Lifecycle and Problems of Ransomware Attacks

INTRODUCTION

The internet is a very powerful and amazing tool for communication that is very important in our everyday lives. The fact that it is used in all spheres of our daily lives have never been in doubt over the years the internet has formed an integral tool for entertainment, information, communication. It is also been used expansively in banking, healthcare, transportation, entertainment, shopping small and big organizations and many more.

But, while the benefits cannot be disputed, the attached risks are more elusive and difficult for the individual user to counter (Halcu, 2018).  Unauthorized access to personal data, misuse of the same and malicious software attacks constantly make headlines in the media (Halcu, 2018)

Much like other malware types, ransomware starts an attack by trying to remain undetected, slowly encrypting files one after another to avoid suspicion. It’s only once all the targeted files or system is encrypted that the ransomware will make itself known, usually in the form of an impassable splash screen. It’s from this splash screen that users are first told that their files are locked and that in order to retrieve their data they are required to pay a cash sum. The exact wording of the demands vary between ransomware strains, but most demand some sort of payment within a specified timeframe. Some messages are aggressive in the hopes of scaring the user into a quick payment, while others attempt to masquerade as legitimate organizations, such as the FBI. (Dale, 2018)

Locker and crypto are the two main types of ransomware in circulation today, this was highlighted in a symantec report authored by kevin Savage, Peter Coogan and Hon Lau (Savage, et al., 2015)

Locker Ransomware (computer locker) is designed to deny access to computing resources. This usually takes the shape of lockup the computers or device’s computer programme then asking the user to pay a fee so as to revive access thereto (Savage, et al., 2015). Locked computers will often be left with limited capabilities, such as only allowing the user to interact with the ransomware and pay the ransom (Savage, et al., 2015) This means access to the mouse might be disabled and the keyboard functionality might be limited to numeric keys (Savage, et al., 2015) allowing the victim to only type numbers to indicate the payment or device while (Savage, et al., 2015) Crypto ransomware (data locker) is designed to find and encrypt valuable data stored on the computer, making the data useless unless the user obtains the decryption key.

PART 1

CURRENT ESTIMATES OF THE SCALE OF THE RANSOMWARE PROBLEM

Ransomware is one of the most monumental threats facing individuals and organizations today. Ransomware is a kind of malware that is used to lock users out of systems and withhold their data until a fee is paid to the attacker. The attacker usually demands cash payment in cryptocurrency either in bitcoin or monero (Dale, 2018).

The very first ransomware virus, the AIDS Trojan was created by Harvard-trained Joseph L Popp in 1989, 20,000 infected diskettes were distributed to the World Health Organisation’s International AIDS conference attendees. The Trojan’s main weapon was symmetric cryptography. It did not take long for decryption tools to recover the file names, but this effort set in motion over almost three decades of ransomware attacks (Francis, 2016)

Over the years attackers have been able to improve and developed the ransomware business model using dangerous malware, strong encryption, anonymous Bitcoin payments, and vast spam campaigns to create dangerous and wide-ranging malware. (Symantec, 2017)

There have been an increase of attackers, While consumers in particular (69 percent of all infections) are at risk from ransomware, this year saw evidence that ransomware attackers may be branching out and developing even more sophisticated attacks, such as targeted ransomware attacks on businesses that involved initial compromise and network traversal leading to the encryption of multiple machines. Ransomware looks set to continue to be a major source of concern globally in 2017 (Symantec, 2017)

Symantec report of 2017 exposed some key findings that due to its prevalence and destructive nature,  ransomware remained the most dangerous cyber-crime threat facing consumers and businesses in 2016 (Symantec, 2017). Symantec also reported that the average ransom amount has shot upwards, jumping 266 percent from US$294 in 2015 to $1,077 (Symantec, 2017).

Deloitte report of 2016 shows that the number of reported attacks keep rising and there is no signs of the numbers coming down, in the first quarter of 2016 there was an average attack of more than 4000 per day a 300% increase over an average of 1000 attacks observed per day in 2015 see figure 1 (Deloitte, 2016)

Ransomware Attacks Per Day

                      

4500

4000

3500

3000

2500

2000

1500

1000

 500

0

                                            2015                               2016 Q1

Ransomware Attacks Per Day

Figure 1 (Average number of ransomware attacks per day in Q1 2015 and 2016)

Some software tools have been develop to block ransomware attack before they are installed on the victims computer these tools are blocked to detect malicious behavioural patterns of malwares.

While antivirus detections of ransomware amount to a small percentage of the overall number of attacks, the notable uptick in detections during the year suggests that ransomware activity increased during 2016 (Symantec, 2017)

Average global ransomware detections per day

Ransomware antivirus detections increased by 36 percent compared to 2015, rising from an average of 933 per day in 2015 to 1,271 per day in 2016. (See figure 2) (Symantec, 2017)

  

 Figure 2 Average global ransomware detections per day

Survey carried out by Symantec showed that an average of 35,000 ransomware is detected by antivirus per month by the beginning of the year which rose to more than 40,000 at the end of the year (Symantec, 2017).

Ransomware attacks for 2017 was dominated by the stories of WannaCry and Petya/ NotPetya attacks (Symantec, 2018).  Although there have been an increase of ransomware infections since 2013 that it reached a record high of 1271 detections per day 2016, ransomware detections per day in 2017 was approximately 1,242 WannaCry and Petya/NotPetya detections numbers was not included (Symantec, 2018)

Symantec survey of 2017 shows that the United States of America continues to maintain the region mostly affected by ransomware. Japan is affected by 9%, Italy 7%, Canada 4%, and India 4%, others are Netherlands 3%, Russia 3%. Germany 3%, United Kingdom 3% AND Australia 3%. From the result of the survey you can see from the result that the attacker’s keeps concentrating on developed and stable economies that have the capacity to pay the ransom (See figure 3) (Symantec, 2017)

According to an IBM Security report of 2016, there have been an increase in the ransomware attachment to spam, it has gone up from 0.6% in 2015 to nearly 40% YTD in 2016. (See figure 2) (Kessem, 2016)

Percentage of Spam with ransomware attachments

 

 

 

 

 

 

Figure 4.     Source: IBM X-Force, 2016

A survey carried out by IBM Security shows data for which business executives are most likely to pay ransom to recover lost data to hackers before it is compromised

About 60 percent of respondents indicate that their organization would be willing to pay some sort of ransom in order to recover stolen data:

• Financial records – 62 percent

• Customer and sales records – 62 percent

• Corporate email system/server – 61 percent

• Intellectual property – 60 percent

• Human resource records – 60 percent

• Corporate cloud system access – 60 percent

• Business plans – 58 percent

• R&D plans – 58 percent

• Source code – 58 percent (Kessem, 2016)

THE TYPICAL LIFECYCLE OF RANSOMWARE, INCLUDING THE KEY STAGES OF THE KILL CHAIN

There are various ways that an attacker can plant Ransomware on a victims machine or systems, the 2 most common methods of ransomware attack is through phishing emails and fraudulent websites. An attack can either be to a specific target or distributed randomly distributed to different users (MANVEER PATYAL, et al., 2017)

Analysis by Exabeam of 86 ransomware specimens and found out that a surprising amount of commonality in their behaviour, below is the 6 stages of the ransomware kill chain (see figure 5) that are shared by all ransomware strains (Exabeam, 2016)

The main stages of the Ransomware Kill Chain are as follows (figure 5) (Exabeam, 2016)

Distribution Campaign: First stage in the kill chain is to distribute and install software to potential victims, during this campaign, users are tricked to downloading a malicious dropper or payload via an email, a watering-hole attack, an exploit kit, or a drive-by-download. This dropper is responsible for kicking off the infection (Exabeam, 2016)

Infection: Once on the victim’s machine, the dropper phones home to download an .exe or other camouflaged executable by connecting to a predefined list of IP addresses that host the C2 server, or by using DGA to connect via pseudo random domains. From this point, the dropper usually copies the malicious executable to a local directory such as Temp folder or %AppData%/local/temp. Finally, the dropper script is terminated, removed, and the malicious payload is executed (Exabeam, 2016)

Find Out How UKEssays.com Can Help You!
Our academic experts are ready and waiting to assist with any writing project you may have. From simple essay plans, through to full dissertations, you can guarantee we have a service perfectly matched to your needs.
View our services

Staging: The Staging phase is where the ransomware performs various housekeeping items to ensure smooth operation, the ransomware will move itself to a new folder then dissolving, checking the local configuration and registry keys for various rights, such as proxy settings, user privileges, accessibility, and other potentially meaningful information. The ransomware also runs a boot, running is done in recovery mode, disabling recovery mode, and many more, various commands is used to delete shadow copies of the files from the system Ransomware also communicates with C2 at this stage to either get the ransomware’s public key negotiated, or to perform recon on the user/system using online IP analytic tools to determine whether or not they are an applicable target (Exabeam, 2016).

Scanning: As soon as the ransomware has set itself up and is fortified to persist even if there is shutdowns and reboots, it gets itself ready to take files hostage. Interest. The ransomware scans and maps the locations containing those files, both locally and on both mapped and unmapped network-accessible systems. Many ransomware variants also look for cloud file storage repositories such as Box, Dropbox, and others; which may also be included. his particular stage is the first real opportunity that security analysts have to stop the ransomware kill chin (Exabeam, 2016)

Below is an illustration of the ransomware scanning process:

The Ransomware Scanning Process (Figure 6) (Exabeam, 2016)

Encryption: files discovered by the ransomware is encrypted, older versions of the ransomware will encrypt the local files only but recently they have started encrypting the back first, To achieve this, they search for the directories or files specifically named in date format (e.g. data20160323.bak) or containing .bak and encrypt these first before encrypting specific files. Since encryption can be detected by anti-virus software, the ransomware typically encrypts important files (such as system files or files with recent access dates) first so that harm is caused as quickly as possible before detection takes place (MANVEER PATYAL, et al., 2017).

Payday: As soon as encryption is completed, a ransom note is generated, shown to the victim, and the hacker waits to collect on the ransom, the ransomware informs the victims of the extent of damage done and ways to recover files. In the case of Cryptolocker, it provides a new installation link in case anti-virus has uninstalled the malware from the system. It also shows users the steps to disable/uninstall anti-virus programs from the system along with all the steps to pay the ransom amount, it may take 2-3 days for the hackers to very payment which is usually in bitcoins and as soon as payment is verified, the hacker delivers the private key. The decryption of the files starts after the private key is received by the victim’s machine and ultimately the files are recovered.

BRIEF DESCRIPTION OF SOME EXISTING RESEARCH BASED SOLUTIONS AND LIMITATIONS

Ransomware locks a victim’s computer until payment is made by the victim to regain access to data. This kinds of attack have been ongoing for some time now. There have been recent high profile attacks on big organisations, company, government agencies etc. This attacks have been of great concern on by stakeholders on how to defend against any ransomware attack.

Kharraz, et al., reported that in 2016 several public and private sectors, including the healthcare industry, were impacted by ransomware. Very recently, WannaCry, one of the successful ransomware attacks, impacted thousands of users around the world by exploiting the EternalBlue vulnerability, encrypting user data, and demanding a bitcoin payment in exchange for unlocking files (Kharraz, et al., 2018).

Over the years, researchers have been proffering solutions on how to tackle the ransomware problem. A research by Manveer Patyal, et al., in 2017 led to the building of a multi-layered architecture to detect and prevent ransomware attacks. Each of the layers works on different phases of ransomware execution. In many of the tools and strategies that have been developed today, been able to monitor the process is an effective technique employed to detect ransomware (MANVEER PATYAL, et al., 2017)

WHAT BEST PRACTICES SHOULD USERS EMPLOY

Symantec report of 2017 recommended best practices that users of computers should employ to avoid falling victim of the deadly ransomware attack, below is the best practices (Symantec, 2017)

a)      Regularly backup any files that is stored on computers or any other devices

b)      Users should always keep security software’s that run on devices including mobile devices up to date, by doing this, the user is able to protect themselves against any new variant of ransomwares.

c)      Users should constantly update operating systems and other software, this will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.

d)      It was also recommended that users delete any emails received that look suspicious especially if they contain links and attachments

e)      Users should be extremely careful of any Microsoft office email attachment that advices you to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.

f)       Do not download apps from sites that is not familiar to you on mobile devices, only download apps from trusted sources, you have to critically look at permissions requested by the apps during installation

g)      Users should constantly use strong and unique passwords and avoid using the same password on different accounts, also enable two-factor authentication if available.

h)      Users who have online bank accounts should sign up for transaction alerts from their bank to enable them get messages if any suspicious are made on the account (Symantec, 2017).

References

Dale, W., 2018. Internet crime; Software; Malware; Hackers; Digital currencies. Londom(London): Dennis Publishing Ltd..

Davey, W., 2018. Malware; Exploitation. London(London): Dennis Publishing Ltd..

Deloitte, 2016. Ransomware Holding Your Data Hostage. Deloitte Threat Intelligence and Analytics, 12 August, pp. 1-23.

Drolet, M., 2018. Malware; Software upgrading; Threats; Network security; Security management;. CSO (Online); Framingham, 10 July.pp. 1-3.

Exabeam, 2016. The Anatomy of a Ransomware Attack, San Mateo: EXABEAM, INC.

Francis, R., 2016. CSO. [Online] Available at: https://www.csoonline.com/article/3095956/data-breach/the-history-of-ransomware.html#slide2[Accessed 31 October 2018].

Halcu, B., 2018. Internet Of Things (Good And Bad). Mondaq Business Briefing, 26 January, p. 1.

Kessem, L., 2016. Ransomware: How consumers and businesses value their data, Somers: Copyright IBM Corporation 2016.

Kharraz, A., Robertson, W. & Kirda, E., 2018. Protecting against Ransomware: A New Line of Research or Restating Classic Ideas?. IEEE Security & Privacy , 16(3), pp. 103 – 107.

MANVEER PATYAL, SAMPALLI, S., QIANG, Y. & MUSFIQ, R., 2017. Multi-layered defense architecture against ransomware. International Journal of Business & Cyber Security (IJBCS) , January, 1(2), pp. 52-64.

Myers, L., 2016. Ransomware: Expert advice on how to keep safe and secure. [Online] Available at: https://www.welivesecurity.com/2016/10/10/ransomware-expert-advice-keep-safe-secure/[Accessed 20 11 2018].

Savage, K., Coogan, P. & Lau, H., 2015. Security Response The Evolution of Ransomware, Mountain View: Symantec Corporation..

Symantec, 2017. Internet Security Threat Report , Mountain View: Symantec.

Symantec, 2018. Internet Security Threat Report, Mountain View: Symantec Corporation.

Reverse Engineering the Behaviour of NotPetya Ransomware

Reverse Engineering the Behaviour of NotPetya Ransomware

warna Pujitha kolli

1

, Dr.K.V.D.Kiran

4

                                      1 M.Tech Student, 2 Professor

                           Department of Computer Science and Engineering

                                Koneru Lakshmaiah Educational Foundation

                                            Vaddeswaram, Guntur District.

   swarna2015pujitha@gmail.com, kiran_cse@kluniversity.in

warna Pujitha kolli

1

, Dr.K.V.D.Kiran

4

                                      1 M.Tech Student, 2 Professor

                           Department of Computer Science and Engineering

                                Koneru Lakshmaiah Educational Foundation

                                            Vaddeswaram, Guntur District.

   swarna2015pujitha@gmail.com, kiran_cse@kluniversity.in

Swarna Pujitha kolli

1

, Dr.K.V.D.Kiran

4

                                      1 M.Tech Student, 2 Professor

                           Department of Computer Science and Engineering

                                Koneru Lakshmaiah Educational Foundation

                                            Vaddeswaram, Guntur District.

   swarna2015pujitha@gmail.com, kiran_cse@kluniversity.in

Swarna Pujitha kolli

1

, Dr.K.V.D.Kiran

4

                                      1 M.Tech Student, 2 Professor

                           Department of Computer Science and Engineering

                                Koneru Lakshmaiah Educational Foundation

                                            Vaddeswaram, Guntur District.

   swarna2015pujitha@gmail.com, kiran_cse@kluniversity.in

Abstract—Recently Ransomware attack had a great impact on several sectors like, Banking & finance, Insurance, Healthcare, utility and energy, Manufacturing, Education, Public and Government sectors etc. One of the prominent type of ransomware that effected several computers across the world, including Ukraine, France, Russia, and England which hit the big time in 2017, however its effect still persists in 2018, and is referred to as NotPetya. This is destructive because it combines regular ransomware behaviour  with stealthy transmission technquies. Notpetya encrypts the files and also master boot loader (MBR) which intercepts the booting process with a ransom note. Eventhough by paying the ransom, the data couldn’t have been recovered from the machine. This paper gives comprehensive technical analysis and reverse engineering of NotPetya ransomware.

Keywords—Ransom, Ransomware, NotPetya, Encryption, Reverse Engineering.

I.     ntroduction

Ransomware is one of the biggest threats in the Digital world. It is a type of malware that encrypts all the files or documents on the PC and it has the capability to spread across the netwok. Victim’s can only get back to their files only if they pay ransom to the attacker. Data from the stastics shows that Public/Private sector is not immune to attack.Most of the attacks are targeting Financial services, Education, IT/Telecoms, Power grids, Oil and gas, Government etc  have been hit as well. All these ransomware attacks are mainly carried by using Trojan that is a malicious code is masked as a legitimate file which comes as an email attachment  where the victim is tricked to open it or download it. Around from 2012, ransomware scams are growing internationally.[3]  The victims who confronts with ransomware between 2016 to 2017 increased by 11.4% when compared with 2015-16. The average ransom is up to $1,000. Adding strength to the effect, about 20% of the victim’s who have paid the ransom demands, never retrived their files back from effect. They disconnected with the network without providing decryption key. About 72% of the infected companies lost there access to data for two to three days which is a great loss to the revenue. [5] In the first six months of 2018 there have been 181.5 million ransomware attacks[4]. According to Kaspersky, for every 40 seconds, a company gets shot by a ransomware.[6]

In the ransomware families one of the devasting type of ransomware is NotPetya which is currently spreading across the world which stood top second in its effect. According to reports it first originated from Russia and Ukraine, but now  reached to U.S, the U.K, Denmark, Poland, Italy, India, Japan, Germany, France. In other words, it’s almost everywhere in the world. The “NotPetya” attacks is similar to the very recent WannaCry ransomware which uses NSA exploit EternalBlue for spreading through network. But in addition to this, NotPetya uses multiple propogation techniques to spread through the computers. It includes Credential stealer to grab passwords and PsExec which use those collected usernames and passwords to gain access to other systems that are connected in that domain in the same network.[7] It is not usual type of ransomware because instead of directly encrypting the victim’s files, it encrypts the MFT(Master File Table) which holds the information related to the file names, size and location on the physical drive. Prior encrypting MFT, it replaces MBR(Master Boor Record), which stores the code that intiates the OS bootloader and replaces it with malicious code that displays the ransom note with instructions. So it stops the system from booting and displays the ransom note whenever the system is started.[8]

So, to analyze the functionality of malware we need to reverse engineer it. Reverse Engineering is a challenging task for the malware analyst. Reverse Engineering invovles mainly two important techniques for analysis of malware they are static and dynamic analysis. Static analysis is done without running the the malware, so it is much safer than dynamic analysis. Whereas in dynamic analysis the malware is executed in sepereate/isolated environment to examine its behaviour[9]. Most of the literatures are based on static analysis or dynamic analysis. Whereas my work will collectively represents static, dynamic and characterstics of NotPetya malware. This paper will cover in-depth technical analysis of NotPetya, which is structured as follows: Sec. 2 describes how NotPetya spreads. In Sec. 3 Flow of the malware execution in secured environment. In Sec. 4 reports static and dynamic analysis results done with malware. Sec. 5 Summarises the related work. Sec. 6 Concludes.

II.    Related work

NotPetya malware combines ransomware  functionality with an ability to propogate itself in network. This is intially identified on the systems running a  document management software that is M.E.Doc. This software is mostly used for tax and payroll accounting. Based on analysing the M.E.Doc software, and from reports by anti-virus companies, it was first deployed as a software update. And it started distrubuting though network slowly. It combines traditional ransomware with propogating through network functionality[10].

The system infected with NotPetya has three methods of spreading as discussed in the flowchart,

1.Remote exploit (EternalBlue, EternalRomance) for

MS17-010.

2. Windows Management Instrumentation(WMI).

3. The psexec tool.

Flow of NotPetya ransomware

It spreads to Windows Operating Sytem through several methods. One of the prominent way is SMB service exploit (EternalBlue) which is previously exploited by WannaCry. It is the same vulnerability reported by Microsoft as MS17-010. It also uses Mimikatz, a technique to collect the credentials from the windows lsass (Local Security Authority Subsystem Service). The collected credentials are used to make an attempt to compromise other systems by using Microsoft tools, PsExec and Windows Management Instrumentation (WMI). Not Petya malware uses MS17-010 vulnerability to infect the unpatched systems. It uses PsExec and WMI tools to exploit the patched systems by extracting credentials from infected system’s lsass process to gain access to systems [10][11].

Then it overwrites the MFT table and replaces the MBR with hostile code which prevents system from booting and displays the ransom demanding note. The encryption algorithms used by this ransomware are 128-bit AES in CBC mode and 2048-bit RSA  to encrypt files. The ransom note demands $300 USD for each infected machine, and established Bitcoin workflow with the email address( wowsmith123456@posteo.net ). According to research reports, there are no such evidences of providing decryption keys by the attackers for recovering files after payment.

So to analyze the actual infection that is caused by the malware, Reverse Engineering is prefered. As discussed there are two methods for analysing a malware. They are static and dynamic analysis which are once again divided into two sub parts.

Static Analysis

1.1.1           Basic Static Analysis

It will help to make sure that the file is malicious or not. It is mainly used to know the functionality of the malware because it is a process of investigating the executable file without viewing the actual code. It is a straightforward process and very quick, but it is mostly uneffective against sophisticated malware.

1.1.2           Advanced Static Analysis

Advanced static analysis, is looking at the program’s instructions to know the fuctionality of malware by loading the PE file into a disassembler. Disassembler will tell exactly what the program does by executing the instructions through CPU. It is a deeper learning process than basic static analysis and requires knowledge to understand the assembly-level code and also windows OS concepts.

1.2    Dynamic Analysis

1.2.1           Basic Dynamic Analysis

It involves running the malware on the system and noticing its behaviour in order to remove the infection. But to run the malware a separate environment must be setted up that will decrease the risk of damage to system and also to network. Like Basic Static analysis, it can be performed without having deep programming knowledge. But through this approach they may miss the important functionality.

1.2.2           Advanced Dynamic Analysis

It involves running the malware using debugger to examine the internal state of the executable. This technique provides an appropriate way to know the behaviour of malware functionality. This technique will be most useful to obtain information that is difficult to gather from other techniques.

III.   Malware Analysis

      027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745————Main DLL

      02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f————-   (embedded 64-bit credential dumper)

      eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998—————- (embedded 32-bit credential dumper)

      f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5——————- embedded psexec.exe (not harmful).

The above are the hash values of the analyzed samples. First one is the Main dll which contains the code of the EternalBlue and EternalRomance exploit. Second and third is the 32-bit and 64-bit embedded credential dumper similar to Mimikatz. The last one is the Sysinternals PsExec.exe file which is used to gain remote access to other systems for spreading the infection. Further technical analysis is done in the below sections accordingly.

 

Basic Static Analysis

The sample that is used for basic static analysis is 32-bit DLL with an unnamed export as in Fig 1. It is not packed, as shown in fig 2. As shown in fig 3, the resource section contains four obfuscated binaries. In those binaries, one is PsExec utility, two are 32-bit and 64-bit credential harvesters and the fourth one is a component of exploit (Eternal Blue).

Figure 1

Figure 2     

                      

Figure 3

In this work, I have developed a tool named Basic Static analysis Report, which gives the information in the file. It displays the details like MD5, SHA1, PE file entropy, list of sections in the PE file, windows functions that are used by malware. Tool has the capability to show entropy of a given sample. It may detect the type of malware family according to the given yara rules. It also generates results according to the malware behavior as shown in Fig 4.

Figure 4

Basic Dynamic Analysis

In this analysis, the sample is executed in a safe or isolated environment. The file that is dropped by the malware is as follows:

Whenever the sample gets installed, it will check whether the main dll is present in “C:Windows” directory. This technique is commonly used to thwart the analysis efforts.

C:WindowsSystem32 undll32 perfc.dat,  #1

So, through Process Monitor we can check the processes that are created by the malware, shown in Fig 5. A temp file named 3FC0.tmp is created in the %temp% folder which is 32-bit or 64-bit credential harvester. It drops the file C:Windowsdllhost.dat, a copy of the PsExec, which allows execution of process remotely. And also copies itself in to the memory and free the original one, removing the lock of the file on the disk.

Figure 5

As shown in Fig 6, the files that are created by the malware after execution are dllhost.dat and also perfc.

Figure 6

As shown in Fig 7, the result obtained by regshot helps to view the changes in the registry values after running the malware. It lists the number of modified keys, newly added keys and the total number of changes done in the registry.

Figure 7

Advanced Static Analysis

Here, we need to disassemble the code of malware to know its functionality. As shown in the Fig 8, it is the main Eternal Blue exploit code i.e., core_MS17_010. If the exploit condition exits, the actual code is called in order to send the shell code to infected system.

Figure 8

It clearly shows that the exploitation starts from core_MS17_010 (sub_10005A7E), sets-up a connection to the vulnerable systems. After other infections fails, it then calls sub_10003CA0 which is responsible for decrypting and delivering payloads to systems affected. The constructions of payload is closed by decrypting and adding two sections of packed resource section as shown in fig 9.

Figure 9

In the Fig 10, we can see how the packet is delivered through the open socket.

Figure 10

 

Advanced Dynamic Analysis

In this we use OllyDBg to debug the malware for knowing its internal functionality. For patched systems to spread the malware, a copy of windows sysinternals PsExec tool  is written to %WinDir%dllhost.dat. It uses the tool for gaining access to remote system to run malware on it with the following command.

            psexec -accepteula -s -d c:windowssystem32 undll32.exe “C:Windows”, #1

 

Figure 11

If the connection is successful, it checks whether the system is already infected or not. If it is not infected, it uses PsExec and WMIC to spread the infection which is shown as follows:

            C:windowssystem32wbemwmic.exe /node:”” /user:”” /password:”” process call create “C:WindowsSystem32 undll32.exe “C:Windows”, #1

Figure 12

NotPetya engages the following method to reboot the system so that MFT encryptor code loads in the boot loader and displays the ransom note.

It schedules shutdown through cmd with the following command as shown in Fig 13.

            /c schtasks /Create/SC once /TN “” /TR “C:Windowssystem32shutdown.exe /r /f” /ST

/r → reboot after shutdown

/f → forces running applications to close

Figure 13

                     Scheduled shutdown in system  

At last, after encrypting MBR and replacing MFT, it restarts at a particular time scheduled by malware and displays the message shown in the Fig 14.

Figure 14

References

[1]      DAN DAHLBERG “ransomware cyber attacks ” blog on Bitsight

[2]      Online “Ransomware” wikipedia

[3]      Online  “New Internet Scam” news on FBI 2012

[4]      “sonicwall cyber threat report” article on helpnet security 2018

[5]      Phillip Long “5 Ransomware Statistics Every Business Owner Needs to Know” blog on BIS

[6]      “Attacks on Business Now Equal One Every 40 Seconds” press release on kaspersky lab 2016

[7]      Online “Petya” wikipedia

[8]      Lucian Constantin “Petya ransomware is now double the trouble” article on network world

[9]      Syarif Yusirwan S, Yudi Prayudi, Imam Riadi “Implementation of Malware Analysis using Static and

[10]   Dynamic Analysis Method” International Journal of Computer Applications (0975 – 8887)Volume 117 – No. 6,  2015

[11]   Falcon Intelligence Team “fast spreading petrwrap ransomware attack combines eternalblue exploit credential stealing” blog on CrowdStrike “malware analysis basics static analysis” InfoSec Resources

Detecting of Ransomware using Software Defined Networking

Abstract
Ransomware is a major weapon for cyber-extortion. The traditional signature-based detection no longer holds good against modern, sophisticated malware that employs encryption techniques and social engineering. This paper investigates the use of Software Defined Networks (SDN) to detect the illicit communication between infected PCs (ransomware) and their controller known as the Command & Control (C&C) server. SDN provides unique opportunities to detect malicious DNS requests (associated with malware) and where possible block ransomware controls requests, and thereby prevent ransomware triggering. In this article we mostly look at detection at commercial or business scenarios, where the data handled are much more sensitive and might lead to monetary loss.
Index Terms– Ransomware, cyber-extortion, Signature-based detection, Software defined Networking.
Cyber-Extortion malware can be trace back to three decades earlier [1]. It all started with the malware named PC CYBORG which was delivered through floppy disk. The reports of modern malware known as ransomware were started in early 2005. Since then ransomware has developed into more sophisticated method of attack to extort money from people as well as the companies. Ransomware can make a huge impact on businesses, especially if it strikes mission-critical systems. The attacker forces the companies to pay-out money in the form of bitcoins which can be anonymous and not so easily traceable. If refuse to pay, they threaten to destroy the data. This is a profitable business model to cyber criminals as the companies and people tend to pay out to retrieve the data [2].

Get Help With Your Essay
If you need assistance with writing your essay, our professional essay writing service is here to help!
Essay Writing Service

It is estimated that the pay-outs to ransomware is close to $1 billion an year as per IBM for 2016[3]. This is just known pay-outs and it crosses more than $1 bn if all the pay-outs are considered. The anonymity of the attacker and necessity of the victim makes it one of the popular attacks to extort money, especially from major tech companies and targeted businessmen. The ransomware is not specific to a single OS platform. From past few years, the ransomware have been developed for different platforms like linux, Mac OS and popular one emerging now a days is for android.
In general, the working of modern ransomware is as follows. First, a user machine is infected using various attack vectors for example, clicking on malvertisement, downloads from non-trusted sites, phising, spam, etc. Second, the victim’s system or the stored data is encrypted (locked), based on the type of ransomware. The modern versions of the ransomware can encrypt storage drives such as cloud storage, Dropbox, and shared network devices. As a result, multiple systems on the network can get compromised, by a single infection. Figure 1 shows the general working of the symmetric and asymmetric crypto ransomware.

Fig. 1. (left )Symmetric and (right) asymmetric crypto ransomware
As the ransomware evolves, some well know malwares have come into business, such as CryptoLocker, CryptoWall, TeslaCrypt and Locky have been widely used and updated.
Detecting these ransomware before the payload activates and start encrypting is very difficult [4]. Figure 2. Shows that only half of anti-virus scanners provide protection for this new malware, even after several days of a new attack being circulated.

Fig. 2. Time to detect new malware by antivirus vendors.
Recent study shows that the ransomware is becoming successful as the prices are tailored as per company’s or country’s ability to pay [5]. If the ransom isn’t paid within the expiry of the ransom note, the ransom usually doubles. This instils fear of losing the files or pay higher. This let company or the person feel it is easier and less expensive to pay the ransom and get back the files rather than reporting it and trying to find a solution for it. This makes it important to come up with mitigation techniques to stop this from continuing and
The ransomware developers are constantly improving their product which makes it hard for developing long lasting countermeasures. With large number of devices that are getting connected on the internet like the Internet of things, the ransomware is being developed to multiple devices.
Most common method of detection of ransomware, infact any malware, is signature based detection. Hence most of the experts suggest keeping the antivirus scanners up to date [6]. But as we have seen from the earlier that not many vendors give out updates that regular. Also with the use of encryption techniques and social engineering, it easily evades the defence in firewall and email spam filters. Hence the detection of entry of ransomware into the system or the network is becoming much more difficult.
One more commonly used method of detection is by identifying the extensions. For example, many use extensions like .locky, etc. But this can be masked by encryption techniques.
Microsoft advices the best way to tackle ransomware is by having a tested reliable backup to escape the damages of the ransomware [7]. Although this is one of the best methods, creating and maintaining backups for huge organizations can be really expensive and time consuming.
Now let us take a look at few of the current implementations to detect ransomware in commercial or business network as they are the major victims because of the data they hold. Majorly used method is implementing products which use User Behaviour Analytics (like Varonics or DatAdvantage). This works on the baseline of normal activity and if there is any other abnormal activity, an alert would be sent to the administrator. The major disadvantage with this is any other legitimate activity which is not mentioned under normal behaviour was reported which led to receiving of lot of false positives about the activity.
Other method used was to detect malicious activity by monitoring changes in File Server resource manager (FSRM), function built into Windows Servers. By using canaries, writing unauthorised files can be blocked. This helped in developing PowerShell to block unauthorised user access.
Most of the currently used techniques work fairly well with the symmetric crypto ransomware. They tend to be less efficient with the asymmetric crypto ransomware. In this article we look at one of the basic approach that can be taken to mitigate ransomware with the use of Software Defined Networking (SDN). This method is mostly useful in companies or a small network with a system administrator to monitor the network traffic.
Proposed method is based on findings after analysing CryptoWall ransomware [8]. But this can be applied to other types of crypto-ransomware, such as Locky TeslaCrypt, etc, which communicates with the Command & Control (C&C) servers. The primary intension with this proposed method is to cut-off the connection between the victim and the C&C systems. Without connection to C&C the encryption process is not going to be initiated and thus saving the victim’s system.
With the use of Intrusion detection/Prevention systems(IDPS) or firewalls that are commonly used to filter and detect malicious data, it is very hard to give timely response to such threats as there is lot of data that it encounters because of the number of devices that is connected onto the internet now a days.
In this article we take a look at two SDN-based mitigation concepts. We can call them SDN1 and SDN2. Both of them rely on dynamic blacklisting of proxy servers used for connecting to the C&C server. However for this method to be efficient, it is necessary to have up to date list of all the malicious proxy servers that are previously identified.

Find Out How UKEssays.com Can Help You!
Our academic experts are ready and waiting to assist with any writing project you may have. From simple essay plans, through to full dissertations, you can guarantee we have a service perfectly matched to your needs.
View our services

In this method of mitigation system, it is necessary to develop a SDN application to cooperate with the SDN controller. The controlled provides all the data necessary for analysis. After the detection of threat, the network can be configured to block all the malicious activity and capture suspicious traffic for investigation. This will also help in recovering symmetric key if the ransomware uses symmetric encryption based ransomware.
The functionality of the SDN1 is a simple switch. The switch forces all the DNS traffic to be forwarded to SDN controller for inspection. All the responses are compared and evaluated with the database that contains the list of malicious proxy servers. If the domain name extracted from the DNS is present in the database, the response is discarded or blocked to not let it reach the proxy server. This eliminates the process of encryption on the victim’s system. An alert is sent to the system administrator about this issue for further investigation.
The potential drawback of SDN1 is time taken. The DNS traffic from both legitimate and malicious hosts is delayed as each response is checked with the blacked listed domain database. The SDN2 enhances the performance of SDN1 while addressing this issue. As most of the DNS responses received is legitimate, the SDN2 introduces custom flow. This forwards all the DNS response to intended recipient and only the copy of the response is sent to the SDN controller. While the DNS responses are processed, the controller compares the domains with the ones available on the database. If a blacklisted server is found, the victim IP is extracted and all the traffic between the C&C server and the victim IP is dropped and an alert is sent to the system administrator.
The pictorial representation of both SDN1 and SDN2 are shown in Figure 3.

Fig. 3. SDN-based applications, SDN1 and SDN2. Example testbed of the SDN network
Major advantages of using SDN based detection techniques is that it can be used to detect both symmetric as well as asymmetric ransomware. As mentioned earlier without the connection between victim and C&C server, the infected host will be able to retrieve the public key and hence will not be able to start the encryption process.
As we have seen earlier, this method requires a database that contains all the currently known and used malicious proxy servers. This is the major disadvantage of this method. Currently the developers of this method have a database of about 70,000 malicious domains. But this won’t be sufficient as the attackers will be looking for new domains to evade detection. Also methods have to be checked frequently and loopholes need to be fixed as the attackers would seek to exploit any loopholes if found.
There are researches that are taking place to detect the ransomware using honeypot techniques. The SDN can be included into the honeypots to further enhance the effectiveness of the detection. Alongside with the SDN, the companies will have to develop an Incident Response team [6]. This team should make plans to tackle the issues according to the importance of the systems and also be given training to be equipped with the necessary steps to take in case of an attack which slipped from the SDN controlled.
In case of an attack, steps should be taken to contain the ransomware just to the affected system and it doesn’t spread to any other system on the network.
It is also important to take a backup of the entire necessary and sensitive files in a secure and tested location. This help in restoring the work quickly in case of unseen attack on a critical system.
Also one of the most important developments in ransomware is that now it is not just delivered as a Trojan, it is being developed in a way that it can replicate its code onto the removable devices and network drives.
This makes it important to educate and train the employees and the staff about the dangers of ransomware and methods that it can be brought in to the network like the spam emails and social engineering [9]. Also companies should discourage the policy of bring your own device (BYOD). Staff a being more alert about the malware makes is very difficult to launch any attack.
As we are looking to develop methods to detect and prevent ransomware, new type of ransomware is emerging that threatens to release all the data online, instead of destroying them, if not paid before the ransom note expires. This is makes it more necessary to develop more sophisticated methods of detection to prevent ransomware attacks.
Also as this is an SDN based security application, further research can be undertaken to broaden the spectrum of detection and prevention of other types of malware and attacks like DDoS attacks
To efficiently fight ransomware, it is important to break the business model of the ransomware developers. With the reduced income to the ransomware developers, they will have to shut down the proxy servers which in turn help in faster detection of newer developers.
The best protection is to prevent infection. This may be tough to achieve and hence in this article we have taken a look at 2 types of SDN based security application that can be implemented to improve protection against ransomware. These rely on up to date database of malicious proxy servers which needs to be updated constantly but once detected, the application works efficiently.
We have also discussed that it is achievable to break the connection between the victim and the C&C server, with the help of SDN application, to make the encryption impossible.
Furthermore, we have seen that it is necessary for the companies to actively invest time and money in training people to develop a sense of security at the workplace to reduce the attacks.
We have also discussed that this SDN based application need not be limited to detecting ransomware. This can be further developed to detect and prevent other malware, detect attacks based on the network traffic characteristics or detecting malware based on pattern.
References

N. Hampton and Z. A. Baig, “Ransomware: Emergence of the cyber-extortion menace,” in Australian Information Security Management, Perth, 2015.
Chris Moore,”Detecting Ransomware with Honeypot techniques”, 2016 Cybersecurity and Cyberforensics Conference.
“Ransomware becomes most popular form of attack as payouts approach $1bn a year”, Networksecuritynewsletter.com , January 2017.
Cisco, “Cisco 2015 Midyear Security Report,” Cisco, San Jose, 2015.
Cath Everett,”Ransomware: to pay or not to pay?” Computer Fraud and security, April 2016.
Ross Brewer, LogRhythm, “Ransomware attacks:detection, prevention and cure”.
D. Mauser and K. Cenerelli, “Microsoft Protection Center: Security Tips to Protect Against Ransomware,” 6 April 2016.
Krzysztof Cabaj and Wojciech Mazurczyk, “Using Software-Defined Networking for Ransomware Mitigation: The Case of CryptoWall”, NETWORK FORENSICS AND SURVEILLANCE FOR EMERGING NETWORKS.
Marc Sollars,”Risk-based security: staff can play the defining role in securing assets”, Networksecuritynewsletter.com