Ransomware identification for the judicious analyst 06/12/2019
Quote:

When facing a ransomware infection, it helps to be familiar with some tools as well as key points to identify ransomware correctly.

Most ransomware is fire-and-forget malware. The majority of ransomware families do not remain on the system after they have done their deed, and delete the malicious binaries. The system's owner is left with encrypted data and the ransom message. Web services for ransomware identification like id-ransomware might not be an option if customer data is of a confidential nature. Even though the files are encrypted, they can contain information about the customer's system or might be recoverable by third parties.

Identification vs detection

Malware detection is a simple yes-or-no answer to the question: Is this file malicious?
Or, in the case of ransomware detection: Is this file ransomware? Identification, on the other hand, answers the question: Which malware or ransomware family is this?

For antivirus software it is usually enough to detect malware in order to prevent infections. But once an infection has occurred, identification helps to determine the next steps for cleaning the system, reversing the damage (if possible) and preventing further infections that use the same infection vector.

Once the ransomware family is identified, you are able to answer the following questions:

* Does the ransomware encrypt data (files or HDD)?
* Is the encrypted data decryptable for free (by third-party decrypters)?
* Are the threat actors able to decrypt the files after payment?
* If the data cannot be decrypted, can it be recovered by other means like file recovery software?
* How did the ransomware get onto the system and how can we prevent this from happening again?
* Does the ransomware typically arrive in combination with other malware that may have done additional damage (like stealing credentials)?

Types of ransomware

The first interesting question to answer is what type of ransomware attacked the system. Most commonly people associate file encrypters with the term ransomware, but there are more ways for malware to hold something for ransom. Ransomware is any malware that prevents access to the whole system, part of the system or data, or pretends to do so, and asks for some kind of payment from the system's user to revert the changes.

1. File encrypter

The file encrypter typically searches for files on the system based on their file extensions, encrypts each file one by one and renames it, e.g., by adding an extension.
The file encrypter will often use persistence mechanisms for the duration of the encryption process. If the user turns off the system in the middle of encryption, the file encrypter will continue the process after restart.

Some file encrypters use password protected archives to encrypt and store files, e.g., CryptoHost.

2. Disk encrypter

This kind of ransomware will usually infect the master boot record, thus rendering the operating system unbootable. In addition, they encrypt the data on disk or the master file table. There aren't many families out there that do this. Some known ones are Petya, Mamba (aka HDDCryptor) and some very old ones from the DOS era like the AIDS virus. Since there are only a few of them, identification should be comparably easy.

3. Wiper

Sometimes ransomware developers introduce bugs in the encrypting portion or key-storing functions that make it impossible for them or anyone else to decrypt the data. They may damage data instead of encrypting it or make the retrieval of the key(s) impossible, e.g., Ordinypt.
Creating a wiper that poses as a file or disk encrypter may also be done on purpose if the actual goal is to damage a business and the threat actors want to hide their intent. Some believe Petna aka NotPetya to be one of those wipers.

Identifying this type of ransomware is of particular interest, since paying the ransom in these cases (should this option be considered viable) would be pointless, as there are no files to decrypt or recover.

4. Fake encrypter

The fake encrypter will pretend to encrypt files without actually doing it. One common way is to just rename files, e.g., by adding ransomware-typical extensions to them, so that users are fooled into believing that their files are encrypted. As Windows decides based on file extensions which program it uses to open a file, changing the extension will make it seem like the files are "not working anymore". Restoring the file extension will also restore the functionality of the file. Others, like RansomPrank, just tell the user that the files were encrypted, without doing anything to the files.

Ransomware simulators, which are used to demonstrate an infection and to train staff, mostly fall into this category but those shouldn't actually infect systems in the wild.

5. Screenlocker

Screenlockers are often overlooked in discussions about ransomware. They seem less dangerous, less interesting, and less damaging. From a technical standpoint they are indeed less damaging because the locking mechanism can be reversed whereas decryption of data or recovery of wiped data is not always possible. For non tech-savvy users, however, screenlockers still pose a substantial threat. This is especially evident and tragic in those cases where people committed suicide due to a screenlocker infection (e.g., case1, case2).

Very common is the screenlocker combined with a tech support scam, where the screenlocker may look like a fake blue screen and show a tech support number that is supposedly from Microsoft. The scammers, who pose as Microsoft technicians, will then proceed to show the user that their system is damaged and ask for payment in order to repair it (as demonstrated in this example).

Some ransomware families are screenlocker and file encrypter hybrids, meaning they lock the screen and also encrypt files on the system. If they are pure screenlockers, knowing that is usually all you need to reverse the damage.