
Let’s Have An Honest Discussion About Ransomware

Part One

Can you admire a disease? The most common answer would be "of course not". Malware is a disease that affects the computer, but a cyber disease can be viewed differently than an organic one. A strain of virus may attack the body of a living entity, slowly crippling it until that entity expires. As malware is software, we look at the disease from a different perspective: some malware is beautiful. Its method is fluid, the encryption is masterful, and like most things you can tell the writer put a lot of work into it. What do we consider "masterful" malware? It's simple: if the disease sits in the computer and exhibits no visible symptoms, then that is not only beautiful but strategic. Your data is valuable, and when a bad entity establishes persistence on your network, if he/she is effective they do not want to be found. The offending process doing the work of the disease should have a low footprint and not consume resources. Which now brings us to ransomware.


Ransomware is exactly as it sounds: your data is encrypted and held hostage until you pay an amount, usually in bitcoin, to an anonymous miscreant who claims to have the key to unlock your files. For the most part all files are encrypted except the core files needed for the operating system to keep running; your Word, PDF, XLS, and pretty much anything you created is locked away. Most ransomware comes with an accompanying note that at this point seems like a tired template used by everyone and their dysfunctional colleague, as noted below:


I) Petya
II) samsam
III) cerber
IV) Locky


All these notices are similar in nature. Your files have been encrypted, there is a URL given to the poor soul which explains the type of encryption used (supposedly), and one receives an introduction to Bitcoin with instructions on installing the Tor browser so one can pay the ransom. These are the basic parts of a typical ransomware setup.


There is no elegance to be found in ransomware; there is no clever strain that transmits your files out only to leave you with the encrypted copy (that takes some work with exploit kits, and we will be talking about one in Part II). The obfuscation is for the most part sub-par, simply because ransomware is easy to develop, and poorly developed ransomware is still damning in its destruction. Standard cryptographic libraries that use RSA (Rivest-Shamir-Adleman) and AES (Advanced Encryption Standard) are commonplace and easy to implement.


The enterprising individual looking to learn about ransomware can even find GitHub repositories that will help you learn how to create your own.

There is even a step-by-step on how it works.

While some may view this as vile, I applaud it because it is important to not only educate people but to understand how these things work. Knowledge is power and it is those who have kept it to themselves that have helped create the sorry state of cybersecurity today.


Why though do people constantly click on attachments that set this kill chain in motion? With all the research that has been done, why do companies not set up alerts for common indicators, where you look for the obvious before the infection has taken hold? These two questions have been on my mind lately because ransomware is still seemingly a problem that companies and municipalities are having issues dealing with. The two foremost examples that come to mind are the fiascos that occurred in Atlanta and Baltimore. Both infections brought the system to a halt; in the case of Baltimore the municipality attempted to lay blame on the NSA, but who clicked on what?


One does not need to understand how to code, one does not need to understand systems; there is a basic tenet of common sense that dictates that if an attachment seems odd to you, you should most surely not open it. Yet this, the most common tenet in common sense, people do not adhere to. Opening that Word document because you think the Human Resources director sent you something, even though you barely speak to each other and she usually calls you into her office, is not only foolish but shows that you are horribly lonely and need to get out more. It makes no sense; people should read before clicking on something that they do not know or have never seen. Your only excuse for this type of foolishness is that the attachment is so familiar to you and comes from an email address that you are certain of. If this is the case, then the miscreant who has fooled you should be congratulated for putting an incredible amount of effort into fooling you, because such a feat is not easy and requires a lot of work.

I give you:

MD5 - CCFE100D512A511F892D43E72FA47875

The Scourge of the WebLogic Server

hiding as the file name 계좌개설시 제출서류.hwp.exe


Like most ransomware it encrypts data in the user's directory and deletes shadow copy backups to make recovery far more difficult. This ransomware, just like samsam and other strains, shares some common features. Whether it be a rogue attachment or a drive-by on a website, a malicious binary is going to launch. In this case the binary is patient zero and we track from there. For Sodinokibi it is the binary referenced above.

When the binary launches it does some very interesting things:

[figure: volume shadow services]

As mentioned above, our patient zero is this binary; the full path is:


"C:\Users\admin\Desktop\계좌개설시 제출서류.hwp.exe"


This binary spawns a command shell. This should be an indicator: why would an application on the desktop be launching a command shell? Unless you are the administrator this should not be happening. There should be no leeway here; users should not be running a headless cmd.exe unless it's a process you put there and know about. Anything beyond that is unacceptable. You should have an alert in your system making sure that if cmd.exe spawns, you the security operator know about it. If you don't, you're lazy.


The cmd process that launched, as all cmd processes do, goes to work by running new processes.


PID: 968
CMD: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path: C:\Windows\System32\cmd.exe
Parent process: 계좌개설시 제출서류.hwp.exe
Integrity Level: SYSTEM
Exit code: 0

The processes launching from the command line are startling if not downright frightening. The attacker is not dropping anything from a command server; he/she is running actual commands that are native to the operating system. The malicious program first launches vssadmin and deletes all shadow copies surreptitiously:


PID: 2308
CMD: vssadmin.exe Delete Shadows /All /Quiet
Path: C:\Windows\system32\vssadmin.exe
Parent process: cmd.exe
Integrity Level: SYSTEM
Exit code: 0


We also see bcdedit, which is a command-line tool used for managing Boot Configuration Data on the Windows operating system. This command is powerful because by controlling boot options you can enable persistence and a whole slew of other nefarious activities. In this case the ransomware runs the process twice:


PID: 3380
CMD: bcdedit /set {default} recoveryenabled No
Path: C:\Windows\system32\bcdedit.exe
Parent process: cmd.exe
Integrity Level: SYSTEM
Exit code: 0


This command stops Windows from executing the automatic repair feature, which tries to fix boot-related issues automatically.


PID: 2964
CMD: bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path: C:\Windows\system32\bcdedit.exe
Parent process: cmd.exe
Integrity Level: SYSTEM
Exit code: 0


This command disables the recovery screen that comes up on Windows due to shutdown failures.

At this point, as the security operator, you have a horrible problem on your hands. Make haste and run to that machine and take it off-line immediately. There can be a debate later on who allowed the processes to run, but you still have time to neutralize the infection because this is how ransomware works. You will see native Windows processes delete your shadow copies and then establish some level of persistence. No user should be running vssadmin. At this moment you're racing against the clock, because the next thing you are going to see in the logs is enumeration. This is when the rogue process begins seeking permissions and starts listing all your files. Before this the rogue process is also accessing the cryptographic libraries of the operating system. It's going to rename your files and then lock you out.


Alerts and permissions are important. For most ransomware, looking out for vssadmin is one of your best defenses, and you should have your alerts set up to inform you of such. More importantly, no user whatsoever should be running system-level processes unless you are aware of them. Furthermore, if the files on a hard drive are being enumerated, you should know about it. To ignore these things is inviting disaster. Anytime a system-level process is running you should know about it. This is the key to detecting the majority of ransomware out there.
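The process chain above boils down to a handful of checks over process-creation events. What follows is an added example, not code from the post: a small Python detector run over constructed records that mirror the four sandbox entries, plus a benign cmd.exe launched from Explorer as a control. The field names and rule names are assumptions; in practice the same predicates would run over Sysmon Event ID 1 or EDR process telemetry.

```python
import re

# Constructed process-creation events modelled on the sandbox records in the
# post (field names are assumed). The last one is a benign cmd.exe launched
# from Explorer, included as a control that must not alert.
EVENTS = [
    {"pid": 968, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\admin\Desktop\계좌개설시 제출서류.hwp.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'
                r' & bcdedit /set {default} recoveryenabled No'
                r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"pid": 2308, "image": r"C:\Windows\system32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 3380, "image": r"C:\Windows\system32\bcdedit.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 2964, "image": r"C:\Windows\system32\bcdedit.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe"'},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

# (name, predicate) pairs; case-insensitive because the sandbox mixes System32/system32.
RULES = [
    ("cmd.exe spawned by an executable under a user profile",
     lambda e: basename(e["image"]) == "cmd.exe"
               and e["parent_image"].lower().startswith("c:\\users\\")),
    ("shadow copy deletion via vssadmin",
     lambda e: re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", e["cmdline"], re.I)),
    ("boot recovery disabled via bcdedit",
     lambda e: re.search(r"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
                         e["cmdline"], re.I)),
    ("double-extension masquerade (e.g. .hwp.exe) in the process chain",
     lambda e: any(re.search(r"\.[a-z0-9]{2,4}\.exe$", basename(p))
                   for p in (e["image"], e["parent_image"]))),
]

def evaluate(events):
    """Return {pid: [names of rules that fired]} for every event hitting at least one rule."""
    hits = {}
    for e in events:
        fired = [name for name, pred in RULES if pred(e)]
        if fired:
            hits[e["pid"]] = fired
    return hits
```

The first cmd.exe record alone trips all four rules because its command line carries the whole chain, which is why alerting on the parent shell catches the infection before the separate vssadmin and bcdedit children ever appear.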


So why do so many people get successfully attacked? As we have said in the past, cybersecurity is in a sorry state. The profession has become monetized on certifications with no real-world application of experience, save for simulations, which are not real-world application. This has contributed to a culture of "certifications", "background checks", and stringent review that focuses less on the actual hack and more on corporate structure. People are lazy and complacent; the problem is corporate America is never going to admit it, as it is not in their DNA to think outside of the box.


Knowledge is your weapon.