Most Ransomware Isn't as Complex as You Might Think

Presented at Black Hat USA 2015, Aug. 6, 2015, 5 p.m. (25 minutes).

In this presentation, hear the findings of new academic research into ransomware in which we analyzed more than 1,300 samples captured in the wild from 2006 and 2014 from 15 malware families - including Calelk, Cryptolocker, CryptoWall, Gpcode, Filecoder, Kevtor, Reveton, Seftad, Urausy and Winlock. Our results indicate that (while ransomware authors have made some advancements in encryption, deletion and communication techniques over those eight years) the real impact on victims who don't pay is typically still both nondestructive and preventable. Even the very small set of truly destructive zero-day ransomware samples with sophisticated encryption capabilities we identified can be detected and stopped.

First, learn how ransomware appears to have changed - and stayed the same - from 2006 and 2014, including constants, commonalities and advancements across 15 ransomware families in that timeframe. For example, we verified the widely held belief that ransomware attacks have been increasing in volume in recent years. In fact, they grew by more than 500% from 2012-13. However, the majority have not been sufficiently increasing in sophistication in that timeframe to truly take victims data or hardware hostage. Discover previously undocumented aspects of ransomware attacks with a focus on distinctive and common behaviors among different families.

Second, see a comparison of the threatened impacts vs. the real impacts of the studied ransomware, demonstrating that the vast majority is essentially bluffing its own destructive capabilities in order to extract funds from the victim who is afraid of losing personal and/or valuable data or equipment. More than 94% of ransomware in our multi-year study simply attempted to lock the victims desktop and demand ransom, or used very similar and superficial approaches to encrypt or delete the victims files.

Third, delve into the inner workings of rare destructive ransomware to ascertain key attributes in the code and execution of its instructions that make it both effective and detectible. Hear about the API calls, file system activity and decoy files that consistently surface from different malware families in the wild. Take a look at the various charging methods adopted by different ransomware families including Bitcoin, Moneypak, Paysafecar and Ukash cards. More than 88% of ransomware samples used prepaid online payment systems.

Finally, understand why detecting and stopping advanced ransomware attacks is not as difficult as others have reported. In fact, by scanning for unusual behavior in file system activities, such as I/O requests you can detect even relatively sophisticated ransomware. By protecting the Master File Table (MFT) in the New Technology File System (NTFS) file system on Windows machines, you can prevent most zero-day ransomware attacks. These findings contradict some security community discussions that suggest the impossibility of detecting or stopping these types of attacks due to the use of sophisticated, destructive techniques.


Presenters:

  • Engin Kirda - Lastline, Inc.
    Dr. Engin Kirda is chief architect at global breach protection provider Lastline - which he co-founded in 2011 - as well as a computer science professor at Northeastern University in Boston. He has co-authored more than 100 published research papers. Before Northeastern, he held faculty positions at Institut Eurecom in the French Riviera and the Technical University of Vienna where he co-founded the Secure Systems Lab that is now distributed across multiple institutions in Europe and the U.S. Engin's recent research has focused on malware analysis and detection, web application security and practical aspects of social networking security - including the de-anonymization of social network users. He has served on program committees of numerous well-known international conferences and workshops. In the past, Engin has consulted the European Commission on emerging threats, and recently gave a Congressional Briefing in Washington D.C. on advanced malware attacks and cyber-security. He also spoke at SXSW Interactive 2015 about "Malware in the Wild."

Links:

Similar Presentations: