Dead and buried in their crypts: defeating modern ransomware

Presented at VB2015, Oct. 2, 2015, 2 p.m. (30 minutes)

CryptoLocker, CryptoWall, CTB Locker, etc. are well-known families of modern ransomware which use strong encryption algorithms with large asymmetric keys to encrypt target files, rendering them nigh on impossible to decrypt locally since the private keys are controlled by the malware syndicates. Data recovery after a ransomware infection is therefore a huge challenge, and it is imperative to arrest the ransomware as early as possible, before encryption takes place. Complex obfuscation and anti-emulation techniques used on the ransomware droppers ensure that static blocking in real time is difficult. However, low-level system-wide interception of designated events by security software allows close monitoring of the behaviour of untrusted executable code, which currently includes ransomware components, thus making contextual dynamic blocking a high-percentage option. Based on the runtime behaviour of several pieces of modern ransomware, this paper describes in detail the various stages at which ransomware processes can reliably be terminated while mitigating false positives and performance degradation. We explore in depth the blocking of suspicious events such as data-overwrite attempts at both file system and disk levels, behaviour anomalies of OS processes, and incongruous calls to cryptographic functions, whether OS crypto APIs or statically linked OpenSSL library code (de-obfuscated in memory). It may even be possible to adopt and adapt certain strategies to arrest ransomware on mobile platforms. We shall show a PoC demonstrating a novel anti-ransomware solution for *Windows*, optimally combining various strategies to generically detect and prevent attempts to encrypt target file types on disk.
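To make the file-system-level overwrite check concrete, here is an added example (not the authors' PoC or any K7 code) of the kind of per-process heuristic the abstract describes: constructed write events are fed through an entropy-based overwrite counter, which reports the event at which a process would be blocked. The entropy threshold, hit count and target-extension list are assumed, illustrative values.

```python
import math
from collections import defaultdict

# File types the monitor treats as ransomware targets (small illustrative set).
TARGET_EXTENSIONS = {".docx", ".xlsx", ".jpg", ".pdf"}

def shannon_entropy(data):
    """Bits per byte: documents sit well below 7, ciphertext is close to 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class OverwriteMonitor:
    """Per-process tally of high-entropy overwrites of target-type files; crossing
    max_hits is where a real interception layer would block and terminate."""
    def __init__(self, entropy_threshold=7.0, max_hits=3):
        self.entropy_threshold = entropy_threshold
        self.max_hits = max_hits
        self.hits = defaultdict(int)

    def observe(self, pid, op, path, data):
        """Feed one event; return True once pid has crossed the threshold."""
        ext = "." + path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if (op == "overwrite" and ext in TARGET_EXTENSIONS
                and shannon_entropy(data) >= self.entropy_threshold):
            self.hits[pid] += 1
        return self.hits[pid] >= self.max_hits

def scan(events):
    """Map each flagged pid to the index of the event that tripped it."""
    monitor, flagged = OverwriteMonitor(), {}
    for i, (pid, op, path, data) in enumerate(events):
        if monitor.observe(pid, op, path, data) and pid not in flagged:
            flagged[pid] = i
    return flagged

# Constructed sample feed: (pid, operation, path, bytes written); payloads are stand-ins.
HIGH = bytes(range(256)) * 2                          # uniform bytes: entropy 8.0
LOW = b"Quarterly figures for Q3, see attached table.\n" * 8
SAMPLE_EVENTS = [
    (1001, "overwrite", r"C:\Users\a\Documents\report.docx", LOW),   # user saves a document
    (4242, "overwrite", r"C:\Users\a\Documents\report.docx", HIGH),
    (4242, "overwrite", r"C:\Users\a\Pictures\holiday.jpg", HIGH),
    (1001, "overwrite", r"C:\Users\a\Downloads\setup.exe", HIGH),    # packed binary, not a target type
    (4242, "overwrite", r"C:\Users\a\Documents\budget.xlsx", HIGH),  # third hit: block here
]
```

A real deployment would also weigh the disk-level and crypto-API signals the abstract lists, since entropy alone misfires on legitimately compressed or encrypted files.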

Presenters:

  • Gregory Panakkal - K7 Computing
    Gregory R. Panakkal graduated from Model Engineering College (CUSAT), India in 2005 with a Bachelor's degree in computer science and technology. During his college days he worked part-time as a security consultant for Rediff.com, a leading online portal in India. Immediately after graduation he worked as a software engineer for Wipro Technologies, Bangalore. He joined K7 Computing in 2007 to pursue his passion for malware analysis and its detection technologies. He currently works on various anti-malware components that are part of K7's security suite. His other interests include reverse engineering and vulnerability research.
  • Samir Mody - K7 Computing
    Samir Mody graduated from the University of Oxford in 2000 with a Master's degree in chemical engineering, economics and management. Immediately after graduation he joined Sophos, where he spent over nine years, the latter three of them as Threat Operations Manager of SophosLabs, UK. Since August 2010, as Senior Manager TCL, he has been running the Threat Control Lab at K7 Computing's head office in Chennai, India. Since 2010, Samir has actively contributed to the IEEE Taggant System project and other industry initiatives such as AMTSO. He has co-authored and/or presented papers and participated in panel discussions at various security conferences including EICAR 2006, VB2010/VB2013 and AVAR 2010-12. Samir's personal interests include reading (philosophy, politics, history, literature, and economics), sport and classical music.
