Ransomware is a regular nuisance. A ransomware infection takes your computer hostage, and demands payment for release. In some cases, a payment doesn’t secure your files. Personal photos, music, films, work, and more are destroyed. The ransomware infection rate continues to rise — unfortunately, we still haven’t reached the peak — and its complexity is increasing.
There have been notable exceptions. In some cases, security researchers have found weaknesses in how a ransomware family implemented its encryption (a predictable key generator, say, or keys left recoverable on the victim's machine), allowing them to create a coveted decryption tool. Such events are rare, and often arrive only when the botnet behind a campaign is taken down and its key database seized. Still, not all ransomware is as complex as we think.
The Anatomy of an Attack
Like most malware, ransomware tries to remain hidden, but only for as long as it needs to encrypt your personal files. It is written to leave the user as much of the system's resources as possible, so as not to raise the alarm. Consequently, for many users, the first sign of a ransomware infection is the post-encryption message explaining what has happened.
Compared to other malware, ransomware's infection process is quite predictable. The user downloads and runs an infected file that carries the ransomware payload. When it executes, nothing appears to happen immediately (depending on the variant). The user remains unaware as the ransomware begins encrypting their personal files.
As well as this, a ransomware attack has several other distinct behavioral patterns:
- A distinctive ransom note.
- Background traffic between the host and the attacker's command and control servers.
- A change in the entropy of files on disk.
File entropy can be used to identify files encrypted with ransomware. Writing for the Internet Storm Centre, Rob VandenBrink briefly outlines file entropy and ransomware:
In the IT industry, a file’s entropy refers to a specific measure of randomness called “Shannon Entropy,” named for Claude Shannon. This value is essentially a measure of the predictability of any specific character in the file, based on preceding characters (full details and math here). In other words, it’s a measure of the “randomness” of the data in a file — measured on a scale of 1 to 8, where typical text files will have a low value, and encrypted or compressed files will have a high measure.
I would suggest reading the original article as it is very interesting.
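To make the entropy signal concrete, here is an added example (my code, not from the article or from the Internet Storm Center piece it quotes) that computes Shannon entropy in bits per byte and classifies a buffer as ciphertext-like or plaintext-like. The threshold value, the sample inputs and the SHA-256 counter stream standing in for an encrypted file are all constructed for the demo; the threshold in particular is an assumption to be tuned against your own file population. The third sample shows the caveat: a compressed file scores just as high as an encrypted one.

```python
import hashlib
import math
import zlib
from collections import Counter
from typing import List


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte.

    0.0 means every byte is identical; 8.0 means all 256 byte values are
    equally frequent, which is what ciphertext (and well-compressed data) look like.
    """
    if not data:
        return 0.0
    n = len(data)
    h = -sum((c / n) * math.log2(c / n) for c in Counter(data).values())
    return h if h else 0.0   # normalise -0.0 for the single-value case


# Assumption: an illustrative cut-off, not a published standard. Tune it against
# the real mix of documents, archives and media in your environment.
HIGH_ENTROPY_THRESHOLD = 7.0


def classify(data: bytes) -> str:
    """Label a buffer 'high' (ciphertext-like) or 'low' (plaintext-like)."""
    return "high" if shannon_entropy(data) >= HIGH_ENTROPY_THRESHOLD else "low"


def chunk_entropies(data: bytes, chunk_size: int = 1024) -> List[float]:
    """Entropy per fixed-size chunk. A whole-file score hides mixed content
    (a plaintext header followed by an encrypted body, for instance); the
    per-chunk profile shows where the high-entropy region starts."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def _prng_stream(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 in counter mode). Used only to
    build reproducible sample inputs; it is a stand-in for ciphertext, not a cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Constructed sample inputs (32-word vocabulary, so each byte of the stream picks uniformly).
_VOCAB = ("the quick brown fox jumps over lazy dog while ransomware quietly "
          "encrypts every document photo and spreadsheet on this workstation "
          "before dropping a note that demands payment in exchange for a key").split()
SAMPLE_TEXT = " ".join(_VOCAB[b % len(_VOCAB)] for b in _prng_stream(b"text", 1500)).encode()
SAMPLE_CIPHERTEXT = _prng_stream(b"ct", 4096)       # what an encrypted file looks like statistically
SAMPLE_COMPRESSED = zlib.compress(SAMPLE_TEXT, 9)    # the caveat: compression also scores high


if __name__ == "__main__":
    for name, blob in (("text", SAMPLE_TEXT), ("ciphertext", SAMPLE_CIPHERTEXT),
                       ("compressed", SAMPLE_COMPRESSED)):
        print(f"{name:11s} {len(blob):6d} bytes  entropy={shannon_entropy(blob):.3f}  -> {classify(blob)}")
```

Run it and the plain text lands around 4 to 5 bits per byte while both the pseudo-ciphertext and the zlib output sit near 8. That is why entropy alone raises false positives on archives, JPEGs and office documents (which are themselves zip containers), and why it works best as one feature alongside the others listed above, such as the ransom note and the burst of file renames, rather than as a verdict on its own.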
You can't solve ransomware with a fancy entropy algorithm found in Google ;-) The problem is a bit more complex than that.
— The mach monster (@osxreverser) April 20, 2016
Is It Different From “Ordinary” Malware?
Ransomware and other malware share a common goal: staying hidden, because a user who spots an infection early still has a chance of stopping it. The magic word is “encryption.” Ransomware earned its infamy through its use of encryption, yet malware has used encryption for a very long time.
Encryption helps malware slip past antivirus programs by defeating signature detection. Instead of a recognizable sequence of bytes that would trip a defense, the scanner sees an encrypted (or packed) blob that matches nothing; the real payload only appears once it is decrypted in memory. Although antivirus suites are becoming more adept at spotting these signatures (byte patterns or file hashes), working around them is trivial for many malware developers: re-encrypting the same payload with a new key produces a file with a new hash and no matching pattern.
Common Obfuscation Methods
Here are a few more common methods of obfuscation:
- Detection — Many malware variants can detect whether they are running in a virtualized environment or sandbox, and respond by refusing to execute or unpack. This keeps the real payload away from security researchers and delays the creation of an up-to-date signature.
- Timing — The best antivirus suites are constantly alert, checking for new threats, but no antivirus program can watch every part of a system at every moment. Some malware, for instance, delays its real activity until after a system restart, slipping past (and often disabling in the process) the antivirus's protection.
- Communication — Much malware phones home to its command and control (C&C) server for instructions. When it does, an antivirus program or network filter can block connections to addresses known to host C&C servers. Malware developers respond by rotating the C&C addresses, or generating fresh domains algorithmically, so that blocklists fall behind.
- False Operation — A convincingly crafted fake program (a bogus security scan or system alert, for example) is one of the most common faces of a malware infection. Unwitting users assume it is a regular part of their operating system (usually Windows) and blithely follow the on-screen instructions. These are particularly hazardous for inexperienced PC users: behind the friendly front-end, the program can grant a host of malicious components access to the system.
This list isn’t exhaustive. However, it does cover some of the most common methods malware uses to remain obscured on your PC.
Is Ransomware Simple?
Simple is perhaps the wrong word. Ransomware is different. A ransomware variant uses encryption more extensively than its counterparts, and in a different manner. The actions of a ransomware infection are what make it notable, and what create its aura: ransomware is something to fear.
Ransomware uses somewhat novel features, such as:
- Encrypting large numbers of files.
- Deleting Volume Shadow Copies that would otherwise let users restore previous versions of their files.
- Creating encryption keys and keeping them on remote C&C servers, out of the victim's reach.
- Demanding a ransom, usually in Bitcoin, which is pseudonymous and hard (though not impossible) to trace.
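Of the behaviors above, shadow copy deletion is the easiest to catch in process-creation logs, because it needs a handful of well-known Windows commands. The following is an added example of that detection logic (my code, not the article's): it parses constructed process-creation log lines, flags the shadow-copy deletion commands, and goes one step beyond the list item to include the closely related commands that kill Windows backup catalogs and boot recovery. The command syntax is real Windows tooling; the log format, hostnames, file names and the two-rule escalation threshold are assumptions made for the demo.

```python
import re
from typing import Dict, List, Tuple

# Command lines that delete or shrink Volume Shadow Copies, or disable Windows recovery.
# Real Windows commands; the rule names are my own labels.
RECOVERY_KILL_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("vssadmin_delete",  re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize",  re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy",  re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_wmi",   re.compile(r"win32_shadowcopy", re.I)),
    ("wbadmin_catalog",  re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("bcdedit_recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]

# Constructed process-creation events in a simple key=value format (assumed, not a real product's schema).
SAMPLE_LOG = """\
ts=2017-02-20T10:15:02Z host=WS01 user=alice parent=explorer.exe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin list shadows"
ts=2017-02-20T10:16:40Z host=WS01 user=alice parent=invoice_2017.pdf.exe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin delete shadows /all /quiet"
ts=2017-02-20T10:16:41Z host=WS01 user=alice parent=invoice_2017.pdf.exe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic shadowcopy delete"
ts=2017-02-20T10:16:42Z host=WS01 user=alice parent=invoice_2017.pdf.exe image=C:\\Windows\\System32\\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled No"
ts=2017-02-20T10:16:43Z host=WS01 user=alice parent=invoice_2017.pdf.exe image=C:\\Windows\\System32\\wbadmin.exe cmd="wbadmin delete catalog -quiet"
ts=2017-02-20T11:02:09Z host=WS02 user=bob parent=cmd.exe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic os get caption"
ts=2017-02-20T11:05:00Z host=WS02 user=bob parent=cmd.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd="powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
"""

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict; quoted values keep their spaces."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _FIELD.findall(line)}


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per event whose command line matches a recovery-kill pattern."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        cmd = ev.get("cmd", "")
        for rule, pattern in RECOVERY_KILL_PATTERNS:
            if pattern.search(cmd):
                alerts.append({"rule": rule, "ts": ev.get("ts", ""), "host": ev.get("host", ""),
                               "parent": ev.get("parent", ""), "cmd": cmd})
                break
    return alerts


def correlate(alerts: List[Dict[str, str]], min_distinct_rules: int = 2) -> Dict[Tuple[str, str], List[str]]:
    """A single hit can be an administrator; several different recovery-kill commands
    from the same parent process on the same host is the ransomware precursor pattern.
    The threshold of two distinct rules is an assumption for the demo."""
    by_origin: Dict[Tuple[str, str], set] = {}
    for a in alerts:
        by_origin.setdefault((a["host"], a["parent"]), set()).add(a["rule"])
    return {origin: sorted(rules) for origin, rules in by_origin.items()
            if len(rules) >= min_distinct_rules}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for a in hits:
        print(f"{a['ts']} {a['host']} {a['parent']:22s} {a['rule']:17s} {a['cmd']}")
    print("escalate:", correlate(hits))
```

Note what the correlation step buys you: the `vssadmin list shadows` and `wmic os get caption` lines never fire, bob's lone PowerShell shadow-copy deletion is a single alert that a human can triage, and only the burst of four different recovery-killing commands spawned by `invoice_2017.pdf.exe` is escalated. Keying on the parent process rather than the user is deliberate, since the user is the victim in every one of those events.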
Whereas traditional malware “merely” steals your credentials and passwords in the background, ransomware confronts you directly, disrupting your immediate computing environment. Its aftermath is also highly visible.
Ransomware Tactics: Master File Table
Ransomware’s “Wow!” factor certainly comes from its use of encryption. But is the sophistication all it seems? Engin Kirda, Co-Founder and Chief Architect at Lastline Labs, thinks not. He and his team (building on research by Amin Kharraz, one of Kirda’s PhD students) completed a large ransomware study, analyzing 1359 samples from 15 ransomware families. Their analysis looked at the deletion mechanisms the samples used, and the results were interesting.
What are the deletion mechanisms? About 36 percent of the five most common ransomware families in the data set were deleting files. If you didn’t pay up, the files were actually being deleted. Most of the deletion, in fact, was quite straightforward.
How would a professional person do this? They would actually aim to wipe the disk so that it’s difficult to recover the data. You would write over the disk, you would wipe that file off the disk. But most of them were, of course, lazy, and they were directly working on the Master File Table entries and marking things as deleted, but the data was still remaining on disk.
Consequently, that deleted data could be retrieved with ordinary forensic recovery tools, and in many cases fully recovered.
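The difference between the two deletion styles Kirda describes is easy to show with a toy volume. The following is an added example, written for this page and not taken from the Lastline study: a byte array stands in for the disk, a small table of (offset, length, in-use) entries stands in for the Master File Table, and a signature-based carver ignores that table entirely and walks the raw bytes, which is how recovery tools get data back after a lazy delete. The `\x89TOY` file signature, the length-prefixed record layout and the two file names are constructed for the demo.

```python
import struct
from typing import Dict, List, Tuple

MAGIC = b"\x89TOY"   # constructed file signature for the demo, not a real format


def pack_file(payload: bytes) -> bytes:
    """Self-describing on-disk record: magic, 4-byte big-endian length, payload."""
    return MAGIC + struct.pack(">I", len(payload)) + payload


class ToyVolume:
    """A raw byte array plus a file table, standing in for a disk and its MFT.
    Each table entry records where the file lives and whether the entry is in use."""

    def __init__(self, size: int = 16 * 1024) -> None:
        self.raw = bytearray(size)
        self.table: Dict[str, Tuple[int, int, bool]] = {}   # name -> (offset, length, in_use)
        self._cursor = 0   # simple bump allocator; freed space is never reused here

    def create(self, name: str, payload: bytes) -> None:
        record = pack_file(payload)
        end = self._cursor + len(record)
        if end > len(self.raw):
            raise OSError("volume full")
        self.raw[self._cursor:end] = record
        self.table[name] = (self._cursor, len(record), True)
        self._cursor = end

    def exists(self, name: str) -> bool:
        return name in self.table and self.table[name][2]

    def read(self, name: str) -> bytes:
        """The file-system view: a released entry is simply gone."""
        offset, length, in_use = self.table[name]
        if not in_use:
            raise FileNotFoundError(name)
        return bytes(self.raw[offset + len(MAGIC) + 4:offset + length])

    def lazy_delete(self, name: str) -> None:
        """What most samples in the study did: mark the entry unused, leave the data."""
        offset, length, _ = self.table[name]
        self.table[name] = (offset, length, False)

    def wipe_delete(self, name: str) -> None:
        """What a careful attacker would do: overwrite the clusters, then release the entry."""
        offset, length, _ = self.table[name]
        self.raw[offset:offset + length] = b"\x00" * length
        self.table[name] = (offset, length, False)


def carve(raw: bytes) -> List[bytes]:
    """Signature-based carving: ignore the file table, scan the raw bytes for MAGIC,
    and trust the length field to cut out each payload. (A payload that itself
    contains MAGIC would yield a false hit; real carvers validate the structure.)"""
    found = []
    pos = raw.find(MAGIC)
    while pos != -1:
        hdr_end = pos + len(MAGIC) + 4
        if hdr_end > len(raw):
            break
        (length,) = struct.unpack(">I", raw[pos + len(MAGIC):hdr_end])
        if hdr_end + length <= len(raw):
            found.append(bytes(raw[hdr_end:hdr_end + length]))
        pos = raw.find(MAGIC, pos + 1)
    return found


def demo() -> Dict[str, object]:
    """Two files, one deleted lazily and one wiped; returns what the table says
    and what a carver can still pull off the raw volume."""
    vol = ToyVolume()
    vol.create("photo.jpg", b"holiday photo bytes")
    vol.create("thesis.docx", b"draft chapter three")
    vol.lazy_delete("photo.jpg")      # entry released, clusters untouched
    vol.wipe_delete("thesis.docx")    # clusters overwritten, then entry released
    return {
        "table_says_gone": not vol.exists("photo.jpg") and not vol.exists("thesis.docx"),
        "carved": carve(bytes(vol.raw)),
    }


if __name__ == "__main__":
    print(demo())
```

Both files look equally gone to the file system, but the carver recovers the lazily deleted photo and nothing of the wiped thesis. On a real volume the window is not unlimited: the released clusters survive only until the file system reuses them, and on SSDs a TRIM after deletion can zero them well before that. Recovery attempts therefore belong before any further writes to the disk, ideally against an image of it.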
Ransomware Tactics: Desktop Environment
Another classic ransomware behavior is locking the desktop. This type of attack is found in more basic variants. Instead of actually getting on with encrypting and deleting files, the ransomware locks the desktop, shutting the user out of the machine. Most users take this to mean their files are gone (either encrypted or completely deleted) and cannot be recovered, when in fact they may be untouched.
Ransomware Tactics: Forced Messages
Ransomware infections notoriously display a ransom note, usually demanding payment for the safe return of the user’s files. In addition, some ransomware sends users to specific web pages while disabling certain system features, so they cannot close the page or image. This is similar to a locked desktop, and it likewise doesn’t automatically mean that the user’s files have been encrypted or deleted.
Think Before Paying
A ransomware infection can be devastating; there is no doubt about that. But being hit with ransomware doesn’t automatically mean your data is gone forever. Ransomware developers aren’t all brilliant programmers. If there is an easy route to immediate financial gain, they will take it, safe in the knowledge that some users will pay up because the threat is immediate and direct. That reaction is completely understandable.
The best ransomware mitigations remain the same: back up your files regularly to a drive that is kept offline (ransomware will encrypt any attached disk or mapped network share it can reach), keep your operating system, antivirus suite and browsers updated, watch out for phishing emails, and be sensible about what you download and run.