Introduction
On average, about .08% of malware attacks remain undetected every day. Such a small percentage is extremely misleading when large companies like Cisco receive more than 1.1 million unique threats a day: that means 88,000 pieces of malware fly under the radar of industry standard antivirus and intrusion detection softwares. “How should we combat such a massive threat that has the ability to take down vast computer systems?”, asks Jessica Bair, Senior Manager of Advanced Threat Solutions at Cisco Security in her Enfuse presentation “Tracking Ransomware: Using Behavior to Identify New Threats.”
What is Ransomware?
Bair began her lecture by covering what ransomware is and how it has changed over its history. Ransomware is defined in her presentation as “a type of malicious software designed to block access to a computer system until a sum of money is paid”. Such attacks are carried out by encrypting the files and contents of a machine with asymmetric encryption, where a victim would need their attacker’s private security key to be able to decrypt their files and regain control of their device. To get the private key, the victim would need to pay a ransom – dependent on the number of encrypted devices and how much data they contained – which can range from 1 or 2 bitcoin to 23 bitcoin. Currently the exchange rate is $4,589 USD per bitcoin, making these demands just as crippling to a victim’s finances as they are to their frozen data.
History of Ransomware
Initial ransomware attacks were where near as advanced as the ones we see today. Early variants started appearing in 1989 with the PC Cyborg strand. This strand counted the number of times the computer booted and on the 90th time it would encrypt a disk and demand around $100 in ransom. The encryption method for PC Cyborg was symmetric encryption, meaning the key that is used to decrypt the data was the same one used to encrypt it. If the victim was able to crack the key, they would be able to get their files back without paying the ransom. A symmetric key also means that a key can be shared among infected users.
A more recent variant of ransomware is called a locker, composing of several strands like WinLock and Reveton. Originating sometime around 2012, these ransomware attacks are programmed to lock up a user’s desktop, making the entire computer inaccessible until the ransom is paid.
Modern Ransomware
Modern day ransomware has stepped up their sophistication and now use RSA-2048 and AES-256 algorithms to encrypt files. This encryption is virtually impossible to crack without obtaining the private key. This type of ransomware will either change your desktop background (Figure 1) to its ransom note or leave a text file with instructions in every folder that contains encrypted files. This type of ransomware tends to spread in phishing pdf email attachments and fake Google Docs. Clicking and downloading a suspicious attachment could cost hundred of dollars. Some .pdf, .docx, and .xlsx documents might require an extra step that has the user open the file and enable macros. A macro is a saved sequence of commands or keyboard strokes that can be stored and then recalled with a single command or keyboard stroke.
Figure 1: example of Locky ransom note
Identifying Ransomware with Threat Grid
After a brief overview of ransomware and its different variations, Bair introduced an online malware analysis sandbox called Threat Grid. A sandbox is a virtual environment that allows a user to deploy all types of malware and see its behavior without putting their workstations at risk. Threat Grid allows a user to upload a malware sample to the sandbox to observe its behavior (Figure 2) and record a list of identifiers (Figure 3). Bair’s presentation included a lab in which attendees used a demo version of Threat Grid to look at several pieces of ransomware. The lab was a great opportunity to analyze modern day ransomware like WannaCry and Locky.
Overall, Bair’s sessions was a great hands-on experience filled with very detailed and relevant information. It proved to be a great introduction to dynamic malware analysis using sandboxes. Bair demonstrated a great passion for teaching others and sharing her knowledge about this tool.
Figure 2: A screenshot from a video of malware deploying on the sandbox
Figure 3: An example of behavioral indicators
Want to know more about our trip to Enfuse 2016? Head to the LCDI blog! We also constantly communicate updates through our Twitter and Facebook, so be sure to Follow and give us a LIKE!