Organizations face a wide variety of cyber threats, but few, if any, have achieved the same level of visibility as ransomware. Attacks like WannaCry and more recent attacks against cities, hospitals and other entities have captured the public interest. Ransomware can be sophisticated and may be explicitly designed to evade the signature-based detection used by traditional antivirus. However, many ransomware variants behave similarly, and that shared behaviour can be used to detect them.
Common Behavior Across Ransomware Attacks
While ransomware comes from a variety of different authors, some commonalities exist across ransomware families. A recent report pointed out some of the common threads across ransomware infections that can be used to detect and respond to a ransomware attack.
Bulk Document Encryption
Different ransomware variants accomplish their goals in different ways. However, a common goal across ransomware variants is to deny the victim access to their computer through the use of encryption. By replacing valuable files with encrypted versions, a ransomware attacker forces their target to make the difficult choice between writing off their files and paying the ransom to get the encryption key needed to restore them.
The very act of encrypting massive numbers of files on a computer is a clear warning sign of a ransomware infection. Most programs on a computer have no reason to open, modify, and delete many different files in parallel or in quick succession. Looking for this anomalous behaviour is one of the most reliable ways to detect and block a ransomware infection. Additionally, since this is a core part of ransomware’s functionality, it isn’t something that can be easily removed from or masked in the malware.
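The behavioural signal described above, as an added example that is not from the original article: a small detector that replays file-system events (constructed sample data, with assumed process names and a hypothetical `.locked` extension) and flags any process that touches more than a threshold of distinct files inside a short sliding window, reporting the extensions its renames produce.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp_seconds, pid, process_name, operation, path).
# pid 1001 is a word processor touching two files; pid 4242 is a hypothetical
# process that rewrites 40 documents and renames each one to a ".locked" extension.
SAMPLE_EVENTS = [
    (0.0, 1001, "winword.exe", "modify", "C:/Users/a/report.docx"),
    (0.5, 1001, "winword.exe", "modify", "C:/Users/a/~$report.docx"),
] + [
    (10.0 + i * 0.05, 4242, "update.exe", op, f"C:/Users/a/Documents/file{i}.{ext}")
    for i in range(40)
    for op, ext in (("modify", "docx"), ("rename", "docx.locked"))
]

WINDOW_SECONDS = 5.0        # length of the sliding window
MAX_FILES_PER_WINDOW = 25   # distinct files a single process may touch per window


def detect_bulk_encryption(events, window=WINDOW_SECONDS, threshold=MAX_FILES_PER_WINDOW):
    """Return one alert per process that modifies, renames or deletes more than
    `threshold` distinct files within any `window`-second span of events."""
    recent = defaultdict(deque)   # pid -> (timestamp, path) pairs inside the window
    rename_exts = defaultdict(set)  # pid -> extensions produced by its renames
    alerts, alerted = [], set()
    for ts, pid, name, op, path in sorted(events):
        if op not in ("modify", "rename", "delete"):
            continue  # reads alone are not an encryption signal
        if op == "rename" and "." in path:
            rename_exts[pid].add(path.rsplit(".", 1)[-1])
        q = recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > threshold and pid not in alerted:
            alerted.add(pid)
            alerts.append({"pid": pid, "process": name, "files": len(distinct),
                           "rename_exts": sorted(rename_exts[pid]), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_encryption(SAMPLE_EVENTS):
        print(alert)
```

A uniform new extension across many renames (here `locked`) is a second, independent signal worth surfacing alongside the raw file count.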
Ransomware authors are paranoid about antivirus and anti-ransomware solutions. While the degree of this paranoia varies, many ransomware variants spend an inordinate amount of time and energy trying to ensure that no programs capable of detecting and removing them are running on the infected machine. This allows the ransomware both to ensure that it can accomplish its mission successfully and to lay the groundwork for second-stage malware to execute on the machine.
Ransomware anti-detection logic is a cat-and-mouse game in which both parties attempt to find and terminate the other. Many ransomware variants implement anti-detection by scanning for a list of common security-product process names and terminating any they find. This behaviour can make the malware easier to detect. A list of antivirus process names contained within a file is a dead giveaway that the file contains malicious code. Additionally, scanning for process names and terminating selected processes raises flags that can be used to pinpoint the malicious process on the machine. While anti-detection functionality is not vital to ransomware’s end goals, it is often necessary to ensure that the attack can complete without interruption.
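Both detection angles in the paragraph above, as an added example that is not from the original article: a static check that counts security-tool names embedded in a binary (as ASCII or UTF-16LE strings, the two encodings Windows binaries commonly use), and a behavioural check over constructed process-termination events that flags an actor attempting to kill several watchlisted processes in a short window. The watchlist names are placeholders, not real product binaries.

```python
from collections import defaultdict

# Constructed placeholder watchlist of security tooling a defender cares about.
SECURITY_PROCESSES = {"av_service.exe", "edr_agent.exe", "backup_agent.exe", "siem_forwarder.exe"}

# Constructed termination events: (timestamp, actor_pid, actor_name, target_name, outcome).
# pid 777 is a hypothetical process sweeping through the watchlist; the others are benign.
SAMPLE_EVENTS = [
    (1.0, 500, "taskmgr.exe", "notepad.exe", "success"),
    (20.0, 777, "svc_host.exe", "av_service.exe", "success"),
    (20.1, 777, "svc_host.exe", "edr_agent.exe", "denied"),
    (20.2, 777, "svc_host.exe", "backup_agent.exe", "success"),
    (20.3, 777, "svc_host.exe", "siem_forwarder.exe", "success"),
    (90.0, 900, "installer.exe", "backup_agent.exe", "success"),
]


def watchlist_strings_in_file(data, watchlist=SECURITY_PROCESSES):
    """Static check: which watchlisted names appear in a binary blob, ASCII or UTF-16LE."""
    found = {n for n in watchlist
             if n.encode("ascii") in data or n.encode("utf-16-le") in data}
    return sorted(found)


def detect_security_tool_termination(events, watchlist=SECURITY_PROCESSES,
                                     window=30.0, min_targets=2):
    """Behavioural check: flag an actor that attempts to terminate at least
    `min_targets` distinct watchlisted processes within `window` seconds.
    Denied attempts count too, since the attempt itself is the signal."""
    recent = defaultdict(list)   # actor pid -> (timestamp, target) inside the window
    alerts, by_pid = [], {}
    for ts, pid, name, target, outcome in sorted(events):
        target = target.lower()
        if target not in watchlist:
            continue
        recent[pid] = [(t, tg) for t, tg in recent[pid] if ts - t <= window] + [(ts, target)]
        targets = {tg for _, tg in recent[pid]}
        if len(targets) >= min_targets:
            if pid not in by_pid:   # first time over threshold: open an alert
                by_pid[pid] = {"pid": pid, "process": name, "targets": set(), "first_seen": ts}
                alerts.append(by_pid[pid])
            by_pid[pid]["targets"].update(targets)
    for a in alerts:
        a["targets"] = sorted(a["targets"])
    return alerts
```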
Signing Code with Stolen/Purchased Certificates
Most operating systems have some sort of restrictions on code execution based upon code signing. By default, Windows won’t allow code to execute that doesn’t originate from the Microsoft Store, and Apple has locked down its operating systems to only allow code that is signed by a certificate provided by Apple.
Code signing is designed to ensure that code originates from the supposed author and has not been modified since publication. Some ransomware variants use stolen or purchased code-signing keys and certificates to sign their code as a trusted party. This makes the ransomware look more legitimate but can also make it easier to detect. Code signing pins down the supposed author of a program, making it easier to check whether a suspicious program actually matches a legitimate software release from that vendor.
All operating systems have the concept of privileges, where a user’s or program’s level of access is limited to the permissions that they have. Only administrator-level accounts on a system can read and access all files on the system.
Ransomware, by design, wants access to as many files on the system as possible. Compromising and encrypting the files of a low-privileged account may not cause enough damage to convince a victim to pay a ransom. As a result, ransomware commonly performs privilege escalation, leveraging access to a low-privileged account together with a vulnerability on the system to gain administrator-level access.
Privilege escalation attacks are often successful because the associated vulnerabilities are not always rated as critical and are therefore deprioritized in patching cycles. The use of privilege escalation can be detected by monitoring for the exploit itself or for anomalous use of accounts with elevated privileges. Identifying account misuse can help to identify a ransomware infection.
After ransomware has infected a system, it is a race to complete its mission before being detected. While some ransomware variants may “lie low” for a while to decrease the probability of detection, eventually they need to start encrypting files. Once this occurs, file encryption needs to be completed as swiftly as possible to minimize the probability that the ransomware will be interrupted.
To speed up encryption, some ransomware variants are optimized to encrypt many files in parallel by taking advantage of multi-core processors. While multithreading is certainly not an automatic indication of malicious functionality, monitoring for it alongside bulk file activity may help with the detection of these ransomware outbreaks.
Fighting the Ransomware Menace
Ransomware has become one of the most famous and expensive malware threats facing organizations; however, these attacks can be detected and prevented. Moving beyond signature-based detection to behavioural monitoring can help to identify ransomware in a sustainable and scalable way.