
Anatomy of a Ransomware Attack - Parts 4-5


By: AjayRandhawa

March 19, 2017

4. ANTIVIRUS FAILS TO STOP RANSOM

4.1 Destroying your hard drive

After completing this process and before it begins spying on users, Rombertik runs a final check to make sure it is not being analyzed in memory. If it finds any indication of being analyzed, the spyware attempts to destroy the master boot record (MBR) of the vulnerable computer. Rombertik then restarts the machine, and because the MBR is now missing from the hard drive, the victim's computer goes into an endless restart loop.

The MBR is the first sector of a computer's hard drive, which the system reads before loading the operating system. Deleting or destroying the MBR therefore means re-installing the operating system, and valuable data is lost.

In cases where the malware is under the microscope of security experts or a rival malware author, Rombertik will self-destruct, taking the contents of the victim's hard drive along with it. [6]

4.2 Keeping itself from being sandboxed

When traditional antivirus programs spot a potentially harmful file on your PC, they immediately sandbox it. This method allows the AV product to execute untrusted code or programs that come from unverified third parties, unknown suppliers, untrusted users and potentially harmful websites in a restricted environment, so that the code or program cannot infect the PC.

Malware creators look for ways to avoid this, for example by blending the malware with millions of sample files to confuse the AV's methodology. This way, the malware infection deflects the antivirus's attempt to spot, block or remove it.

There is also another set of tactics that malware creators use to avoid AV detection.
Since the sandbox is a virtual environment, cyber criminals equip malware strains with the ability to detect sandboxing mechanisms by checking registry entries, the PC's video or mouse capabilities, certain ports or processes, and more. When malware detects that it is running in a virtual environment (a sandbox), it stops its activity, so antivirus products may conclude that it is a safe file and let it pass. It may sound complicated, but this happens all the time.

4.3 Domain shadowing

Exploit kit authors compromise a domain name registrant's account and then register subdomains under the legitimate domain of the compromised user. Unless users review their account information, they will not know these subdomains exist. The subdomains point at malicious servers. They are very high volume, short-lived and random, so they are difficult to block. [6]

4.5 The Fast Flux technique

In order to make detection more difficult, malware creators often use more than one evasion technique. Fast Flux is a commonly used method in which cyber criminals associate a huge number of IP addresses with a single fully qualified domain name. They then swap the IP addresses constantly and at high frequency by changing DNS records, so that automated analysis mechanisms cannot detect the real source of the infection. Fast Flux is usually used by botnets (networks of Internet-connected PCs that have been compromised to deliver attacks to other computers without their owners knowing) to hide phishing campaigns, malware-loaded websites and other infection sources targeting a large group of users. [6]

While this method is not new either, it still persists among the tools of choice for malicious actors worldwide.

4.6 Using Encrypted Payloads

Encryption is a great safeguard for data privacy and even data security, but it can cause serious headaches when used by cyber criminals.
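The domain shadowing (4.3) and Fast Flux (4.5) techniques above both leave measurable traces in passive DNS data: shadowed subdomains are random-looking labels that suddenly appear under an otherwise quiet registered domain, and fast-flux names resolve to many unrelated IP addresses with very short TTLs. The following Python is an added example written for this page, not code from the original article or from any product it mentions. The passive-DNS records are constructed for illustration, the thresholds (five or more IPs across two or more /16 prefixes with TTL at or below 300 seconds; labels of eight or more characters with per-character entropy above 3.0 bits) are assumptions a defender would tune to their own data, and registrable domains are approximated as the last two labels rather than via the Public Suffix List.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

# Constructed passive-DNS observations (not real data): "epoch qname rdata ttl".
SAMPLE_PDNS = """\
1489900000 www.example-good.test 203.0.113.10 3600
1489903600 www.example-good.test 203.0.113.11 3600
1489900000 cdn.example-bad.test 198.51.100.7 60
1489900060 cdn.example-bad.test 192.0.2.45 60
1489900120 cdn.example-bad.test 203.0.113.200 60
1489900180 cdn.example-bad.test 198.51.100.99 60
1489900240 cdn.example-bad.test 192.0.2.8 60
1489900300 cdn.example-bad.test 203.0.113.77 60
1489900000 k3x9q7ztb2.victim-registrar.test 192.0.2.100 300
1489900100 p8w2m6vn4c.victim-registrar.test 192.0.2.100 300
1489900200 www.victim-registrar.test 198.51.100.20 86400
1489900300 mail.victim-registrar.test 198.51.100.21 86400
"""


@dataclass
class Observation:
    ts: int
    qname: str
    rdata: str
    ttl: int


def parse_pdns(text):
    """Parse whitespace-separated passive-DNS lines into Observation records."""
    obs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, rdata, ttl = line.split()
        obs.append(Observation(int(ts), qname.lower().rstrip("."), rdata, int(ttl)))
    return obs


def registered_domain(fqdn):
    # Assumption: the registrable domain is the last two labels. Production code
    # should consult the Public Suffix List so that e.g. "co.uk" is handled.
    return ".".join(fqdn.split(".")[-2:])


def label_entropy(label):
    """Shannon entropy of the characters in one DNS label, in bits per character."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fast_flux_indicators(obs, fqdn, max_ttl=300, min_ips=5, min_prefixes=2):
    """Summarise how many distinct IPs and /16 prefixes one name resolved to, and its lowest TTL."""
    rows = [o for o in obs if o.qname == fqdn]
    ips = {o.rdata for o in rows}
    prefixes = {".".join(ip.split(".")[:2]) for ip in ips}  # /16 approximation
    min_ttl = min((o.ttl for o in rows), default=None)
    flagged = (len(ips) >= min_ips and len(prefixes) >= min_prefixes
               and min_ttl is not None and min_ttl <= max_ttl)
    return {"fqdn": fqdn, "distinct_ips": len(ips), "distinct_prefixes": len(prefixes),
            "min_ttl": min_ttl, "fast_flux_suspect": flagged}


def shadowing_candidates(obs, min_len=8, min_entropy=3.0):
    """Group names by registered domain and return the random-looking subdomains under each."""
    by_domain = defaultdict(set)
    for o in obs:
        by_domain[registered_domain(o.qname)].add(o.qname)
    result = {}
    for domain, names in by_domain.items():
        suspicious = sorted(
            n for n in names
            if n != domain
            and len(n.split(".")[0]) >= min_len
            and label_entropy(n.split(".")[0]) > min_entropy
        )
        if suspicious:
            result[domain] = suspicious
    return result


if __name__ == "__main__":
    records = parse_pdns(SAMPLE_PDNS)
    for name in ("www.example-good.test", "cdn.example-bad.test"):
        print(fast_flux_indicators(records, name))
    print(shadowing_candidates(records))
```

Both checks are heuristics: a CDN can legitimately answer with many addresses and short TTLs, so the fast-flux score is best combined with ASN diversity and name age, and the shadowing check is most useful when run against a registrar's own zone change history, where a burst of new random labels under a customer domain is the signal the text describes.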
For example, when a malware creator decides to encrypt the payload used to infect victims' PCs, this delays detection by antivirus products and buys more time to deploy the malware, which can range from data harvesting to ransomware.

Encrypted payloads are usually identified retrospectively, which makes it easy for malware to take over the victim's system until reactive protection mechanisms kick in.

4.7 Polymorphic Behavior

Encryption is not the only deceptive technique that makes malware difficult to spot. Cyber criminals rely on their ability to move faster than security vendors, so they also use other tactics, such as changing file names and file compression. These changes do not affect the function of the malware, but they increase its covertness. [6]

4.8 Using literature to hide exploit kits

Some exploit kit authors are looking to early 19th-century literature to help conceal their 21st-century threats. Specifically, some adversaries are incorporating text from Jane Austen's Sense and Sensibility into web landing pages that host their exploit kits.

Adding passages of classic text to an exploit kit landing page is a more effective obfuscation technique than the traditional approach of using random text. The use of text from more contemporary works such as magazines and blogs is another effective strategy. Antivirus and other security solutions are more likely to categorize the webpage as legitimate after "reading" such text. For users, encountering unexpected references to beloved Austen characters such as Elinor Dashwood and Mrs. Jennings on a webpage may be perplexing but not a cause for immediate concern. But their lack of unease gives adversaries more opportunity to launch their exploits.
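The encrypted payloads of section 4.6 and the repacking and compression described under polymorphic behavior in 4.7 share one property that does not depend on signatures: the bytes look close to uniformly random, so their Shannon entropy approaches 8 bits per byte, while code, text and padding sit far lower. That is the packed-executable heuristic referenced in [8] and it can be applied before any signature exists. The following Python is an added example for this page, not code from the original article; the sample "files" are constructed in memory (a repeated plain-text string and bytes from a seeded pseudo-random generator standing in for an encrypted payload), and the 1024-byte window, the 7.2-bit threshold and the 50% window fraction are assumptions to be tuned.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant byte, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.2):
    """Return (offset, entropy) for every fixed-size window at or above the threshold."""
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:  # ignore a tiny trailing chunk
            continue
        e = shannon_entropy(chunk)
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def looks_packed_or_encrypted(data: bytes, window: int = 1024,
                              threshold: float = 7.2, min_fraction: float = 0.5) -> bool:
    """Flag a blob when at least min_fraction of its windows are near-random."""
    total = max(1, len(data) // window)
    return len(high_entropy_windows(data, window, threshold)) / total >= min_fraction


# Constructed samples (not real malware). PLAIN_SAMPLE mimics a stub message followed by
# zero padding; ENCRYPTED_SAMPLE uses a seeded PRNG so the result is reproducible.
PLAIN_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 40 + b"\x00" * 1024
_rng = random.Random(20170319)
ENCRYPTED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(8192))
# A file whose first 2 KiB are plain and whose remaining 4 KiB are the "encrypted" payload.
MIXED_SAMPLE = PLAIN_SAMPLE[:2048] + ENCRYPTED_SAMPLE[:4096]


def triage_report(name: str, data: bytes) -> str:
    hits = high_entropy_windows(data)
    verdict = "suspect" if looks_packed_or_encrypted(data) else "plain"
    return f"{name}: {len(data)} bytes, {len(hits)} high-entropy windows -> {verdict}"


if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE), ("mixed", MIXED_SAMPLE)):
        print(triage_report(label, blob))
        print("   windows:", high_entropy_windows(blob))
```

Windowing matters more than the whole-file number: a dropper that is mostly benign code with an encrypted blob appended (the MIXED_SAMPLE case) can have a modest average entropy yet a run of near-8-bit windows at a fixed offset, which is exactly where a sandbox or analyst should look for the decryption routine that unpacks it at run time.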
The use of known works instead of random text is just one example of how threat actors are evolving their schemes to avoid detection.

4.9 Using Tor and the Invisible Internet Project (I2P)

Tor is well known for its use by Internet users who want to hide their traffic for various reasons, both good (cyber security research) and bad (cyber-crime). So it is no wonder that malware creators employ this anonymity network to conceal their communication, for example the information exchange between a payload and a malicious server.

4.10 Using Microsoft Macros

Microsoft macros are a notorious infection vector that cyber criminals have been using for years and years, but they are still not out of fashion. Microsoft may have blocked macros from running automatically, but it cannot protect users from social engineering. Persuading users to run macros themselves requires skill and more time than automated attacks, but it can bring more effective results and worse consequences for the victim. In order to make sure that they stay below the radar, malicious actors change the threats very fast and very often, forcing detection mechanisms to start over and over again.

4.11 Remaining dormant

This type of evasion is timing-based, meaning that the malware strain only runs or monitors the user's actions when the system is most vulnerable. This can happen, for example, during the boot process. The rest of the time, the malware can remain dormant, thus going undetected by traditional security solutions.

4.12 UNBREAKABLE ENCRYPTION

Heimdal Security warns that not only is the ransomware more powerful than ever, it has also been patched with a number of 'bug fixes'. This means that it is now better equipped to deal with very large files, while the use of RSA 4096 means that recovery of data is completely impossible. Specialists at Heimdal Security say that the previously-reliable Decoder tool is now worthless.

5. How anonymous is Bitcoin?

Bitcoin could be interpreted as a 'pseudo-anonymous' network. It is anonymous in the sense that you can hold a Bitcoin address without revealing anything about your identity in that address. One person could hold multiple addresses, and in theory there would be nothing to link those addresses together, or to indicate that the person owned them.

So far so good, but there is another side to Bitcoin. Everything that happens in the Bitcoin world is traceable. Thanks to the way that the algorithm is structured, every Bitcoin-based transaction is logged in the block chain. This leads to a level of transparency that may surprise some Bitcoin users. "If you publish your Bitcoin address on your website, then everyone in the world will be able to know what your Bitcoin balance is," points out Sergio Lerner, CEO of Argentinian company Certimix. [6]

Certimix develops products for protecting online card game sites and their players, using mathematically proven algorithms. Lerner has a strong cryptography background, and has discovered several vulnerabilities in the Satoshi algorithm. "Privacy is not enforced by the Bitcoin protocol design," he says. "If you re-use the same address over and over to receive money from other users, then every one of them will detect that the others have sent you money."
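Section 4.10 notes that Microsoft has blocked macros from running automatically but cannot protect users who are talked into enabling them, so a mail gateway or file scanner should at least know which attachments carry VBA before a user ever sees them. The following Python is an added example for this page, not code from the original article. It relies on one documented fact about the Office Open XML formats (.docm, .xlsm, .pptm and their macro-free siblings are zip containers, and VBA code lives in a part named vbaProject.bin); the sample documents are constructed in memory and are not valid Office files, and the policy of blocking any macro-free extension that nevertheless contains a VBA part, while quarantining genuine macro-enabled files for review, is an assumed organisational rule.

```python
import io
import zipfile

# Office Open XML stores VBA code in a binary part with this name (e.g. word/vbaProject.bin).
VBA_PART_SUFFIX = "vbaproject.bin"
# Extensions that are macro-free by definition; a VBA part inside one is itself an anomaly.
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}


def vba_parts(container: bytes):
    """Return the names of VBA project parts inside an OOXML zip, or [] if none or not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(container)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(VBA_PART_SUFFIX)]
    except zipfile.BadZipFile:
        return []


def triage(filename: str, container: bytes) -> str:
    """Decide what a gateway should do with an attachment based on extension and VBA presence."""
    parts = vba_parts(container)
    ext = filename.lower().rsplit(".", 1)[-1]
    if parts and ext in MACRO_FREE_EXTENSIONS:
        return "block: VBA project in a macro-free extension (" + ", ".join(parts) + ")"
    if parts:
        return "quarantine: macro-enabled document, route for review (" + ", ".join(parts) + ")"
    return "allow: no VBA project found"


def build_sample_doc(with_macro: bool) -> bytes:
    """Construct a minimal zip that imitates the layout of a Word document (constructed, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder content; the real part is an OLE2 compound file.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in (("invoice.docm", build_sample_doc(True)),
                      ("invoice.docx", build_sample_doc(True)),
                      ("invoice.docx", build_sample_doc(False)),
                      ("invoice.docx", b"not a zip at all")):
        print(f"{name}: {triage(name, doc)}")
```

This check only covers the zip-based formats; legacy binary .doc and .xls files store macros in OLE2 streams and need an OLE parser (the open-source oletools project's olevba is the usual choice), and a presence check says nothing about what the macro does, so the quarantine path should hand the file to static analysis or a sandbox rather than to the user.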
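Lerner's two observations in section 5, that a published address exposes its balance and that re-using one receiving address lets every payer see the others, follow from the public ledger, and the same ledger also undermines the idea that "nothing links" a person's multiple addresses: when several addresses are spent together as inputs of one transaction, the common-input-ownership heuristic used in blockchain analysis assumes one party controls all of them. The following Python is an added example for this page, not code from the original article; the transactions are constructed, with short labels standing in for real addresses, and the heuristic is applied with a union-find structure.

```python
from collections import defaultdict

# Constructed transactions (not real chain data). Each transaction lists the addresses
# that funded it (inputs) and the addresses it paid (outputs).
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A1", "A2"], "outputs": ["M1"]},
    {"txid": "tx2", "inputs": ["A2", "A3"], "outputs": ["M1"]},
    {"txid": "tx3", "inputs": ["B1"], "outputs": ["A4"]},
    {"txid": "tx4", "inputs": ["C1"], "outputs": ["M1"]},
]


class DisjointSet:
    """Union-find over address strings with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(txs):
    """Common-input-ownership heuristic: all inputs of one transaction are merged into one cluster."""
    ds = DisjointSet()
    for tx in txs:
        ins = tx["inputs"]
        for addr in ins[1:]:
            ds.union(ins[0], addr)
        for addr in ins:
            ds.find(addr)  # register single-input addresses too
    clusters = defaultdict(set)
    for addr in ds.parent:
        clusters[ds.find(addr)].add(addr)
    return [frozenset(c) for c in clusters.values()]


def cluster_of(txs, address):
    """The cluster containing an address; an address never seen as an input is its own cluster."""
    for c in cluster_by_common_input(txs):
        if address in c:
            return c
    return frozenset({address})


def payers_to(txs, address):
    """Every distinct input address that ever paid a given (re-used) receiving address."""
    return sorted({a for tx in txs if address in tx["outputs"] for a in tx["inputs"]})


if __name__ == "__main__":
    for c in cluster_by_common_input(SAMPLE_TXS):
        print("cluster:", sorted(c))
    # Re-used receiving address M1: each payer can see the others in the ledger.
    print("payers to M1:", payers_to(SAMPLE_TXS, "M1"))
```

The heuristic is deliberately simple and has known false positives (CoinJoin-style transactions combine inputs from unrelated parties on purpose), which is why investigators corroborate clusters with change-address and timing analysis; the point for this section is only that address separation alone, as the text says, is not enforced by the protocol.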
References:

[1] B. Fraga. Swansea police pay $750 "ransom" after computer virus strikes. The Herald News, 2013.
[2] G. O'Gorman and G. McDonald. Ransomware: A growing menace. Technical report, Symantec Corporation, 2012.
[3] Anatomy of a Crypto Ransomware Attack. attack-cryptolocker-cryptowall-and-how-to-stay-safe-infographic/
[4] E. Arnold. Tennessee sheriff pays ransom to cybercriminals, in bitcoin. 2014.
[5] Common type of Ransomware.
[6] N. Andronio, S. Zanero, and F. Maggi. HelDroid: Dissecting and detecting mobile ransomware. In Proceedings of the International Symposium on Research in Attacks, Intrusion and Detection (RAID), 2015.
[7] A. Viswanathan, K. Tan, and C. Neuman. Deconstructing the assessment of anomaly-based intrusion detectors. In Proceedings of the International Symposium on Research in Attacks, Intrusion and Detection (RAID), 2013.
[8] R. Perdisci, A. Lanzi, and W. Lee. Classification of packed executables for accurate computer virus detection. Pattern Recognition Letters, 29(14), 2008.
[9] V. Roussev. Data fingerprinting with similarity digests. In Advances in Digital Forensics VI, IFIP Advances in Information and Communication Technology. Springer Berlin Heidelberg, 2010.
[10] N. Scaife, H. Carter, and P. Traynor. OnionDNS: A seizure-resistant top-level domain. In IEEE Conference on Communications and Network Security (CNS), 2015.
[11] Tang, S. Sethumadhavan, and S. Stolfo. Unsupervised Anomaly-based Malware Detection using Hardware Features. In Proceedings of the International Symposium on Research in Attacks, Intrusion and Detection (RAID).