ISACA Now Blog


Ransomware Analysis – Executions Flow and Kill Chain

Lavi Lazarovitz, Team Lead, CyberArk Labs
Posted at 3:00 PM by ISACA News | Category: Security

Recent ransomware attacks, including WannaCry, Petya and NotPetya (which is considered to be a wiper, as it irreversibly damages the disk), hit and partially paralyzed hospitals and large commercial organizations. Meanwhile, the security community and security vendors are working to adapt to this somewhat new and very different attack vector.

Many security vendors are focused on adapting current security technologies, such as signature-based file identification, artificial intelligence and application blacklisting, to build effective defensive lines. However, reality draws a less than satisfactory picture. 2016 saw between 20,000 and 50,000 ransomware infections per month, while criminals collected about US $209 million in the first quarter of the year. This year, infections per month are holding steady in that range, while Bitcoin payouts continue to climb.

Figure 1 - Ransomware reality statistics in 2016

Thousands of infected networks and countless headlines prove that the approach taken by traditional security controls and technologies is not effective and does not bring the infection numbers down. The current approach taken by many security controls and organizations is to treat ransomware as a type of malware. This approach leads us to look for malware patterns in ransomware – patterns that are not always there.

Ransomware does not need to manipulate operating systems nor modify sensitive configurations to encrypt files. Moreover, in some cases, legitimate services are harnessed to encrypt the system’s own files. For example, the CTB (Crypto-TOR-Bitcoin) ransomware family demonstrates how a supposedly legitimate service, svchost, can be used to encrypt the system files.

Figure 2 - The CTB ransomware execution flow

The ransomware injects itself into the svchost process, which then drops another payload that moves the files to a temp directory, encrypts them and moves them back to their original location.

Organizations protected by signature-based security controls will fail to identify this type of ransomware, as the signature of the dropper (the initial file infecting the endpoint) can be easily altered. Moreover, security controls based on behavioral analysis might also fail to identify and prevent such ransomware strains from running.

The ransomware attacks that recently infected and paralyzed a hospital and several large commercial organizations took legitimate disguises to the next level. Those ransomware strains, like NotPetya and WannaCry, took advantage of privileged accounts to take control of the endpoint, neutralize security controls, spread across the network and eventually encrypt the disk by modifying the MBR (Master Boot Record) and disk sectors. Privileged accounts allow this type of ransomware to disguise itself as a legitimate user, circumvent security controls and compromise the whole network. The recent NotPetya ransomware, which is considered a wiper as it damages the disk, demonstrates such an execution flow.

Figure 3 - NotPetya privileged execution flow

As soon as an endpoint is infected, the variant checks its current privileges and security integrity level (which reflects the current level of privileges of the process security token). If the process identifies that it runs with high integrity privileges, it then modifies the MBR to run a slim boot sequence that does not load the installed operating system. This prevents any security controls from loading and interfering with the encryption process.

The variant then schedules a restart after a randomized delay and uses that time to extract credentials from the current system and attempt to infect other systems across the network. The infection of other systems uses either the extracted credentials or an SMB vulnerability nicknamed EternalBlue – an NSA exploit of the SMB protocol leaked by the Shadow Brokers. This execution flow allowed NotPetya to bypass security and spread in fully patched environments by using credentials.
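The two execution flows described above (the CTB temp-directory shuffle under svchost, and the NotPetya raw disk write followed by a scheduled restart) leave traces in ordinary endpoint telemetry that a detection rule can key on even when the dropper's signature has changed. The following is an added example, not code from the original post or from CyberArk: it runs two simple rules over a constructed, Sysmon-like event list. The event schema, the file paths, the process images, the `\temp\` path marker and the thresholds are all assumptions made for the illustration.

```python
"""Detection rules for the CTB-style and NotPetya-style execution flows,
run over constructed endpoint telemetry (added example; not real data)."""
from collections import defaultdict

TEMP_MARKER = "\\temp\\"                          # assumption: temp dirs contain this
REBOOT_IMAGES = ("shutdown.exe", "schtasks.exe")  # assumption: how a restart gets scheduled
USER, SYS32 = r"C:\Users\bob", r"C:\Windows\System32"
TEMP = rf"{USER}\AppData\Local\Temp"


def rename(t, pid, src, dst):
    return {"t": t, "type": "file_rename", "pid": pid, "src": src, "dst": dst}


def write(t, pid, path):
    return {"t": t, "type": "file_write", "pid": pid, "path": path}


# --- Constructed sample telemetry; t is seconds since boot -------------------
EVENTS = [{"t": 1, "type": "process_create", "pid": 901, "ppid": 880,
           "image": rf"{SYS32}\svchost.exe", "parent_image": rf"{TEMP}\dropper.exe"}]
# CTB-style: the same process moves three user files into %TEMP%, writes
# (encrypts) them there and moves them back to the original location.
for i, name in enumerate(("q1.xlsx", "notes.docx", "photo.jpg")):
    t, doc, tmp = 2 + 3 * i, rf"{USER}\Documents\{name}", rf"{TEMP}\{i}.tmp"
    EVENTS += [rename(t, 901, doc, tmp), write(t + 1, 901, tmp), rename(t + 2, 901, tmp, doc)]
# Benign: an editor's autosave does a single round trip; stays below threshold.
EVENTS += [rename(20, 777, rf"{USER}\Documents\draft.docx", rf"{TEMP}\~draft.tmp"),
           write(21, 777, rf"{TEMP}\~draft.tmp"),
           rename(22, 777, rf"{TEMP}\~draft.tmp", rf"{USER}\Documents\draft.docx")]
# NotPetya-style: raw write to the physical drive (MBR), then a restart is scheduled.
EVENTS += [{"t": 30, "type": "raw_disk_write", "pid": 555, "image": rf"{TEMP}\stage2.exe",
            "device": r"\\.\PhysicalDrive0"},
           {"t": 31, "type": "process_create", "pid": 556, "ppid": 555,
            "image": rf"{SYS32}\shutdown.exe", "cmdline": "shutdown /r /t 600"}]


def detect_temp_shuffle(events, threshold=3, window=60):
    """Flag a pid that completes `threshold` move-to-temp / write / move-back
    round trips on distinct files within `window` seconds. Returns {pid: trips}."""
    pending = {}               # (pid, temp_path) -> [original_path, written?]
    trips = defaultdict(list)  # pid -> completion times of round trips
    for e in events:
        pid = e["pid"]
        if e["type"] == "file_rename" and TEMP_MARKER in e["dst"].lower():
            pending[(pid, e["dst"].lower())] = [e["src"].lower(), False]
        elif e["type"] == "file_write":
            rec = pending.get((pid, e["path"].lower()))
            if rec:
                rec[1] = True
        elif e["type"] == "file_rename" and TEMP_MARKER in e["src"].lower():
            rec = pending.pop((pid, e["src"].lower()), None)
            if rec and rec[1] and rec[0] == e["dst"].lower():
                trips[pid].append(e["t"])
    hits = {}
    for pid, times in trips.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[pid] = len(times)
                break
    return hits


def detect_mbr_tamper(events, allowlist=frozenset(), window=600):
    """Flag a raw physical-drive write by a non-allowlisted image (medium), and
    raise it to high when a child of that process schedules a restart soon after."""
    alerts, raw_writes = {}, {}
    for e in events:
        if e["type"] == "raw_disk_write" and e["image"].lower() not in allowlist:
            raw_writes[e["pid"]] = e["t"]
            alerts[e["pid"]] = "medium"
        elif e["type"] == "process_create" and e["image"].lower().endswith(REBOOT_IMAGES):
            parent = e.get("ppid")
            if parent in raw_writes and e["t"] - raw_writes[parent] <= window:
                alerts[parent] = "high"
    return alerts


if __name__ == "__main__":
    print("temp shuffle:", detect_temp_shuffle(EVENTS))   # {901: 3}
    print("MBR tamper:", detect_mbr_tamper(EVENTS))       # {555: 'high'}
```

Both rules look at what the process does rather than what it is, which is the point of the text: a re-signed or repacked dropper changes the hash but still has to shuffle files through a temp directory or write raw disk sectors to do its job. The benign single autosave round trip is deliberately included to show why a threshold and a time window are needed.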

To kill such execution flows used by recent ransomware, and to contain the damage done to the whole network once an unprotected/unpatched/insecure endpoint is infected, ransomware should be treated as a program. More specifically, it should be viewed as a program that should run with limited privileges, granted on the basis of application graylisting. Application graylisting differs from simple whitelisting or blacklisting based on a list of approved applications: it takes the circumstances into account, such as where the application came from (Internet, file share, locally created), the operation it intends to perform, the sensitivity of the local machine, the files associated with the application, and more.

Based on those parameters, the application is granted specific privileges that allow it to communicate with the Internet, modify files or read content from memory. Application graylisting, together with credential protection on the endpoint (protection of passwords in memory, the registry, browsers and more), produces a strong second line of defense and a ransomware kill chain. The first line of defense, anti-virus products and other traditional perimeter defenses, screens out opportunistic and known attack vectors. Any attack vectors and ransomware that do penetrate will then hit an environment with restricted privileges that limits the resources available to any untrusted application.
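To make the graylisting idea concrete, here is an added example of the decision logic described in the two paragraphs above; it is not CyberArk's product code and not from the original post. It contrasts a plain whitelist (run or block) with a graylist that grants each of the three privileges named in the text (Internet access, file modification, memory reads) according to origin, signature state and host sensitivity, and never grants raw disk writes on the gray path. The privilege names, the allow/deny lists, the sample applications and the hash placeholder are all constructed for the illustration.

```python
"""Application graylisting versus whitelisting (added example; the policy,
privilege names and sample applications are assumptions)."""
from dataclasses import dataclass

# Privileges a gray application may be granted (names are assumptions).
INTERNET, MODIFY_FILES, READ_MEMORY, RAW_DISK = "internet", "modify_files", "read_memory", "raw_disk"


@dataclass(frozen=True)
class AppContext:
    path: str
    origin: str              # "internet", "file_share", "local" or "installer"
    signed_by_trusted: bool  # assumed: valid signature chaining to a trusted publisher
    host_sensitivity: str    # "standard" or "high" (e.g. an admin workstation)
    requested: frozenset     # privileges the application is about to exercise
    sha256: str = ""         # constructed placeholder, not a real hash


# Constructed lists; a real deployment populates these from inventory and threat intel.
ALLOWLIST = {r"c:\program files\microsoft office\root\office16\winword.exe"}
DENYLIST_HASHES = {"PLACEHOLDER-KNOWN-BAD-SHA256"}


def whitelist_only(ctx):
    """Plain whitelisting, for contrast: anything not pre-approved cannot run at all."""
    return "allow" if ctx.path.lower() in ALLOWLIST else "deny"


def graylist(ctx):
    """Grant privileges according to circumstances instead of a binary run/block."""
    if ctx.sha256 in DENYLIST_HASHES:
        return {"verdict": "deny", "granted": frozenset(), "denied": ctx.requested}
    if ctx.path.lower() in ALLOWLIST and ctx.signed_by_trusted:
        return {"verdict": "allow", "granted": ctx.requested, "denied": frozenset()}
    granted = set()
    from_network = ctx.origin in ("internet", "file_share")
    # Internet access: withheld only from unsigned code on sensitive hosts.
    if ctx.signed_by_trusted or ctx.host_sensitivity != "high":
        granted.add(INTERNET)
    # Modifying user files (what encryption needs): withheld from unsigned
    # code that arrived over the network.
    if ctx.signed_by_trusted or not from_network:
        granted.add(MODIFY_FILES)
    # READ_MEMORY (credential scraping) and RAW_DISK (MBR/sector writes) are
    # never granted on the gray path; only allowlisted software gets them.
    granted = frozenset(granted) & ctx.requested
    denied = ctx.requested - granted
    return {"verdict": "allow" if not denied else "restricted",
            "granted": granted, "denied": denied}


# Constructed scenarios.
DROPPER = AppContext(r"C:\Users\bob\AppData\Local\Temp\invoice.exe", "internet", False,
                     "standard", frozenset({INTERNET, MODIFY_FILES, READ_MEMORY}))
WORD = AppContext(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                  "installer", True, "standard", frozenset({INTERNET, MODIFY_FILES}))
VENDOR_TOOL = AppContext(r"\\fileserver\tools\diag.exe", "file_share", True, "high",
                         frozenset({INTERNET, MODIFY_FILES}))
LOCAL_BUILD = AppContext(r"C:\Users\admin\build.exe", "local", False, "high",
                         frozenset({INTERNET, RAW_DISK}))

if __name__ == "__main__":
    for name, ctx in (("dropper", DROPPER), ("word", WORD),
                      ("vendor tool", VENDOR_TOOL), ("local build", LOCAL_BUILD)):
        print(f"{name:12} whitelist={whitelist_only(ctx):5} graylist={graylist(ctx)}")
```

The dropper still runs, but without the ability to modify user files or read process memory, so the encryption and credential-theft steps of the flows described earlier fail. The signed vendor tool from a file share, which a pure whitelist would block outright, gets exactly the privileges it asked for. The unsigned local build on a sensitive host is allowed to run but gets neither Internet access nor raw disk access, which is the "restricted environment" the text describes.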

Figure 4 - Ransomware kill chain

Ransomware, like other attack vectors, is evolving continuously. New ways to penetrate organizations, encrypt files, proliferate and even pay for and receive decryption keys are integrated into new ransomware types. For example, the ransomware nicknamed Rensenware started as a joke, but it illustrates the creativity and ever-evolving methods of attackers. The ransomware demands that the victim play an anime game called Undefined Fantastic Object and hit the 0.2 billion points mark before allowing the victim access to the decryption key.

Figure 5 - Undefined Fantastic Object anime game

This continuous innovation will make it extremely difficult for traditional security controls to identify and prevent ransomware infections of the local machine and the connected network. These new ransomware strains disguise themselves as legitimate programs to avoid anti-virus detection and to spread across secured and patched networks. So, regardless of whether you are an anime games fan, reinforcing the network with a second line of defense, based on application graylisting and credentials protection, could save you the anxiety of dealing with whatever new creatures and monsters stand in your way.
