Ransomware Digital Extortion: A Rising New Age Threat

Indian Journal of Science and Technology, Vol 9(14), DOI: 10.17485/ijst/2016/v9i14/82936, April 2016

ISSN (Print) : 0974-6846 ISSN (Online) : 0974-5645

Akashdeep Bhardwaj1*, Vinay Avasthi1, Hanumat Sastry1 and G. V. B. Subrahmanyam2

1 UPES, Dehradun - 248007, Uttarakhand, India; [email protected]
2 Tech Mahindra, Hyderabad, Andhra Pradesh, India

*Author for correspondence

Abstract

Imagine what would happen if you were stopped from accessing your own files or your own computer system. Now imagine further that, to get back the access, someone demanded a ransom amount from you. Globally, an increasing number of social interactions and financial transactions involve a few critical aspects: digital data, a computing device and the internet. This is the area where Ransomware has spread and become a major concern as digital extortion, a new age threat vector to corporates and end users alike. This paper presents the various ways and methods adopted by cyber criminals using Ransomware and presents an anti-malware detection system.

Background/Objectives: The impact of Ransomware has caused immense damage to end users and corporates alike. Access to authorized data being blocked and released only after the ransom demand has been met is a new age digital extortion, which has emerged as a viable option for cyber-attacks on user systems, mobiles and handhelds.

Methods/Statistical Analysis: The authors reviewed existing Crypto and Locker ransomware, studying their propagation, attack techniques and new emerging threat vectors such as file Encryption Ransomware, Screen Lock Ransomware, Windows & Browser Lock, Pop-up Advertisements and URL Redirection. The authors also designed and tested a cloud based malware detection system, performing a comparative evaluation with and without the proposed anti-malware solution. The solution is built as sandboxes, so that even if the environment got compromised, it could easily be decommissioned and rebuilt from fresh, clean virtual snapshots. The system comprised three virtual environments running services for Malware Behavioral Analysis, Malware Code Analysis and Malware Reporting, with open source and commercial tools used in each. The Malware Behavioral environment analyzes malware before and after receiving malware payload files and logs from infected user devices. Malware Code Analysis gathers assembly code and memory dumps from memory and analyzes the malware payload instructions. The Reporting environment proactively analyzes Web URLs for malicious sites hosting malware code or payloads and also checks the user systems and devices using before and after analysis logs.

Findings: Compared to standard antivirus scanners that rely on signatures, the proposed malware detection and alerting process has better malware mitigation results and advantages. The anti-malware scanning security, apart from being a cloud service with the secure scanners operating from cloud platforms, displays a high level of resilience. Being a cloud application, it has the standard cloud advantages of being an elastic, scalable, pay-as-you-use, user driven cloud model. This model can also help in saving costs by promoting the BYOD concept.

Application/Improvements: The anti-malware cloud model can be modified to offer specific payload blocking for different customers, even as other customers of that very application program are able to access them and benefit from the experience of the infected customers. This model can be scaled up dynamically as required.

Keywords: Bitcoin, Crypto, Extortion, Locker, Malware, Ransomware

1.  Introduction

With the rise of the internet and the increasing use of personal computing devices and mobiles, cyber-criminal activities impacting end users through digital extortion on a scale never seen before have become a common sight. Ransomware is defined as digital extortion conducted by using malware, having malicious code that infects the system using different infection vectors ranging from browser exploits, freeware apps and email attachments to advertisements offering cash and incentives to lure innocent victims. The process followed by cyber-criminals is to have the user download the malware payload, which injects malicious code into the end user computer or mobile. It then gets installed in a random location as an executable application hidden from the device owner. When executed, this code takes over the end user device, preventing access in various forms such as blocking or encrypting the computer system and data which would have been available in a normal environment. The code is capable of stopping critical applications, disabling the physical input devices or hampering their working, or simply encrypting data and files. Ransomware involves the use of various scare tactics, such as getting the end user either to pay an amount as ransom in the form of Bitcoins or to be forced to enter credentials in surveys before having the end user system and data released. Recent ransomware malware is known to have a high capability built in, being able to run 64-bit code from a 32-bit dropper or to switch the execution context of the processor from 64 to 32 bit and vice versa on 64-bit Windows or Linux environments. There are two main variants of Ransomware malware: the most common is Crypto Ransomware, which encrypts files and data, and the other common version is Locker Ransomware, which performs a lock down of end user systems, their applications or even the input devices, all with the aim of preventing the victim end user from performing normal operations.

• Ransomware - Crypto: is a file and data locker malware1 which, after being injected into end user systems, executes silently searching for user data and files. The infected systems however continue to work as usual, since the critical operating system files and application related files are not targeted, so the end user system’s functionality is not impacted in any way that may raise suspicion. The malware then encrypts the end user data and files, making them unusable for the owner, and demands a ransom. This forces the end user to pay up to obtain the decryption key. Crypto ransomware or Data lockers are designed to search for end user files and data with extensions such as FLV, PDF, RTF, MP3, MP4, PPT, CPP, ASM, CHM, TXT, DOC, XLS, JPG, CGI, KEY, MDB and PGP.2

Figure 1.  Crypto Ransomware.

• Ransomware - Locker: impacts computing devices such as end user computer systems, mobile devices or input interface devices like the keyboard and mouse by locking them and denying access to the device owner. The malware flashes a page on the screen and allows only limited functionality, such as moving the mouse or keeping the numeric keyboard keys enabled so that the victim is able to input the ransom amount, then prompts the victim to pay the ransom before restoring normal access. This malware keeps the system and files untouched and can be removed to restore a system to its original state relatively easily compared to the data locker malware.

2.  Ransomware Propagation

Ransomware infection spreads by several methods2, some of which are described as follows.

• Traffic Redirection is performed by redirecting the user to the attacker’s server or by luring the end user with malicious advertisements offering free upgrades or downloadable games. These sites actually host malware and exploits in the applications that are unknowingly downloaded by the users, with the malicious payload installing itself on the user’s system and exploiting vulnerabilities in the user operating system and files.

• Email attachment is another method employed to trap users into opening mail attachments or clicking on links to web portals hosting malware. The emails are designed to appear to come from friends or legitimate authorities, ranging from bills for electricity, insurance, tax and legal notifications to job offers. The malware first infects the user system, then takes control of the user’s Outlook address and phone book.

Figure 2.  Locker Ransomware.

Figure 3.  Spam Email containing CHM file as a RAR Payload.

• Botnets and Social Engineering methods are employed by first entering user systems by way of free applications and, as a second step, downloading the malware payload. These free apps come in forms such as free software games or tools which, if scanned, do not contain any malware but have code built in to download the malware.

• Ransomware as a Service is being offered by cyber criminals to perform malware attacks on payment for profits, running ransomware attacks in the form of a corporate mafia business from the cloud as a service.

3.  Related work

3.1  Malware Solutions Reviewed

The authors reviewed existing solutions6 for online malware detection, blocking and removal. Some of the existing antimalware detection and blocking options offered by antivirus and cloud security companies are as follows.

• Dynamic Analysis – automated analysis of suspicious files, which are scanned and analyzed for unique fingerprints and signatures or impact using tools. Reports are produced at the end of the analysis with information such as registry keys used by the malware, configuration changes made, and device, file or network activity trends. However, an automated scan does not necessarily provide detailed insight. These are signature based scans comparing and matching against a database of known malware.

• Static Analysis – manual analysis taking a deep dive into the malicious file’s activities, looking at file headers, embedded resources, payload, hashes, signature and metadata among a host of other properties. Heuristic scans are done here that do not need signature analysis. Rules, algorithms or commands which point to its malicious properties are evaluated to detect the malware.

• Cloud Services – using IaaS to build a virtualized environment, record and analyze the behavior of malicious files and predict the next action or occurrence event. This is real-time protection, and systems are updated several times a day to mitigate zero-day attack vectors. The system integrates with antivirus engines using a lightweight agent running on user devices (laptop, desktop, mobiles) to monitor any deviation or new files on the user devices.

3.2  Threat Vectors Identified

For monitoring Ransomware, the below mentioned threat vector end points are selected:

• Host file: any changes or modification to this file on the client handheld or user system
• Auto-creation of any file or executables in user folders on the system or network storage
• Sending emails above a threshold from a user Outlook or email client in a short duration
• Changes in registry keys of the user system

4.  Malware Solution Proposed

The authors set up the Malware Detection as a Service (MDaaS) system to provide malware detection, malware analysis and reporting services7. For detection, how the malware runs, executing the payload and making changes in user systems and files, is taken into account. Hence the authors performed the tests on isolated system environments. In this solution, three environments are implemented, having virtual machines with malware tools.

Figure 4.  Malware Detection Environments.

Figure 5.  Malware Detection Environments (Malware Behavior Analysis Environment, Malware Code Analysis Environment, Malware URL Reporting Environment).

A user device snapshot is taken to determine any changes to OS, Registry, processes or files, and a lightweight agent is installed that constantly pushes user system and device snapshots and status logs to the MDaaS Monitoring servers. This agent is capable of sending the malicious file from the user devices to the test bed environment for analysis, detection and blocking. The servers are commissioned and decommissioned each time a new malware analysis is completed. This is done to avoid any chance of the malware’s polymorphic features coming into action and potentially infecting the analysis servers, leaking data or payload to other systems, contacting the attacker for new actions to perform, or even upgrading themselves. The malware detection service environments are implemented using virtual machines running VMware Servers with Windows 2008 Server hosts in three lab environments.

4.1  Environment Setup

4.1.1  Malware Behavior Analysis Environment

The first environment is configured for Malware Behavior Analysis, with server snapshots taken before and after receiving malware payload files and logs from user devices that may have got infected. Infrastructure and tools implemented:

• Process Monitor with ProcDOT tool – to determine the manner in which the malware starts to infect and the way in which the processes then interact with the system, infecting OS, files and registry.
• Wireshark sniffer for network bandwidth monitoring and observing the malware payload’s attempts to contact the attacker, DNS or other external sources (P2P servers) for engaging bot traffic and trying to download the payload binaries or JavaScripts.
• Process Explorer and Process Hacker tools to observe malware behavior processes such as opening of new ports and contacting attacker IP addresses.
• Lightweight agent combined with the Regshot tool to take user system and device snapshots for before and after state comparison.
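The before/after snapshot comparison described for the Behavior Analysis environment, evaluated against the four threat vectors of Section 3.2, as an added example that is not the paper's MDaaS code. The snapshot layout (path to content hash, registry value to data), the mail-event format, the thresholds and every sample value are assumptions constructed for illustration.

```python
"""Before/after snapshot check for the Section 3.2 threat vectors. Added example,
not the paper's MDaaS code; layout, thresholds and sample values are constructed."""
import hashlib
from collections import defaultdict

def H(data): return hashlib.sha256(data).hexdigest()       # content hash of a file
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
USER_DIRS = ("C:\\Users\\", "\\\\fileserver\\home\\")      # local and network storage
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
EXE_EXT = (".exe", ".dll", ".scr", ".js", ".vbs")

# Constructed "before" and "after" snapshots as the lightweight agent might push
# them: file path -> content hash, and registry value name -> data.
BEFORE = {
    "files": {HOSTS: H(b"127.0.0.1 localhost\n"),
              r"C:\Users\alice\Documents\report.doc": H(b"doc")},
    "registry": {RUN_KEY + r"\OneDrive": r"C:\Users\alice\OneDrive.exe"},
}
AFTER = {
    "files": {HOSTS: H(b"127.0.0.1 localhost\n0.0.0.0 av-update.example\n"),
              r"C:\Users\alice\Documents\report.doc": H(b"doc"),
              r"C:\Users\alice\AppData\Roaming\x7f3k.exe": H(b"MZ..."),
              r"\\fileserver\home\alice\invoice.exe": H(b"MZ...")},
    "registry": {RUN_KEY + r"\OneDrive": r"C:\Users\alice\OneDrive.exe",
                 RUN_KEY + r"\x7f3k": r"C:\Users\alice\AppData\Roaming\x7f3k.exe"},
}
# Constructed mail-client send events: (epoch seconds, sending user).
MAIL_EVENTS = [(1000 + 3 * i, "alice") for i in range(40)] + [(1000, "bob")]

def compare_snapshots(before, after):
    """Findings for the hosts-file, new-executable and registry-key vectors."""
    findings = []
    b_files, a_files = before["files"], after["files"]
    if a_files.get(HOSTS) != b_files.get(HOSTS):
        findings.append(("hosts_modified", HOSTS))
    for path in sorted(set(a_files) - set(b_files)):       # auto-created files
        if path.startswith(USER_DIRS) and path.lower().endswith(EXE_EXT):
            findings.append(("new_user_executable", path))
    b_reg, a_reg = before["registry"], after["registry"]
    for key in sorted(set(a_reg) | set(b_reg)):
        if a_reg.get(key) != b_reg.get(key):               # added, changed or removed
            findings.append(("registry_changed", key))
    return findings

def mail_burst(events, threshold=25, window=120):
    """Users sending more than `threshold` mails inside any `window` seconds."""
    per_user = defaultdict(list)
    for ts, user in events:
        per_user[user].append(ts)
    flagged = []
    for user, times in sorted(per_user.items()):
        times.sort()
        start = 0
        for end, ts in enumerate(times):                    # sliding window
            while ts - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.append(user)
                break
    return flagged
```

Running `compare_snapshots(BEFORE, AFTER)` on the constructed data flags the modified hosts file, the two new executables under user and network-share folders and the added Run key, while `mail_burst(MAIL_EVENTS)` flags only the user whose 40 sends fall inside a two-minute window.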

4.1.2  Malware Code Analysis Environment

The second environment is set up with Malware Code Analysis tools analyzing instructions in their assembly code and memory dumps from memory. Infrastructure and tools implemented:

• IDA Pro tool used as a disassembler to parse Windows OS executable files
• Scylla, a memory dump tool used to obtain code from system memory. This is a novel way of code analysis, since executable payload instructions are mostly encoded, getting extracted in RAM only during execution time.

4.1.3  Malware Reporting Environment

This environment acts as the reporting system for the Internet, proactively analyzing Web URLs for sites hosting malware code or payloads. It also checked the user systems and devices, taking snapshots for before and after analysis. Infrastructure and tools implemented:

• MalWr and Threat Expert tools used to perform automated behavior analysis of payload executables.
• WebInspector MxToolKit for real time threat assessment and reputation of Web URLs hosting suspected malware payloads and codes.
• Process Monitor with ProcDOT – analyze how processes read, write, update or delete registry entries. This helped the authors ascertain the manner in which malware attempts its actions and begins the attack.
• File system and Registry analysis, collecting the user data and checking for malware. Here the dynamic analysis method was performed to observe the malicious code behavior.

5.  Results Obtained

The before and after results of implementing the proposed Malware Detection as a Service (MDaaS) are depicted in the figure below. From the results we can clearly note that the after results prove to be much more effective in detecting malware attacks, even as the MDaaS offers its own advantages over existing anti-virus and malware systems. The cloud based malware scanner system has advantages when compared to the standard signature based scanning systems used by corporates and most home users.

• Malware scanning is offered in the form of a cloud service that has the inherent advantage of using pay-as-you-use services running over virtual platforms over the internet, with global reach anywhere remotely, and not having to worry about any in-house breach over the local network infecting users and IT servers alike.
• Cloud Infrastructure offers the advantage of not being limited by hardware or computing power, thus ensuring a highly scalable setup. This type of infrastructure related setup helps provide antimalware services when required over periods of time, indexing and analyzing huge malware databases and malware logs.
• The service can be further made customizable for the end users by providing them the ability to upload and update logs/executables or even grab an image of the infected systems. The geek users can be offered a virtual test bed to perform their own lab analysis.
• Another advantage of this system is the ability to inform each user as soon as a new malicious payload is detected, so that each benefits from the experience of others.

Figure 6.  Malware as a Service - Before and After Results.

6.  Conclusion

The global impact of malware has shown it to be a serious threat to user systems in terms of pilfering personal and private information and locking and disabling user systems. In this paper, the authors investigated whether malware can be detected using a cloud based setup against Ransomware and whether it can be better than the existing signature based anti-virus and scanners. The results indicate the proposed system works well. Malware detection over the cloud is a good area for future research work, which can take the concept of malware detection as a service and build malware detectors that are invisible to the operating system, in the form of bare metal between the hardware and OS. That way any new malware can be easily detected and mitigated. However, with the current state of affairs, Ransomware has been stealing a march on the detection systems and innocent victims continue to be impacted by ransomware digital extortion.

7.  References

1. Repository of Malware Samples, 2015.
2. VX Vault online repository of malware attack samples, 2015.
3. Malware Tips Your Security Advisor Forums, 2015.
4. Malware Black List - Online Repository of Malicious URLs, 2015.
5. Police ransomware threat assessment, Public Information, 2015.
6. Jain A. Ransomware: Next-Generation Fake Antivirus. Sophos Technical Papers, 2015.
7. Bayer U, Kruegel C, Kirda E. A Tool for Analyzing Malware. European Institute for Computer Antivirus Research Annual Conference, 2006.
8. BLOCKCHAIN.INFO Bitcoin Block Explorer, 2015.
9. Hershkop B, Keromytis S. Baiting inside attackers using decoy documents. Springer, 2009.
10. CISCO. Ransomware on Steroids: Cryptowall 2.0, 2015.
11. Fergal M. An analysis of anonymity in the bitcoin system. In Security and Privacy in Social Networks, 2012.
12. Gazet A. Comparative analysis of various ransomware. Journal in Computer Virology, 2010.
13. KREBSON. Inside a Reveton Ransomware Operation, 2012.
14. Microsoft TechNet. Windows SysInternals Process Monitor 3.2.
