The evolution of ransomware code and behavior, from the first such scams up to the present day, is what Engin Kirda covers in this part of his talk.

So how has ransomware evolved over the years? Well, the ransomware concept actually dates back to the end of the 80s – the beginning of the 90s, right? People came up with this idea. It has been around for a long time, but it has been rediscovered. Clearly, ransomware attacks have actually increased in numbers over the last five years. We’ve been seeing more and more of ransomware. Some of them are more sophisticated than easier variants. Damages are being reported. And it’s interesting, people like this idea of encryption, deletion, especially encryption – it’s magical. That’s why there are many reports, and a typical end user thinks that ransomware is a very-very complicated thing.
Also, this is fueled by many security reports that talk about the sophistication and the complexity of individual attacks. Some reports might say “We just saw this example, this sample does encryption in a very-very good way, and we cannot recover the data because the encryption is sound.” Reports like that create the general impression in the public that we are faced with a new threat that is very difficult or that’s impossible to prevent. Because if the information has been encrypted in a very-very good way, then we cannot decrypt it if we don’t have the key.

There is truth in that. Some attacks are effective, even simple ones are effective. Here is an announcement from the FBI (see right-hand image) that actually reports that many people were victims of Cryptowall, many people ended up actually paying money to Cryptowall, and $18 million were lost (see left-hand image). So there is damage, right? But the question then is, if you look at the code, if you analyze the attack, how much sophistication are we actually seeing there? Is this another type of Stuxnet, or are we dealing with common behaviors that you also see in other malware? Is ransomware a lot different than other types of malware that we see out there?

Not only end users, of course, are victims of such attacks. Organizations generally are well protected, so a typical company is not going to be scared of ransomware, because they are going to have good backup policies hopefully, or they are going to have systems that are more effective against malware. But there are smaller organizations. This (see right-hand image) is an example from a small town in Massachusetts, where the police ended up paying the ransom because their machines were attacked and they could not recover the data. But why is that happening? Is it happening because the ransomware is very complicated? Or is it happening because the organization was ill-prepared and didn’t have the right defenses or the right security policies?
So in this case, yes, ransomware attacked them, but any other type of malware could have also attacked them.
Evasion, of course, is not something that you only see in ransomware. You also see it in other types of malware, so it’s actually common behavior, right? It’s not unique to ransomware. So we look at things like stalling against the analysis environment or self-modifying code that adapts itself. In this work we are actually looking at the sophistication of the attack after compromise. So we are going to look at what ransomware actually does, if we look at the big picture. Of course there are samples that do more nasty things than others, but how complicated are they and how complex are these attacks? And then you can make up your mind about it.

To be able to do this, we collected some samples, we took a historical look at ransomware (see right-hand image). We looked at samples from 2006 to 2014. We looked at more than 1300 samples from 15 families, including modern families like Cryptolocker and Cryptowall. We did this by crawling the web, looking at public repositories, getting some data from Lastline as well. And we analyzed these files and tried to gain some insight into what we saw in the past and what we are actually seeing today. We did automated dynamic analysis for all the samples (see left-hand image). In some cases, after running a sample and if there were issues, if we thought it was necessary we did manual analysis too.

So one challenge here is, if you are looking at any malware sample, how do you actually know that it belongs to that family? How do you know it’s Cryptolocker or Cryptowall, etc.? So our methodology was that we cross-checked with VirusTotal, and if three or more scanners actually agreed on the sample and gave it the same name, we said, okay, this looks like a sample from Cryptolocker, Cryptowall, etc. So we created a labeled data set. And all the samples we actually looked at showed some ransomware behavior.
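The "three or more scanners agree" labeling rule described above, as an added illustration that is not the speakers' own tooling: it takes per-engine detection strings in the shape a VirusTotal report exposes, extracts known family tokens from each, and assigns a family only when the agreement threshold is met. The engine names, detection strings and the family list are constructed for the example.

```python
import re
from collections import Counter

# Family names this example recognises (constructed subset; the study used 15 families).
KNOWN_FAMILIES = {"cryptolocker", "cryptowall"}

# Constructed per-engine detections for one sample (engine -> detection string or None).
# Vendors name the same family differently, so a token match is needed before counting.
SAMPLE_SCANS = {
    "EngineA": "Trojan.Ransom.CryptoWall",
    "EngineB": "Win32/Filecoder.CryptoWall.gen",
    "EngineC": "Ransom:Win32/Generic",         # generic label carries no family vote
    "EngineD": "Trojan-Ransom.Win32.Cryptowall",
    "EngineE": None,                           # engine reported no detection
}


def families_in_label(label, known=KNOWN_FAMILIES):
    """Return the known family names present as tokens in one detection string."""
    if not label:
        return set()
    tokens = re.split(r"[^A-Za-z0-9]+", label.lower())
    return {t for t in tokens if t in known}


def consensus_family(scans, min_agree=3, known=KNOWN_FAMILIES):
    """Label a sample with a family only if at least min_agree engines name it.

    Returns the family name, or None when no family reaches the threshold,
    in which case the sample stays unlabeled rather than being guessed.
    """
    votes = Counter()
    for label in scans.values():
        for fam in families_in_label(label, known):
            votes[fam] += 1  # one vote per engine per family it names
    if not votes:
        return None
    fam, count = votes.most_common(1)[0]
    return fam if count >= min_agree else None


if __name__ == "__main__":
    print(consensus_family(SAMPLE_SCANS))  # cryptowall (3 engines agree)
```

Raising `min_agree` trades coverage for label confidence; samples that fall below the threshold are better left out of a labeled set than mislabeled.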