Engin Kirda, the co-founder of Lastline Labs, took the floor at Black Hat USA to give a retrospective view of ransomware and analyze its present-day flaws.

Hi! Good afternoon everyone. Thanks for showing up. I have the pleasure of having the last session. Hopefully it’s not the curse of having the last session. So, briefly about my background. I’m a computer science professor at Northeastern University in Boston. I’ve been doing malware research for the last 10 years or so, and I have built some popular malware analysis systems like Anubis, EXPOSURE and Wepawet that some of you have maybe used in the past. And I’m also one of the co-founders of Lastline that does zero-day threat protection, so we work on malware. And Lastline Labs is actually our research arm. This work is partially based on a study that my Ph.D. student Amin Kharraz actually worked on and I published, with some co-authors, at a conference called DIMVA 2015 (see right-hand image). There’s a scientific paper that goes with this presentation. If you google for “Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks”, Google is going to spit out the PDF, and if you are interested in the technical details I would refer you to that paper. There’s definitely more information there. I have a short session, that’s why it’s going to be a short talk.
So some key takeaways from this presentation. The majority of ransomware actually launches relatively straightforward attack payloads. When I say that most ransomware isn’t complex, some people are going to find that provocative. They are going to say “No, but ransomware is malware, you know, they do all these things, they are actually complex.” So we are going to look at some examples, we are going to look at the big picture, and my aim is to set the problem in perspective to show you that not all of them actually are as complex.

In many cases, we are actually seeing relatively straightforward attacks (see right-hand image), and I think there is hope. We should be able to do things to actually detect some of these attacks more efficiently. These are things like using bad cryptography, or the use of standard cryptography libraries, which is something that we might actually use to detect ransomware. Or sometimes files are deleted but they are not wiped off disk, right? So you might actually have the chance to recover the data. Not all ransomware is actually equal.
Compared to other types of malware, ransomware actually has very distinct, predictable behavior. We are going to go through some examples. Ransomware is a specific type of malware, but it does things that are quite unique to ransomware. These are things like ransom notes with background activity, background noise; changes in the entropy of files – when things are being encrypted the entropy of files changes; iteration over large numbers of files. So these are typically things you might not see in other malware or in benign software. Hopefully we should be able to use these things to detect ransomware more effectively.

So what are we going to discuss? Well, the significance of the ransomware threat (see right-hand image). Definitely, it is a threat. I’m not saying that it’s not a threat. But not all threats are very complicated, although they might be successful. We are going to look at the complexity and sophistication of attacks. So what do you mean by complexity? And why do most people, when they hear of ransomware, think it’s actually very complex? What are the attack mechanisms we actually see out there if you look at ransomware at a large scale?
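The two behavioral signals named above, a jump in file entropy on rewrite and iteration over many files by a single process, can be turned into a simple host-side detector. The following is an added illustration, not code from the talk, the DIMVA paper, or Lastline: it models file-write events as a constructed list (the `WriteEvent` class, the pids 4242/100/200 and the paths are all assumptions), computes Shannon entropy before and after each write, and alerts only when one process pushes several files from low to near-maximal entropy. The threshold on the file count is what keeps a legitimate archiver or compressor, which also produces high-entropy output, from tripping the alert.

```python
import math
import random
from collections import Counter
from dataclasses import dataclass

ENTROPY_JUMP = 2.0    # bits/byte increase on rewrite that counts as suspicious
HIGH_ENTROPY = 7.0    # near the 8.0 maximum; typical of encrypted or compressed data
FILE_THRESHOLD = 5    # files one process may rewrite this way before we alert


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class WriteEvent:
    """Hypothetical file-write telemetry: process id, path, content before/after."""
    pid: int
    path: str
    before: bytes
    after: bytes


def is_suspicious_write(ev: WriteEvent) -> bool:
    """Low-entropy content replaced by high-entropy content looks like encryption."""
    e_before = shannon_entropy(ev.before)
    e_after = shannon_entropy(ev.after)
    return e_after >= HIGH_ENTROPY and (e_after - e_before) >= ENTROPY_JUMP


def detect(events: list) -> list:
    """Return pids that rewrote at least FILE_THRESHOLD distinct files suspiciously.

    A single high-entropy write (zip, image export) is not enough; the alert
    needs the iteration-over-many-files pattern as well.
    """
    touched: dict = {}      # pid -> set of paths rewritten with an entropy jump
    alerts: list = []
    for ev in events:
        if not is_suspicious_write(ev):
            continue
        paths = touched.setdefault(ev.pid, set())
        paths.add(ev.path)
        if len(paths) == FILE_THRESHOLD:   # fire once, when the threshold is crossed
            alerts.append(ev.pid)
    return alerts


def build_sample_events() -> list:
    """Constructed sample: pid 4242 behaves like ransomware (six documents
    rewritten with random bytes), pid 100 is a text editor saving more text,
    pid 200 is an archiver writing a single high-entropy archive."""
    rng = random.Random(1234)   # seeded so the sample is reproducible
    plaintext = ("The quick brown fox jumps over the lazy dog. " * 50).encode()

    def ciphertext_like(n: int) -> bytes:
        # Stand-in for encrypted output: uniformly random bytes
        return bytes(rng.getrandbits(8) for _ in range(n))

    events = []
    for i in range(6):
        events.append(WriteEvent(4242, f"C:/Users/alice/Documents/report{i}.docx",
                                 plaintext, ciphertext_like(len(plaintext))))
    events.append(WriteEvent(100, "C:/Users/alice/notes.txt",
                             plaintext, plaintext + b" Added one more sentence."))
    events.append(WriteEvent(200, "C:/Users/alice/backup.zip", b"", ciphertext_like(4096)))
    return events


if __name__ == "__main__":
    for ev in build_sample_events():
        print(f"pid={ev.pid:5d} {ev.path:45s} "
              f"{shannon_entropy(ev.before):.2f} -> {shannon_entropy(ev.after):.2f} "
              f"{'SUSPICIOUS' if is_suspicious_write(ev) else 'ok'}")
    print("alert pids:", detect(build_sample_events()))
```

Running the block prints one line per write and then `alert pids: [4242]`: the editor's save stays low-entropy and is ignored, the archiver's single write is individually suspicious but never reaches the file-count threshold, and only the process that rewrote many documents is reported.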
And what are the main ransomware weaknesses? They do certain things, but can we actually use these weaknesses to be able to detect ransomware more effectively? Can we develop technologies that actually use these weaknesses to detect ransomware? And also I’ll be talking about better mitigation, so my aim is to hopefully close Black Hat with a positive message. Not all is lost, and we should be able to do a better job of at least detecting things like ransomware.

Just to recap so that everybody knows ransomware (see right-hand image). What are the typical behaviors that we see in a typical ransomware attack? Well, of course, the victim machine would be compromised, then the ransomware would be installed. Once the attack payload is executed – if there is an attack payload – the ransomware would inform the victim of the attack. Compared to other types of malware, this is actually quite distinct behavior. Something bad happens to you, you get infected, and the ransomware actually tells you that you have been infected, right? You don’t always have this luxury in other types of malware. Ransomware actually tells you that you’ve been infected.
The victim would need to pay up, of course, otherwise the data would be kept hostage or it would be destroyed. Any malware that actually fits this category today we actually say is ransomware. And you’ve been reading a lot in media about this, because we’ve been seeing ransomware and people are being attacked.

Classic ransom notes would be something like that (see right-hand image). It is social engineering, of course. It looks like it’s coming from the NSA, FBI and all these organizations. At the same time, it’s also the PRISM system, right? And the attackers are social engineering the victim into believing that the victim has been caught hosting illegal content. And they say if you don’t pay up you are going to be arrested, the government is going to come after you. And many people, especially end users, are technically not sophisticated and they fall for these scams.
One interesting signal is that there have been cases where the bad guys, who are actually hosting illegal content, fell for these social engineering scams and they gave themselves up, they went to the police. Maybe that’s one good thing that ransomware has done once in a million years.

Here’s another example (see right-hand image). Again, these all look quite similar: “Your computer has been locked!” It’s supposedly from the FBI. You have to pay up in three days otherwise you are going to be arrested. And many people actually fall for these things, and that’s why ransomware is effective. But it’s not too different from other types of malware that you see, for example fake AV, where you think that you’re buying an AV product but it’s actually a fake AV product.