1 / 35

Rick Stroud CSCE 813 26 August 2016

CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data by Scaife , Carter, Traynor , & Butler. Rick Stroud CSCE 813 26 August 2016. Agenda. Introduction & Format Context – Historical & Present Proposed Contributions of CryptoDrop Methodology Results Conclusion.

prestono
Download Presentation

Rick Stroud CSCE 813 26 August 2016

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CryptoLock (and Drop It):Stopping Ransomware Attacks on User Databy Scaife, Carter, Traynor, & Butler Rick Stroud CSCE 813 26 August 2016

  2. Agenda Introduction & Format Context – Historical & Present Proposed Contributions of CryptoDrop Methodology Results Conclusion

  3. Introduction & Format • Rick Stroud • Apogee Student in the Cyber Certificate Program • I work for National Cash Register (NCR), maker of ATMs • I will have some questions for you during the presentation

  4. Q) What do these all have in common? King Richard the Lionhearted

  5. Q) What do these all have in common? King Richard the Lionhearted The Lindbergh Baby

  6. Q) What do these all have in common? King Richard the Lionhearted The Lindbergh Baby The painting “The Scream”

  7. Q) What do these all have in common? King Richard the Lionhearted The Lindbergh Baby The Painting “The Scream” Charlie Chaplin’s Corpse

  8. A) All Were Held for Ransom • In 1193, while returning from the Crusades, King Richard held captive1 • Released when 100,000 pounds of silver was paid, 3x the income of all England • In 1932, the child of aviator Charles Lindbergh was kidnapped2 • Ransom was paid but the body of the child was found dead • In 1994, the painting by Edvard Munch, The Scream was stolen3 • Thieves demanded $1 million, gallery refused, painting recovered in a police sting • Painting re-stolen in 2004 • In 1978, Chaplin's grave was robbed and coffin taken4 • Widow refused to pay, said Chaplin would have laughed at the events • Corpse was later found lying in a cornfield

  9. Ransom is not new • Ransom is as old as mankind • Follows a familiar format of taking something of value or irreplaceable • Threaten to deny access or destroy the item • No guarantees in a ransom situation • Sometimes you pay & get item returned • Sometimes you pay & item not returned • Sometimes you don’t pay and item lost

  10. What is Ransomware? Resources, such as files, are made unavailable to the rightful owner Typically this is done by encrypting the files and removing the originals To decrypt the files a ransom must be paid The promise is upon payment the decryption key is provided This greatly extends the reach, speed, & breadth of ransom

  11. Ransomware Example

  12. Ransomware Today - Hospitals • February 2016, Los Angeles - Hollywood Presbyterian Hospital medical records system held hostage via ransomware6 • Demands 40 Bitcoins worth approximately $17,000 • March 2016, Henderson Kentucky - Methodist Hospital attacked7 • Demands 4 BitCoins, approximately $1,700 • May 2016, Wichita – Kansas Heart Hospital8 • Demanded an undisclosed amount

  13. CryptoDrop - Contributions Develop an early-warning system for Ransomware Identify 3 primary indicators to detect malicious file changes Perform extensive analysis of encrypting ransomware to date Not all contributions are of equal value. We will address 2, then 3, then 1.

  14. Methodology – Look for Effect • Most malware & IDS detect signatures • Known bad file & process names • Performing known bad activities, e.g. CPU usage, process spawning, etc. • CryptoDrop instead looks for results of typical ransomware activities • Files being encrypted, renamed, or deleted • Not intended to prevent all file loss but instead to mitigate loss • Designed to be effective when 1st line of defense fails and ransomware installs & starts to execute

  15. Question • Q) If CryptoDrop is not designed to prevent the initial infection and all file loss, aren’t some files going to be lost? • A) Yes, potentially. Let’s see how many files are lost. • Remember existing defenses are designed to prevent infection but are an all-or-nothing bet. • CryptoDrop provides a 2nd layer of defense to mitigate losses.

  16. Similarities in Ransonware “The signature behavior of ransomware is its encryption of the victim’s data. Ransomware mustread the original data, write encrypted data, and remove the original data to complete this transformation.” Detecting calls to encryption libraries alone is not sufficient as many variants implement their own versions of these algorithms. The specific activities that ransomware performs can be refined into three classes

  17. 3 Classes of Ransomware Class A – Overwrite Files In Place- Overwrites the contents of the original file by opening the file, reading its contents, writing the encrypted contents in-place, then closing the file. It may optionally rename the file. Class B – Moves Files- Extends Class A, with the addition that the malware moves the file out of the user’s documents directory (e.g., into a temporary directory). It then reads the contents, writes the encrypted contents, then moves the file back to the user’s directory. Class C – Creates New File- Reads the original file, then creates a new, independent file containing the encrypted contents and deletes or overwrites (via a move) the original file. This class uses two independent access streams to read and write the data.

  18. Files going from Usable to Unusable • Indicator 1 – File Type Changes • Indicator 2 – Similarity Measurement • Range 0 to 100 • Indicator 3 – Shannon Entropy • Range 0 to 8

  19. Indicator 1 – File Type Changes • Files contain internal markers or structure indicating their type • E.g. indicating “Word 2007”, “PDF”, or simply “UTF-8” • Alone, single file type change is not necessarily malicious • When file types are changed on a large scale, this indicates a possible ransomware attack • Uses the File utility, which comes with hundreds of built in file type definitions

  20. Indicator 2 – Similarity Measurement • Typically, a file before-saving & after-saving has changed very little • One reason for this is due to auto-save features of many programs • A type of hash exists called a Similarity Digest or Fuzzy Hashing, that preserves some information about the underlying document • Replacing a file’s content with ciphertext is entirely different from the original content and is indicative of a ransomware attack • Using SDHash, a hash score of 100 (similar) to 0 (dissimilar) can be computed

  21. Indicator 3 - Shannon Entropy Score • Encrypted files have Entropy Scores that approach the upper limit of 8 • In cipher text each next byte has a uniform probability of occurring • That is, there is no predictability or pattern in the ciphertext Example: https://www.youtube.com/watch?v=R4OlXb9aTvQ

  22. Union & Secondary Indicators • Focus on programs that trigger the union of all 3 indicators • Benign programs may trigger single indicators but not all 3 • Union Reduces False Positives • Malicious programs trigger all 3 indicators • Union Reduces False Negatives • Secondary Indicators • Excessive deletions – Especially Class A ransomware • File type funneling – Changing all files to a single type

  23. Contributions • Develop an early-warning system for Ransomware • Identify 3 primary indicators to detect malicious file changes • Perform extensive analysis of encrypting ransomware to date This satisfies our 2nd contribution, results will determine if the indicators provide satisfaction for the 1st contribution

  24. Testing CryptoDrop Test bed includes 5,099 files in 511 directories Originally 2,663 programs labeled as ransomware were executed 2,171 programs found to be inert and modified no files Remaining 492 programs were then classified into variants of 14 different ransomware families

  25. Testing CryptoDrop • See Demo http://www.cryptodrop.org/docs/cryptodrop-demo.mp4

  26. Results All 492 ransomware programs were detected & stopped Maximum of 33 files encrypted in a single test Minimum of 0 files encrypted in a single test Median number of files lost was 10, or 0.2%

  27. Value of the Union Indicator All malware programs exhibited some of the indicators Some benign programs also exhibited some of the 3 indicators Nearly all malware programs exhibited all 3 indicators & therefore the Union indicator None of the benign programs exhibited all 3 indicators and therefore the Union indicator The Union indicator effectively eliminated False Positives

  28. Contributions • Develop an early-warning system for Ransomware • Identify 3 primary indicators to detect malicious file changes • Perform extensive analysis of encrypting ransomware to date Results satisfies the 1st contribution as ransomware was detected early

  29. Analysis - Inside the Numbers Based on the nature of the attacks, the 492 malware programs were grouped into 14 distinct malware families Class B attacks had the highest number of files lost because they attacked the smallest files first 93% of attacks had at least one union indicator 63 of the Class C attacks evaded union detection by writing to new files, 41 of these later triggered union detection when overwriting files & remaining 22 were caught due to high entropy.

  30. Results Breakdown

  31. Contributions • Develop an early-warning system for Ransomware • Identify 3 primary indicators to detect malicious file changes • Perform extensive analysis of encrypting ransomware to date Analysis of 14 different ransomware families satisfies 3rd contribution

  32. Q) Why Were So Few Files Lost?

  33. A) Files are not encrypted 1-by-1 TeslaCrypt performs a depth-first encryption process, files are accessed in upper directories, leading to detection, then encrypting in deep directory CTB-Locker processed files in size-order, smallest to largest, across multiple directories. This proved most successful with highest number of files lost Gpcode (Class C) was unable to delete test files marked Read-Only. Also this family was detected by the single indicator of high Entropy between Read & Write

  34. Conclusion & Recap Ransomware is a growing problem and current defenses are not always effective CryptoDrop offers a highly effective 2nd line of defense CryptoDrop meet all 3 of its proposed contributions • Key indicators of ransomware were identified • A successful early detection system was implemented • A detailed catalog of different types of ransomware was assembled to facilitate future research Achieved primarily by altering the normal signature based means of identifying malware and focusing on indicative behavior

  35. CrytoDrop in the Press https://fightransomware.com/ransomware-articles/cryptodrop-early-detection-system-helps-spot-malware-trouble/ http://www.scmagazine.com/florida-researchers-claim-to-discover-cure-for-the-common-ransomware/article/509179/ http://www.infosecurity-magazine.com/news/cryptodrop-spots-stops-ransomware/ https://securityintelligence.com/news/cryptodrop-stops-ransomware-by-stopping-its-encryption/ https://www.ipswitch.com/blog/cryptodrop-prevent-ransomware-attacks-stopping-encryption-early/

More Related