CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data by Scaife, Carter, Traynor, & Butler. Rick Stroud, CSCE 813, 26 August 2016
Agenda Introduction & Format Context – Historical & Present Proposed Contributions of CryptoDrop Methodology Results Conclusion
Introduction & Format • Rick Stroud • Apogee Student in the Cyber Certificate Program • I work for National Cash Register (NCR), maker of ATMs • I will have some questions for you during the presentation
Q) What do these all have in common? King Richard the Lionhearted The Lindbergh Baby The Painting “The Scream” Charlie Chaplin’s Corpse
A) All Were Held for Ransom • In 1193, while returning from the Crusades, King Richard was held captive [1] • Released when 100,000 pounds of silver was paid, 3x the income of all England • In 1932, the child of aviator Charles Lindbergh was kidnapped [2] • Ransom was paid but the child was found dead • In 1994, the painting by Edvard Munch, The Scream, was stolen [3] • Thieves demanded $1 million, gallery refused, painting recovered in a police sting • Painting re-stolen in 2004 • In 1978, Chaplin's grave was robbed and the coffin taken [4] • Widow refused to pay, said Chaplin would have laughed at the events • Corpse was later found lying in a cornfield
Ransom is not new • Ransom is as old as mankind • Follows a familiar format of taking something of value or irreplaceable • Threaten to deny access or destroy the item • No guarantees in a ransom situation • Sometimes you pay & get item returned • Sometimes you pay & item not returned • Sometimes you don’t pay and item lost
What is Ransomware? • Resources, such as files, are made unavailable to the rightful owner • Typically this is done by encrypting the files and removing the originals • To decrypt the files a ransom must be paid • The promise is that the decryption key is provided upon payment • This greatly extends the reach, speed, & breadth of ransom
Ransomware Today - Hospitals • February 2016, Los Angeles - Hollywood Presbyterian Hospital medical records system held hostage via ransomware [6] • Demands 40 Bitcoins, worth approximately $17,000 • March 2016, Henderson, Kentucky - Methodist Hospital attacked [7] • Demands 4 Bitcoins, approximately $1,700 • May 2016, Wichita – Kansas Heart Hospital [8] • Demanded an undisclosed amount
CryptoDrop - Contributions • Develop an early-warning system for Ransomware • Identify 3 primary indicators to detect malicious file changes • Perform extensive analysis of encrypting ransomware to date Not all contributions are of equal value. We will address 2, then 3, then 1.
Methodology – Look for Effect • Most anti-malware & IDS tools detect signatures • Known bad file & process names • Performing known bad activities, e.g. CPU usage, process spawning, etc. • CryptoDrop instead looks for the results of typical ransomware activities • Files being encrypted, renamed, or deleted • Not intended to prevent all file loss but instead to mitigate loss • Designed to be effective when the 1st line of defense fails and ransomware installs & starts to execute
Question • Q) If CryptoDrop is not designed to prevent the initial infection and all file loss, aren’t some files going to be lost? • A) Yes, potentially. Let’s see how many files are lost. • Remember existing defenses are designed to prevent infection but are an all-or-nothing bet. • CryptoDrop provides a 2nd layer of defense to mitigate losses.
Similarities in Ransomware “The signature behavior of ransomware is its encryption of the victim’s data. Ransomware must read the original data, write encrypted data, and remove the original data to complete this transformation.” Detecting calls to encryption libraries alone is not sufficient, as many variants implement their own versions of these algorithms. The specific activities that ransomware performs can be refined into three classes.
3 Classes of Ransomware • Class A – Overwrite Files In Place - Overwrites the contents of the original file by opening the file, reading its contents, writing the encrypted contents in place, then closing the file. It may optionally rename the file. • Class B – Moves Files - Extends Class A, with the addition that the malware moves the file out of the user’s documents directory (e.g., into a temporary directory). It then reads the contents, writes the encrypted contents, then moves the file back to the user’s directory. • Class C – Creates New File - Reads the original file, then creates a new, independent file containing the encrypted contents and deletes or overwrites (via a move) the original file. This class uses two independent access streams to read and write the data.
Files going from Usable to Unusable • Indicator 1 – File Type Changes • Indicator 2 – Similarity Measurement • Range 0 to 100 • Indicator 3 – Shannon Entropy • Range 0 to 8
Indicator 1 – File Type Changes • Files contain internal markers or structure indicating their type • E.g. indicating “Word 2007”, “PDF”, or simply “UTF-8” • Alone, a single file type change is not necessarily malicious • When file types are changed on a large scale, this indicates a possible ransomware attack • Uses the file utility, which comes with hundreds of built-in file type definitions
Indicator 2 – Similarity Measurement • Typically, a file changes very little between one save and the next • One reason for this is the auto-save feature of many programs • A type of hash called a Similarity Digest, or Fuzzy Hash, preserves some information about the underlying document • Replacing a file’s content with ciphertext yields content entirely different from the original and is indicative of a ransomware attack • Using sdhash, a score from 100 (similar) to 0 (dissimilar) can be computed
Indicator 3 - Shannon Entropy Score • Encrypted files have Entropy Scores that approach the upper limit of 8 • In ciphertext each byte value has a uniform probability of occurring • That is, there is no predictability or pattern in the ciphertext Example: https://www.youtube.com/watch?v=R4OlXb9aTvQ
Union & Secondary Indicators • Focus on programs that trigger the union of all 3 indicators • Benign programs may trigger single indicators but not all 3 • Union Reduces False Positives • Malicious programs trigger all 3 indicators • Union Reduces False Negatives • Secondary Indicators • Excessive deletions – Especially Class A ransomware • File type funneling – Changing all files to a single type
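The three indicators and the union rule, as an added illustration (not CryptoDrop's code). The real system uses the file utility and sdhash; this stand-in uses a tiny magic-byte table, byte n-gram Jaccard overlap for the 0–100 similarity score, and thresholds (similarity < 50, entropy > 7.0) that are assumptions, not values from the paper. The sample documents are constructed inline.

```python
import math
import random

# Constructed magic-byte table standing in for the file utility's definitions.
MAGIC = {b"%PDF": "PDF", b"PK\x03\x04": "ZIP/OOXML", b"\x89PNG": "PNG"}

def file_type(data: bytes) -> str:
    """Indicator 1: guess a type from leading magic bytes, else UTF-8 text or raw data."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    try:
        data.decode("utf-8")
        return "UTF-8 text"
    except UnicodeDecodeError:
        return "data"

def similarity(a: bytes, b: bytes, n: int = 4) -> int:
    """Indicator 2: 0..100 score from byte n-gram Jaccard overlap (stand-in for sdhash)."""
    ga = {a[i:i + n] for i in range(len(a) - n + 1)}
    gb = {b[i:i + n] for i in range(len(b) - n + 1)}
    if not ga and not gb:
        return 100
    return round(100 * len(ga & gb) / len(ga | gb))

def entropy(data: bytes) -> float:
    """Indicator 3: Shannon entropy in bits per byte, range 0..8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def indicators(before: bytes, after: bytes) -> dict:
    """Evaluate one file write; 'union' is true only when all three indicators fire."""
    type_changed = file_type(before) != file_type(after)
    low_sim = similarity(before, after) < 50      # assumed threshold
    high_ent = entropy(after) > 7.0               # assumed threshold
    return {"type_change": type_changed, "low_similarity": low_sim,
            "high_entropy": high_ent, "union": type_changed and low_sim and high_ent}

# Constructed samples: a text document, a benign edit, and a ciphertext-like rewrite.
DOC = b"Quarterly report: " + b"revenue grew in each region. " * 40
EDITED = DOC + b" Reviewed."
_rng = random.Random(7)                            # deterministic pseudo-random bytes
ENCRYPTED = bytes(_rng.getrandbits(8) for _ in range(2048))

if __name__ == "__main__":
    print("benign save:", indicators(DOC, EDITED))
    print("encrypted  :", indicators(DOC, ENCRYPTED))
```

A benign save trips none of the indicators, while a ciphertext rewrite trips all three, which is why the union rule separates the two.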
Contributions • Develop an early-warning system for Ransomware • Identify 3 primary indicators to detect malicious file changes • Perform extensive analysis of encrypting ransomware to date This satisfies our 2nd contribution; the results will determine whether the indicators satisfy the 1st contribution
Testing CryptoDrop • Test bed includes 5,099 files in 511 directories • Originally 2,663 programs labeled as ransomware were executed • 2,171 programs found to be inert and modified no files • Remaining 492 programs were then classified into variants of 14 different ransomware families
Testing CryptoDrop • See Demo http://www.cryptodrop.org/docs/cryptodrop-demo.mp4
Results • All 492 ransomware programs were detected & stopped • Maximum of 33 files encrypted in a single test • Minimum of 0 files encrypted in a single test • Median number of files lost was 10, or 0.2%
Value of the Union Indicator • All malware programs exhibited some of the indicators • Some benign programs also exhibited some of the 3 indicators • Nearly all malware programs exhibited all 3 indicators & therefore the Union indicator • None of the benign programs exhibited all 3 indicators and therefore the Union indicator • The Union indicator effectively eliminated False Positives
Contributions • Develop an early-warning system for Ransomware • Identify 3 primary indicators to detect malicious file changes • Perform extensive analysis of encrypting ransomware to date The results satisfy the 1st contribution, as ransomware was detected early
Analysis - Inside the Numbers • Based on the nature of the attacks, the 492 malware programs were grouped into 14 distinct malware families • Class B attacks had the highest number of files lost because they attacked the smallest files first • 93% of attacks had at least one union indicator • 63 of the Class C attacks evaded union detection by writing to new files; 41 of these later triggered union detection when overwriting files & the remaining 22 were caught due to high entropy
Contributions • Develop an early-warning system for Ransomware • Identify 3 primary indicators to detect malicious file changes • Perform extensive analysis of encrypting ransomware to date Analysis of 14 different ransomware families satisfies 3rd contribution
A) Files are not encrypted 1-by-1 • TeslaCrypt performs a depth-first encryption process: files are accessed in upper directories, leading to detection, then encrypted in deep directories • CTB-Locker processed files in size order, smallest to largest, across multiple directories. This proved most successful, with the highest number of files lost • Gpcode (Class C) was unable to delete test files marked Read-Only. This family was also detected by the single indicator of high Entropy between Read & Write
Conclusion & Recap • Ransomware is a growing problem and current defenses are not always effective • CryptoDrop offers a highly effective 2nd line of defense • CryptoDrop meets all 3 of its proposed contributions • Key indicators of ransomware were identified • A successful early detection system was implemented • A detailed catalog of different types of ransomware was assembled to facilitate future research • Achieved primarily by moving away from the normal signature-based means of identifying malware and focusing on indicative behavior
CryptoDrop in the Press
https://fightransomware.com/ransomware-articles/cryptodrop-early-detection-system-helps-spot-malware-trouble/
http://www.scmagazine.com/florida-researchers-claim-to-discover-cure-for-the-common-ransomware/article/509179/
http://www.infosecurity-magazine.com/news/cryptodrop-spots-stops-ransomware/
https://securityintelligence.com/news/cryptodrop-stops-ransomware-by-stopping-its-encryption/
https://www.ipswitch.com/blog/cryptodrop-prevent-ransomware-attacks-stopping-encryption-early/