Q&A What are the most clever ransomware techniques that you have seen?

danb

From VoodooShield
Verified
Developer
May 31, 2017
891
In the interest of full disclosure, I only ask because I am not too familiar with all of the various ransomware techniques, I just started working with ransomware detection two weeks ago. Either way, I think this might be an interesting discussion. For example, a lot of products utilize bait files, but that method is soooo easy to bypass, you just simply randomize the files you encrypt.

Anyway, I think I might have stumbled on to a really cool new mechanism, and unless I am completely missing something, this might be a new HIGHLY effective mechanism to combat ransomware, which is included in the product I have been talking about soon to be know as DataDefender.

So, what are the most clever ransomware techniques that you have seen?

Thank you guys!
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
891
Thank you guys.... I guess what I am asking is what techniques should I be aware of that can bypass any given antiransom mechanism? I mean, it is simple to bypass bait files, but is there some technique that is difficult to detect?
 

SecureKongo

Level 21
Verified
Malware Tester
Feb 25, 2017
1,047

danb

From VoodooShield
Verified
Developer
May 31, 2017
891
I am sorry but I have to decline this request. Out of ethical reasons and due to working for an AV company as a defender I will not teach anyone how to bypass AV products.
I am sorry, I was not clear enough. I am not asking anyone to teach people how to bypass cybersecurity products.

Having said that, I do not like the fact that security researchers must publicly disclose vulnerabilities any more than you do, but the reality is that it is the only way to figure out why our current detection methods are failing, so we can fix them. And this is actually not even what I am asking.

What I am asking is simply “Why do the current antiransom detection mechanisms fail?”

It is incredibly easy to write malware that will bypass most or all of the current antiransom detection mechanisms, so I am curious why they fail.

There are a lot of smart people working on the ransomware problem and it should have been solved a long time ago.
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
407
What I am asking is simply “Why do the current antiransom detection mechanisms fail?”

I can tell you that one. If companies are targeted, the criminals gain access to the systems prior to installing ransomware. The spend weeks gaining foothold, moving laterally, stealing data, deleting backups and they disable security software. Only after that they deploy the ransomware to encrypt everything.

On consumer systems the vast majority of ransomware infections arrive via pirated software on systems that have their antivirus disabled (because many AVs detect cracks, patches, keygens etc). E.g., on id-ransomware as well as in the UNITE forums approximately 2/3 of the ransomware infection requests are for STOP/DJVU ransomware which is almost exclusively distributed via cracks and pirated software.

I am not saying that these ransomware threat actors couldn't bypass antivirus if they wanted. I am saying, they don't have to for being successful.

Generally, ransomware is the last malware in the infection chain, and only appears after the system has already been compromised by other malware. That's just natural because ransomware is by its very nature visible to the user whereas other malware preferably stays hidden. An attacker looses access to that system after deploying ransomware because the user will get aware of the infection.

For any defender it makes more sense to concentrate on protection for the start of the infection chain than the end.
Or in case of companies to secure their infrastructure.

It is incredibly easy to write malware that will bypass most or all of the current antiransom detection mechanisms, so I am curious why they fail.

There are a lot of smart people working on the ransomware problem and it should have been solved a long time ago.

This question is not ransomware specific anymore as it pertains to all kinds of malware.

It is not as easy as you imagine. Many smart people are working on that, writing papers, doing research, inventing new detection mechanisms.
But detection of malware is a difficult problem because it is not possible to do perfectly. This has been mathematically proven by Fred Cohen. You can read that up in this paper or see a short version in this video.

Years ago also wrote a proof-of-concept detection engine for my master thesis based on Portable Executable file format anomalies. But I could only get high detection rates if I accepted a certain rate of false positives.
I still remember very clearly how I talked to a malware analyst about this very topic (Ange Albertini, my thesis was based on his work) and asked him what false positive rate would be acceptable. I was taken aback by his response: He said 0%!
This was not possible. The detection rate plummeted to like 20% if I only attempted that whereas it was like above 90% with a fairly small false positive rate before.
But the reality is: For antivirus software, only 0% is acceptable.

It is easy to point to antivirus software and say I could do it better because, e.g., PEStudio has flagged this sample and hybrid-analysis has flagged that sample, while those systems never have to deal with any repercussions if they flag something that's legit.

With that said, I don't know how easy it is to write malware that is undetected. However, in most cases that's not the goal. The goal of an attacker is to stay undetected for a long period of time so you don't have to rewrite everything every other week. I doubt that this is so easy since there are criminals and criminal organizations working on quite complicated techniques to achieve that.
I can imagine it is fairly easy to write an entirely new malware that no one detects the first time you deploy it. I cannot imagine the same for staying undetected for weeks or months.

I also believe many people confuse a zero detection rate on Virustotal (or any other multiscanner) with being undetected by all those antivirus products. The AV testers here on MalwareTips will confirm that this is not the case.



Edit: I found the relevant part of the thesis. You can see that even if you accept that the detection rate plummets from 98.47% down to 37.80%, the false positive rate is still at 0.15% percent, which is too much (note: on the graph plot it looks like 0% at the end which is why I attached part of the numbers)

stats.png


stats2.png
 
Last edited:

danb

From VoodooShield
Verified
Developer
May 31, 2017
891
I can tell you that one. If companies are targeted, the criminals gain access to the systems prior to installing ransomware. The spend weeks gaining foothold, moving laterally, stealing data, deleting backups and they disable security software. Only after that they deploy the ransomware to encrypt everything.

On consumer systems the vast majority of ransomware infections arrive via pirated software on systems that have their antivirus disabled (because many AVs detect cracks, patches, keygens etc). E.g., on id-ransomware as well as in the UNITE forums approximately 2/3 of the ransomware infection requests are for STOP/DJVU ransomware which is almost exclusively distributed via cracks and pirated software.

I am not saying that these ransomware threat actors couldn't bypass antivirus if they wanted. I am saying, they don't have to for being successful.

Generally, ransomware is the last malware in the infection chain, and only appears after the system has already been compromised by other malware. That's just natural because ransomware is by its very nature visible to the user whereas other malware preferably stays hidden. An attacker looses access to that system after deploying ransomware because the user will get aware of the infection.

For any defender it makes more sense to concentrate on protection for the start of the infection chain than the end.
Or in case of companies to secure their infrastructure.



This question is not ransomware specific anymore as it pertains to all kinds of malware.

It is not as easy as you imagine. Many smart people are working on that, writing papers, doing research, inventing new detection mechanisms.
But detection of malware is a difficult problem because it is not possible to do perfectly. This has been mathematically proven by Fred Cohen. You can read that up in this paper or see a short version in this video.

Years ago also wrote a proof-of-concept detection engine for my master thesis based on Portable Executable file format anomalies. But I could only get high detection rates if I accepted a certain rate of false positives.
I still remember very clearly how I talked to a malware analyst about this very topic (Ange Albertini, my thesis was based on his work) and asked him what false positive rate would be acceptable. I was taken aback by his response: He said 0%!
This was not possible. The detection rate plummeted to like 20% if I only attempted that whereas it was like above 90% with a fairly small false positive rate before.
But the reality is: For antivirus software, only 0% is acceptable.

It is easy to point to antivirus software and say I could do it better because, e.g., PEStudio has flagged this sample and hybrid-analysis has flagged that sample, while those systems never have to deal with any repercussions if they flag something that's legit.

With that said, I don't know how easy it is to write malware that is undetected. However, in most cases that's not the goal. The goal of an attacker is to stay undetected for a long period of time so you don't have to rewrite everything every other week. I doubt that this is so easy since there are criminals and criminal organizations working on quite complicated techniques to achieve that.
I can imagine it is fairly easy to write an entirely new malware that no one detects the first time you deploy it. I cannot imagine the same for staying undetected for weeks or months.

I also believe many people confuse a zero detection rate on Virustotal (or any other multiscanner) with being undetected by all those antivirus products. The AV testers here on MalwareTips will confirm that this is not the case.



Edit: I found the relevant part of the thesis. You can see that even if you accept that the detection rate plummets from 98.47% down to 37.80%, the false positive rate is still at 0.15% percent, which is too much (note: on the graph plot it looks like 0% at the end which is why I attached part of the numbers)

If a bad actor has full access to the system or network then it is game over... of course the ransomware detection mechanism will fail if the bad actor shuts them down.

For purposes of this discussion, it pretty much does not matter where in the attack chain the ransomware fires. It could be at the beginning, in the middle or at the end... what I am asking about is the actual ransomware detection mechanism itself.

For example, one technique to evade detection would be randomize the order that the files are encrypted so that it is less likely to trigger detection on the bait files before a sufficient amount of files are encrypted. I am just curious what other “clever tricks” ransomware utilizes to evade detection while it is executing.

I am extremely familiar with VT ;).
 
  • Like
Reactions: tipo and venustus

TairikuOkami

Level 31
Verified
Content Creator
May 13, 2017
2,075
Current ransomware uses SYSTEM rights to do the work, so it can be blocked, by blocking the SYSTEM user. After all, who would do that?! (not to mention getting rid of powershell)


Basically, it starts with WSH/PowerShell using SeDebugPrivilege/SeTcbPrivilege to gain rights and then it is game over.

 
Last edited:
Top