Forums
New posts
Search forums
News
Security News
Technology News
Giveaways
Giveaways, Promotions and Contests
Discounts & Deals
Reviews
Users Reviews
Video Reviews
Support
Windows Malware Removal Help & Support
Inactive Support Threads
Mac Malware Removal Help & Support
Mobile Malware Removal Help & Support
Blog
Log in
Register
What's new
Search
Search titles only
By:
Search titles only
By:
Reply to thread
Menu
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Forums
Security
Malware Analysis
What are the most clever ransomware techniques that you have seen?
Message
<blockquote data-quote="struppigel" data-source="post: 929604" data-attributes="member: 86910"><p>I can tell you that one. If companies are targeted, the criminals gain access to the systems<strong> prior </strong>to installing ransomware. The spend weeks gaining foothold, moving laterally, stealing data, deleting backups and they disable security software. Only after that they deploy the ransomware to encrypt everything.</p><p></p><p>On consumer systems the vast majority of ransomware infections arrive via pirated software on systems that have their antivirus disabled (because many AVs detect cracks, patches, keygens etc). E.g., on <a href="https://id-ransomware.malwarehunterteam.com/" target="_blank">id-ransomware</a> as well as in the UNITE forums approximately 2/3 of the ransomware infection requests are for <strong>STOP/DJVU ransomware</strong> which is almost exclusively distributed via cracks and pirated software.</p><p></p><p>I am not saying that these ransomware threat actors couldn't bypass antivirus if they wanted. I am saying, they don't have to for being successful.</p><p></p><p>Generally, ransomware is the last malware in the infection chain, and only appears after the system has already been compromised by other malware. That's just natural because ransomware is by its very nature visible to the user whereas other malware preferably stays hidden. An attacker looses access to that system after deploying ransomware because the user will get aware of the infection.</p><p></p><p>For any defender it makes more sense to concentrate on protection for the start of the infection chain than the end.</p><p>Or in case of companies to secure their infrastructure.</p><p></p><p></p><p></p><p>This question is not ransomware specific anymore as it pertains to all kinds of malware.</p><p></p><p>It is not as easy as you imagine. Many smart people are working on that, writing papers, doing research, inventing new detection mechanisms.</p><p>But detection of malware is a difficult problem because it is <strong>not possible to do perfectly</strong>. This has been mathematically proven by Fred Cohen. You can read that up in <a href="https://web.eecs.umich.edu/~aprakash/eecs588/handouts/cohen-viruses.html" target="_blank">this paper </a>or see a short version in <a href="https://youtu.be/gvo0guTh2DM" target="_blank">this video</a>.</p><p></p><p>Years ago also wrote a proof-of-concept detection engine for my master thesis based on Portable Executable file format anomalies. But I could only get high detection rates if I accepted a certain rate of false positives.</p><p>I still remember very clearly how I talked to a malware analyst about this very topic (Ange Albertini, my thesis was based on his work) and asked him what false positive rate would be acceptable. I was taken aback by his response: <strong>He said 0%!</strong></p><p>This was not possible. The detection rate plummeted to like 20% if I only attempted that whereas it was like above 90% with a fairly small false positive rate before.</p><p>But the reality is: For antivirus software, only 0% is acceptable.</p><p></p><p>It is easy to point to antivirus software and say I could do it better because, e.g., PEStudio has flagged this sample and hybrid-analysis has flagged that sample, while those systems never have to deal with any repercussions if they flag something that's legit.</p><p></p><p>With that said, I don't know how easy it is to write malware that is undetected. However, in most cases that's not the goal. The goal of an attacker is to<strong> stay undetected for a long period of time</strong> so you don't have to rewrite everything every other week. I doubt that this is so easy since there are criminals and criminal organizations working on quite complicated techniques to achieve that.</p><p>I can imagine it is fairly easy to write an entirely new malware that no one detects the first time you deploy it. I cannot imagine the same for staying undetected for weeks or months.</p><p></p><p>I also believe many people confuse a zero detection rate on Virustotal (or any other multiscanner) with being undetected by all those antivirus products. The AV testers here on MalwareTips will confirm that this is not the case.</p><p></p><hr /><p></p><p>Edit: I found the relevant part of the thesis. You can see that even if you accept that the detection rate plummets from 98.47% down to 37.80%, the false positive rate is still at 0.15% percent, which is too much (note: on the graph plot it looks like 0% at the end which is why I attached part of the numbers)</p><p></p><p>[spoiler]</p><p>[ATTACH=full]253962[/ATTACH]</p><p></p><p>[ATTACH=full]253963[/ATTACH]</p><p>[/spoiler]</p></blockquote><p></p>
[QUOTE="struppigel, post: 929604, member: 86910"] I can tell you that one. If companies are targeted, the criminals gain access to the systems[B] prior [/B]to installing ransomware. The spend weeks gaining foothold, moving laterally, stealing data, deleting backups and they disable security software. Only after that they deploy the ransomware to encrypt everything. On consumer systems the vast majority of ransomware infections arrive via pirated software on systems that have their antivirus disabled (because many AVs detect cracks, patches, keygens etc). E.g., on [URL='https://id-ransomware.malwarehunterteam.com/']id-ransomware[/URL] as well as in the UNITE forums approximately 2/3 of the ransomware infection requests are for [B]STOP/DJVU ransomware[/B] which is almost exclusively distributed via cracks and pirated software. I am not saying that these ransomware threat actors couldn't bypass antivirus if they wanted. I am saying, they don't have to for being successful. Generally, ransomware is the last malware in the infection chain, and only appears after the system has already been compromised by other malware. That's just natural because ransomware is by its very nature visible to the user whereas other malware preferably stays hidden. An attacker looses access to that system after deploying ransomware because the user will get aware of the infection. For any defender it makes more sense to concentrate on protection for the start of the infection chain than the end. Or in case of companies to secure their infrastructure. This question is not ransomware specific anymore as it pertains to all kinds of malware. It is not as easy as you imagine. Many smart people are working on that, writing papers, doing research, inventing new detection mechanisms. But detection of malware is a difficult problem because it is [B]not possible to do perfectly[/B]. This has been mathematically proven by Fred Cohen. You can read that up in [URL='https://web.eecs.umich.edu/~aprakash/eecs588/handouts/cohen-viruses.html']this paper [/URL]or see a short version in [URL='https://youtu.be/gvo0guTh2DM']this video[/URL]. Years ago also wrote a proof-of-concept detection engine for my master thesis based on Portable Executable file format anomalies. But I could only get high detection rates if I accepted a certain rate of false positives. I still remember very clearly how I talked to a malware analyst about this very topic (Ange Albertini, my thesis was based on his work) and asked him what false positive rate would be acceptable. I was taken aback by his response: [B]He said 0%![/B] This was not possible. The detection rate plummeted to like 20% if I only attempted that whereas it was like above 90% with a fairly small false positive rate before. But the reality is: For antivirus software, only 0% is acceptable. It is easy to point to antivirus software and say I could do it better because, e.g., PEStudio has flagged this sample and hybrid-analysis has flagged that sample, while those systems never have to deal with any repercussions if they flag something that's legit. With that said, I don't know how easy it is to write malware that is undetected. However, in most cases that's not the goal. The goal of an attacker is to[B] stay undetected for a long period of time[/B] so you don't have to rewrite everything every other week. I doubt that this is so easy since there are criminals and criminal organizations working on quite complicated techniques to achieve that. I can imagine it is fairly easy to write an entirely new malware that no one detects the first time you deploy it. I cannot imagine the same for staying undetected for weeks or months. I also believe many people confuse a zero detection rate on Virustotal (or any other multiscanner) with being undetected by all those antivirus products. The AV testers here on MalwareTips will confirm that this is not the case. [HR][/HR] Edit: I found the relevant part of the thesis. You can see that even if you accept that the detection rate plummets from 98.47% down to 37.80%, the false positive rate is still at 0.15% percent, which is too much (note: on the graph plot it looks like 0% at the end which is why I attached part of the numbers) [spoiler] [ATTACH type="full"]253962[/ATTACH] [ATTACH type="full"]253963[/ATTACH] [/spoiler] [/QUOTE]
Insert quotes…
Verification
Post reply
Top
