- Create and test the ransomware
- Buy and set up anonymous C2 web servers
- Purchase or develop a way to distribute it
- Recruit and orchestrate money mules to cash out the paid ransom
Malware Paranoia 101

There are many conventional defenses that are supposed to protect us from the "products" of cybercrime enterprises: firewalls, AVs and others. They handle most of the threats most of the time, yet an attacker needs to find only a single hole, and that is a doable task for one who does their homework. So what can be done in response? I believe in combining traditional solutions with innovative ones, hand in hand. By innovative, I do not mean more of the same "new technologies" that suffer from the same problem: attackers adapt to their signatures (or classifiers). What I believe to be a true paradigm shift is vaccination. I define it as creating indicators that cause malware to avoid specific endpoints because of its own hard-coded logic, as opposed to cases where a human operator is behind the malware. (Due disclosure: I work for a company that implements a commercial vaccination product.) I identify five different "fear classes" of malware that can be turned against it to vaccinate an endpoint:
- Automatic analysis environments, e.g. sandboxes
- Malware analysts, who debug, decompile and sniff it
- Security products. Malware authors check before the attack how their sample fares against AVs. If it evades 95 percent of them, the sample will look for the remaining 5 percent at run time and simply terminate if one of them is present, before deploying the main payload.
- Themselves. Most malware won't infect the same machine twice. Consider, for example, the scenario (unwanted by the attacker) of two running instances of the same ransomware on one endpoint.
- Target audience. Sometimes malware will avoid, or on the contrary focus on, a specific "target audience." For example, the original Petya ransomware won't infect endpoints that have a Cyrillic keyboard layout or a Russian IP address.
These fears are expressed as three kinds of indicators that malware tests for before it commits to running:
- Static artifacts: files, folders, registry keys and values, hostnames, e.g. the file C:\Windows\System32\VBoxMRXNP.dll, which belongs to Oracle's VirtualBox Guest Additions
- Dynamic artifacts: running processes, open windows, mutexes, the logged-in user, e.g. the process wireshark.exe
- Low-level indicators: abusing x86 instructions, race conditions, and the particular locations of structures in memory when running inside a VM. Joanna Rutkowska's Red Pill, which reads the IDT base address with the SIDT instruction, is the best-known example of such a technique.
DIY Vaccination

Emulating a VM well enough to fool the low-level x86 tricks is complex, and it is also overkill. Most malware runs a lengthy list of tests and bails out on the more obvious indicators anyway. One can create the impression that VM indicators are present on an endpoint simply by creating a few files, or by renaming copies of cmd.exe to "wireshark.exe" and running a dozen instances of it. When the malware tests whether indicators of a hostile environment are present, it finds the fake files, folders and other artifacts planted by the defender and terminates. I have written and released an open source tool which does exactly this, freely available here: https://github.com/G4lB1t/Need-less It includes a collection of static and dynamic indicators that have proved to be real life-savers in the fight against malware. Creating these artifacts can prevent a wide range of threats: not only ransomware but also exploit kits, RATs, banking Trojans and other malware types.
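The recipe above as an added PowerShell example (illustrative code written for this edit, not the page's own and not taken from Need-less). It plants a few VirtualBox Guest Additions file and registry artifacts, starts renamed copies of cmd.exe under analysis-tool names, and holds a couple of named mutexes. The VBox* file names and the Oracle registry key are real Guest Additions artifacts; the decoy directory, the version string and the mutex names are arbitrary placeholders chosen for this example.

```powershell
# Added example (not from the page or the Need-less project): a minimal DIY
# vaccination script. Run from an elevated PowerShell prompt and leave it running.
$ErrorActionPreference = 'Stop'

# --- Static artifacts: files a sample associates with a VirtualBox guest ---
# Real Guest Additions file names; an empty file is enough, since most samples
# only test for existence.
$decoyFiles = @(
    "$env:SystemRoot\System32\VBoxMRXNP.dll",
    "$env:SystemRoot\System32\VBoxHook.dll",
    "$env:SystemRoot\System32\drivers\VBoxMouse.sys",
    "$env:SystemRoot\System32\drivers\VBoxGuest.sys"
)
foreach ($f in $decoyFiles) {
    if (-not (Test-Path -LiteralPath $f)) {
        New-Item -ItemType File -Path $f -Force | Out-Null
    }
}

# --- Static artifacts: registry key written by the Guest Additions installer ---
# The key is real; the version string is an arbitrary placeholder.
$vboxKey = 'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions'
if (-not (Test-Path -LiteralPath $vboxKey)) {
    New-Item -Path $vboxKey -Force | Out-Null
}
New-ItemProperty -Path $vboxKey -Name 'Version' -Value '6.1.0' `
    -PropertyType String -Force | Out-Null

# --- Dynamic artifacts: harmless processes wearing analysis-tool names ---
# Decoy directory is an arbitrary choice for this example.
$decoyDir = Join-Path $env:ProgramData 'Vaccine'
New-Item -ItemType Directory -Path $decoyDir -Force | Out-Null
$decoyProcs = @('wireshark.exe', 'procmon.exe', 'x64dbg.exe', 'ollydbg.exe')
foreach ($name in $decoyProcs) {
    $exe = Join-Path $decoyDir $name
    # A renamed copy of cmd.exe idles forever, waiting for input it never gets.
    Copy-Item -LiteralPath "$env:SystemRoot\System32\cmd.exe" -Destination $exe -Force
    $procName = [IO.Path]::GetFileNameWithoutExtension($name)
    if (-not (Get-Process -Name $procName -ErrorAction SilentlyContinue)) {
        Start-Process -FilePath $exe -WindowStyle Hidden
    }
}

# --- Dynamic artifacts: named mutexes ---
# A sample that refuses to infect a host twice checks for "its own" mutex and
# quits when it exists. The names below are placeholders; substitute mutex
# names taken from samples you care about. The mutexes live only as long as
# this process does, which is why the script sleeps instead of exiting.
$mutexNames = @('Global\ExampleVaccineMutex1', 'Global\ExampleVaccineMutex2')
$held = foreach ($m in $mutexNames) {
    $createdNew = $false
    New-Object System.Threading.Mutex($true, $m, [ref]$createdNew)
}
Write-Host "Planted $($decoyFiles.Count) files, $($decoyProcs.Count) decoy processes, holding $($held.Count) mutexes. Ctrl+C to release."
while ($true) { Start-Sleep -Seconds 60 }
```

Allowlist the decoy directory in your EDR before running this: a handful of hidden cmd.exe copies calling themselves wireshark.exe look exactly like what the EDR is paid to flag. The script fools only samples that test for these particular artifacts; one that relies on a Red Pill-style check sees straight through it.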
Money, Time and Types of Actors

As discussed above, cleverly crafted indicators deter cyber crooks, but are they effective against other types of actors? Against state-sponsored adversaries? Against your friendly neighborhood script kiddie? There is no single answer. Instead, we should ask about the motivation and skill set of the attacker. For a well-funded state-sponsored actor, unlike a cybercriminal, money and profit are no longer an issue. However, other factors may influence their decision making and make vaccination effective against them as well:
- Time: a resource that even money can't buy. A state-sponsored APT takes considerable time to properly develop, test and deploy. If it is detected and analyzed quickly, its creators will not be able to collect intelligence from their target, nor to build on it for their next generation of malware.
- Foreign affairs: the DNC hack is a good example of a case where even a superpower tried to deny any link to a cyber-attack for political reasons. To this day, Russia denies any link to the Cozy Bear and Fancy Bear APT campaigns, preventing a major deterioration of its already fragile relations with the United States.