Crypto-Ransomware Behaviour On Infected Machine

By Wira Zanoramy Ansiry Bin Zakaria


Crypto-ransomware is a type of malware that encrypts a user's files. The intruder then demands a ransom from the victim, promising to restore access to the data upon payment. Victims are given instructions on how to pay a fee to obtain a decryption key. Costs range from a few hundred dollars to thousands, payable to the cybercriminals in Bitcoin.


Crypto-ransomware uses many infection vectors to compromise a machine. One of the most popular distribution mechanisms is phishing spam: an attachment arrives in the victim's email, masquerading as a file they can trust. If downloaded and opened, such attachments can take over the victim's device, particularly if they carry built-in social engineering tricks that persuade users to grant administrative access. Other, more aggressive types of ransomware (such as NotPetya) exploit security holes to infect machines without needing to trick users at all.


Ransomware has been found to rely on standard cryptographic algorithms. This makes producing ransomware a relatively small endeavour, because the libraries are already available. Even poorly crafted ransomware has proved effective, since it relies on scare tactics and victims still pay the ransom [1].


Listed below are the behaviours of crypto-ransomware on an infected machine:


  1. Contacting Command and Control (C&C) Server and Cryptographic Key Exchange
    When contacting its C&C servers over a secure protocol, crypto-ransomware hides its network communication by routing it through compromised web proxy servers. The exchange of the cryptographically generated key is implemented securely using the Transport Layer Security version 1 (TLSv1) protocol [1].

  2. Encryption of Targeted Files
    Encryption is the essential characteristic of crypto-ransomware. It encrypts files with targeted extensions and changes each file's current extension to a different one.

  3. File Search and Enumeration
    Crypto-ransomware displays a typical behaviour: it enumerates all files of interest on the computer. This is a plausible feature for ransomware detection and classification [3].

  4. Delete Backup Files
    Additional operations may be performed to frustrate recovery. Ransomware may, in some cases, delete the shadow copies that hold old versions of files [4]. For example, the TeslaCrypt ransomware family disables and removes the Windows volume shadow copies, and other variants wipe the disk's free space. This operation is performed to prevent recovery on the victim's side [5]. Likewise, the Cerber ransomware escalates its privileges to administrator level and then deletes the shadow copies. Ransomware deletes multiple files from the infected machine; this trait is clear evidence that the sample is either ransomware, wiper malware, or system-destruction malware. The ransomware developer wants to ensure that the victim cannot recover the encrypted files without paying the ransom [1].

  5. Terminating Selected Active Processes
    Some ransomware terminates the running processes of productivity applications such as Microsoft Office, databases, and antivirus products.

  6. Generating Cryptographic Key
    Ransomware uses Windows APIs to generate the cryptographic key. An asymmetric key generation algorithm is employed to create a secure key that is used to encrypt files on the infected system. The generated key is shared with the attacker's C&C server.

  7. Hidden TOR Browser
    Ransomware has been known to use the Tor browser to maintain its anonymity, making it challenging to discover the source of the attack. For example, WannaCry ransomware dumped Tor links in memory. Later, through the ransom note, the victim is instructed on how to use the provided Tor link to download and install the Tor browser. From then on, the victim is required to use the Tor browser for any further communication with the attacker [1].

  8. Moving and Appending New File Extensions
    Ransomware writes, moves, deletes, and renames the encrypted files, appending a new file extension after the existing one. In the case of WannaCry ransomware, the appended file extension was .WNCRY [1].

  9. Payload Persistence
    This action ensures that the attack persists even after the system is rebooted. Standard techniques include placing an executable file in the start-up directory, adding a new registry key, and setting a scheduled task [2].

  10. Restrict System Restore
    This action prevents the victim from restoring the system to its pre-infection state. Commonly used techniques are deleting scheduled backups and deleting backup files [2].

  11. Stealth Mode
    This action keeps the attack from being visible to the victim. Common approaches are executing from the %AppData% directory and using the same name as a standard system executable [2].

  12. Environment Mapping
    This trait ensures that the infection is actually running on the victim's system and not in a sandbox, the typical setup for dynamic analysis of malware. Standard techniques include checking the security settings and policies, geographical location, user language, file system architecture, and network drives.

  13. Privilege Elevation
    This action enables the attacker to perform actions as an administrator. Only the administrator can perform system-related actions; therefore, elevating to administrator level ensures that all activities can be performed without restriction [2].


In conclusion, a thorough examination of crypto-ransomware activity will help anti-ransomware researchers build a framework to detect and eradicate an impending ransomware attack.
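As an added example (not code from the original article or its references), the following Python script turns behaviours 2, 3 and 8 above into a detection heuristic: it scans a file-activity log and flags any process that appends a single new extension to many files across several directories within a short window, while leaving ordinary renames and a backup tool's ".bak" copies alone. The log format, process ids, paths and the ".LOCKED" extension are all constructed for this illustration.

```python
import ntpath
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed file-activity log for this example: "<time> <pid> <op> <path> [-> <new path>]".
SAMPLE_LOG = """\
2024-01-01T10:00:00 4210 WRITE  C:\\Users\\alice\\Docs\\report.docx
2024-01-01T10:00:01 4210 RENAME C:\\Users\\alice\\Docs\\report.docx -> C:\\Users\\alice\\Docs\\report.docx.LOCKED
2024-01-01T10:00:01 4210 RENAME C:\\Users\\alice\\Docs\\budget.xlsx -> C:\\Users\\alice\\Docs\\budget.xlsx.LOCKED
2024-01-01T10:00:02 4210 RENAME C:\\Users\\alice\\Pics\\holiday.jpg -> C:\\Users\\alice\\Pics\\holiday.jpg.LOCKED
2024-01-01T10:00:02 4210 RENAME C:\\Users\\alice\\Pics\\family.png -> C:\\Users\\alice\\Pics\\family.png.LOCKED
2024-01-01T10:00:03 4210 RENAME C:\\Users\\alice\\Desktop\\notes.txt -> C:\\Users\\alice\\Desktop\\notes.txt.LOCKED
2024-01-01T10:00:05 1880 RENAME C:\\Users\\alice\\Docs\\draft.txt -> C:\\Users\\alice\\Docs\\final.txt
2024-01-01T10:00:06 2035 RENAME C:\\Users\\alice\\Docs\\settings.ini -> C:\\Users\\alice\\Docs\\settings.ini.bak
2024-01-01T10:00:07 2035 RENAME C:\\Users\\alice\\Docs\\config.xml -> C:\\Users\\alice\\Docs\\config.xml.bak
"""

def appended_extension(old, new):
    """Return the suffix (lower-cased) if `new` is `old` plus an appended '.ext', else None."""
    suffix = new[len(old):] if new.startswith(old) else ""
    return suffix.lower() if suffix.startswith(".") else None

def parse_renames(log_text):
    """Yield (pid, time, appended_ext, directory) for each extension-appending rename."""
    for line in log_text.splitlines():
        fields = line.split(None, 3)          # time, pid, op, rest-of-line
        if len(fields) < 4 or fields[2] != "RENAME" or " -> " not in fields[3]:
            continue
        old, new = fields[3].split(" -> ", 1)
        ext = appended_extension(old, new)
        if ext:
            yield fields[1], datetime.fromisoformat(fields[0]), ext, ntpath.dirname(old)

def detect_mass_rename(log_text, window=timedelta(seconds=60), min_renames=5, min_dirs=2):
    """Flag processes appending one extension to >= min_renames files in >= min_dirs directories within `window`."""
    per_pid = defaultdict(list)
    for pid, ts, ext, directory in parse_renames(log_text):
        per_pid[pid].append((ts, ext, directory))
    alerts = {}
    for pid, renames in per_pid.items():
        renames.sort()                        # sliding window over time-ordered renames
        for i, (start, _, _) in enumerate(renames):
            burst = [r for r in renames[i:] if r[0] - start <= window]
            ext, count = Counter(r[1] for r in burst).most_common(1)[0]
            dirs = {r[2] for r in burst if r[1] == ext}
            if count >= min_renames and len(dirs) >= min_dirs:
                alerts[pid] = {"extension": ext, "renames": count, "directories": len(dirs)}
                break
    return alerts
```

Thresholds are deliberately conservative; tune `min_renames`, `min_dirs` and `window` against the baseline rename rate of legitimate software (backup agents, installers) on the monitored hosts.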



References


  1. S. Kihiu and E. Abade, “Comparative Analysis of Distinctive Features of the Ransomware Tactics in Relation to Other Malware,” July 2020.
  2. S. H. Kok, A. Abdullah, N. Z. Jhanjhi, and M. Supramaniam, “Ransomware, Threat and Detection Techniques: A Review,” IJCSNS Int. J. Comput. Sci. Netw. Secur., vol. 19, no. 2, pp. 136–146, 2019.
  3. R. Moussaileb, B. Bouget, A. Palisse, H. Le Bouder, N. Cuppens, and J.-L. Lanet, “Ransomware’s Early Mitigation Mechanisms,” 2018, pp. 1–10.
  4. U. Adamu and I. Awan, “Ransomware Prediction Using Supervised Learning Algorithms,” 2019.
  5. N. Scaife, H. Carter, P. Traynor, and K. R. B. Butler, “CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data,” Proc. Int. Conf. Distrib. Comput. Syst., vol. 2016-August, pp. 303–312, 2016.