Functional and Behavioral Analysis of Different Type of Ransomware.pptx
1. Functional and Behavioral Analysis of Different Type of Ransomware
Beril TÜRKEŞ
Main Supervisor: Cemal YILMAZ
2. Outline
• Introduction
• Evolution of Ransomware
• Motivation
• Ransomware Scope
• Methodology
• Deploying Analysis Environment
• Determining Indicators
• Analyzing Phase
• Additional Work
• Evaluation
• Results
11.8.2022 Faculty of Engineering and Natural Science 2
3. Introduction
Ransomware: Ransomware is a type of malicious software (malware) that infects a system and prevents victims from accessing their data or system until a ransom is paid to unlock it.
Table 1: Mindsight report
4. Introduction
Table 2: Security Boulevard report
Table 2: Datto's Global State of the Channel Ransomware Report
5. Evolution of Ransomware
The first known incidence of ransomware is the AIDS Trojan developed and distributed by Dr. Joseph Popp in 1989 (Mungo and Clough 1992). Whilst this is the first known instance of a ransomware attack, it required manual delivery of the malicious software and physical payment of the ransom.
6. Evolution of Ransomware
• Threatens to delete a number of files for every hour the ransom is not paid.
• Arrives as a macro embedded in a spam attachment, a new method identified at that time.
• Delivered via Dropbox; Master Boot Record (MBR) of infected machines and encrypted physical drive; ransom doubled if payment not received in 7 days.
• First ransomware to allow resiliency and persistence on victim machines.
• Encrypts files. Biggest ransomware attack in history. Infected over 230,000 computers in more than 150 countries. Spread without any user interaction.
• GandCrab is a Ransomware as a Service (RaaS) which allows any cybercriminal to utilize the software to execute attacks. GandCrab is spread via malicious emails where the victim is prompted to download a zip file containing the ransomware.
• REvil ransomware, also known as Sodinokibi, was first discovered in Italy in May 2019 and is known as the successor of GandCrab. REvil is a RaaS model for distribution and employs anti-kill technology to avoid detection by anti-malware software.
• Maze also steals the data it finds and exfiltrates it to servers controlled by malicious hackers who then threaten to release it if a ransom is not paid. Increasingly, other ransomware (such as REvil, also known as Sodinokibi) have been observed using similar tactics.
• The analysis indicates that GoldenEye/Petya uses the same EternalBlue exploit employed by WannaCry to replicate laterally, in what IT folk refer to as the "worm" component of the malware.
7. Motivation
Ransomware is a class of malware that has significantly impacted enterprises and consumers. The aim of ransomware is financial gain, extorted by encrypting the victim's files or locking the victim's systems.
Recent ransomware statistics show that the cost of the damage caused by ransomware has been increasing annually. This project aims to facilitate the detection of ransomware by dynamically and statically analyzing and classifying ransomware behavior.
8. Ransomware Scope
• Sample selection
• 42 ransomware samples were selected for analysis during the project period. In this set, 11 samples have no decryptor tool on https://www.nomoreransom.org/; the other 31 may be decryptable without paying the ransom.
# Ransomware
1 Fantom
2 Golden Eye
3 Locky
4 Maze
5 Notpetya
6 Petya
7 Pysa
8 Ransomexx
9 Revil
10 Wannacry
11 Lockfile
Table: Unbroken ransomware (no decryptor available)
# Ransomware
12 777
13 Alpha
14 Amnesia
15 Annabella
16 Aurora
17 Bart
18 Bigbobross
19 Cerber
20 Chimera v2
21 Cryptxxx
22 Darkside
23 Dharma
24 DragonCyber
25 Gomasom
26 Grandcrab
27 Jaff
28 Jigsaw (Dolf version)
29 Jigsaw
30 Mira
31 Nemty
32 Ouroboros
33 Paradise
34 Pewcrypt
35 Puma
36 Rotor
37 Satana
38 Sava
39 Tesla v1
40 Thanatos
41 Zorab
42 Djvu
Table: Broken ransomware (decryptor available)
9. Ransomware Scope
• Collecting ransomware binaries
• I collected ransomware binaries using the following sites.
• https://any.run/
• https://github.com/ytisf/theZoo
• https://github.com/Endermanch/MalwareDatabase
• https://www.tutorialjinni.com/
• Orçun Çetin also helped me to collect ransomware binaries.
10. Methodology
Tools and Strategies for Analyzing Ransomware
• Cuckoo Sandbox
Cuckoo Sandbox is the leading open-source automated malware analysis system.
• FLARE tools
FLARE VM is a freely available and open-sourced Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators, and penetration testers.
• Intezer
Intezer has created the world's first cyber immune system against malicious code. The company detects mutations of any threat seen in history by recognizing even the slightest amount of code reuse.
• VirusTotal
Analyze suspicious files and URLs to detect types of malware, and automatically share them with the security community.
• Ghidra*
Ghidra is one of many open-source software (OSS) projects developed within the National Security Agency.
• IDA Pro*
The IDA Disassembler and Debugger is an interactive, programmable, extensible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X. IDA has become the de-facto standard for the analysis of hostile code, vulnerability research and commercial-off-the-shelf validation.
11. Methodology
• Cuckoo Sandbox: How does it work?
12. Deploying Analysis Environment
• Setting up the Cuckoo Sandbox environment
• Cuckoo Sandbox was installed on Ubuntu 18.04.05. (Image of the environment: https://drive.google.com/file/d/1tFAVcjeZNko8rNHrKGtG8yAcKjQoJZ_o/view?usp=sharing)
• Setting up the FLARE VM environment
• FLARE VM was installed on Windows 10 in a virtual machine. (Image of the environment: https://drive.google.com/file/d/16fJpQe8AJFIYJcLJaCyoWJ1f8EFuY5kD/view?usp=sharing)
• 9 ransomware samples could not perform malicious activity in the Cuckoo Sandbox environment.
Each ransomware sample was analyzed with Cuckoo Sandbox and Intezer. VirusTotal, FLARE VM, Ghidra and IDA Pro were not used to analyze the whole set of ransomware samples.
13. Determining Indicators
• Static Analysis Indicators
String obfuscation
Packed (Y/N)
Known packer (Y/N) (if it is packed)
One or more of the buffers contains an embedded PE file
Import library
Total library count
Import function (for less library)
Manipulation in imports (Y/N)
System
Compilation time stamp
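As an added example (not code from the slides or the project), the following Python script extracts several of the static indicators listed above from a PE file: the compile timestamp, per-section entropy as a packing heuristic, a known-packer guess from section names, and whether any section buffer contains an embedded PE file. It parses the DOS, COFF and section headers directly, so it needs no third-party library. The packer section-name table, the 7.0-bit entropy threshold and the minimal PE it builds as its own test input are assumptions for this example; import library and function counting, also on the list above, is left out.

```python
"""Static PE indicator extractor (added example, not the project's code).
Parses the DOS/COFF/section headers directly; no third-party library needed."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Section names that well-known packers leave behind (assumed lookup table).
KNOWN_PACKER_SECTIONS = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".MPRESS1": "MPRESS", ".MPRESS2": "MPRESS",
    ".themida": "Themida",
}
PACKED_ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~0 for padding, 8 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(data: bytes):
    """Return (TimeDateStamp, [(name, raw_offset, raw_size), ...]) from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", errors="replace")
        # IMAGE_SECTION_HEADER after Name: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        _, _, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, raw_ptr, raw_size))
    return timestamp, sections


def has_embedded_pe(buf: bytes) -> bool:
    """True if buf holds an MZ header whose e_lfanew points at a PE signature."""
    idx = buf.find(b"MZ")
    while idx != -1:
        if idx + 0x40 <= len(buf):
            lfanew = struct.unpack_from("<I", buf, idx + 0x3C)[0]
            if 0x40 <= lfanew < 0x1000 and buf[idx + lfanew:idx + lfanew + 4] == b"PE\0\0":
                return True
        idx = buf.find(b"MZ", idx + 1)
    return False


def analyze(data: bytes) -> dict:
    """Static indicators for one PE image: compile time, packing, packer name, embedded PE."""
    timestamp, sections = parse_sections(data)
    report = {
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "section_count": len(sections), "sections": [],
        "packed": False, "known_packer": None, "embedded_pe": False,
    }
    for name, raw_ptr, raw_size in sections:
        body = data[raw_ptr:raw_ptr + raw_size]
        entropy = round(shannon_entropy(body), 2)
        report["sections"].append({"name": name, "size": raw_size, "entropy": entropy})
        if entropy > PACKED_ENTROPY_THRESHOLD:
            report["packed"] = True
        if name in KNOWN_PACKER_SECTIONS:
            report["packed"] = True
            report["known_packer"] = KNOWN_PACKER_SECTIONS[name]
        if has_embedded_pe(body):
            report["embedded_pe"] = True
    return report


def build_minimal_pe(sections, timestamp: int) -> bytes:
    """Constructed input for testing: a header-only PE (empty optional header) with given sections."""
    header_len = 64 + 4 + 20 + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)
    table, bodies, raw_ptr, vaddr = b"", b"", header_len, 0x1000
    for name, body in sections:
        table += name.encode().ljust(8, b"\0")[:8]
        table += struct.pack("<IIII", len(body), vaddr, len(body), raw_ptr)
        table += struct.pack("<IIHHI", 0, 0, 0, 0, 0x60000020)
        bodies += body
        raw_ptr += len(body)
        vaddr += 0x1000
    return dos + b"PE\0\0" + coff + table + bodies


COMPILE_TS = int(datetime(2022, 8, 11, tzinfo=timezone.utc).timestamp())
# Constructed sample: UPX-style sections, one full of maximum-entropy data, plus a
# resource section that carries a second, smaller PE (the "embedded PE" indicator).
INNER_PE = build_minimal_pe([(".text", b"\xCC" * 32)], COMPILE_TS)
SAMPLE_PE = build_minimal_pe([
    ("UPX0", b"\x00" * 128),
    ("UPX1", bytes(range(256)) * 2),
    (".rsrc", b"\x00" * 16 + INNER_PE),
], COMPILE_TS)

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_PE), indent=2))
```

Run it on a real sample by reading the file into bytes and calling analyze(); the entropy threshold is a heuristic, so a high-entropy .rsrc section holding compressed images will also raise the packed flag, which is why the known-packer section-name check is reported separately.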
14. Determining Indicators
• Dynamic Analysis Indicators
# Signature
1 Prevent recovery
2 Create executable files
3 Executable file (created by the ransomware) location (if yes)
4 VM check (Y/N)
5 Libraries used for VM check
6 Sandbox check (Y/N)
7 Libraries used for sandbox check
8 Debugger check (Y/N)
9 Libraries used for debugger check
10 Install itself for autorun starting Windows
11 Modify security settings
12 Network communications for possible code injection
13 Modifies WPAD proxy autoconfiguration file for traffic interception
14 Remote process injection
15 Create a process named as a common system process
16 Connects dead host
17 Unpacking itself / code injection
18 Cmd line
19 Using Windows API to generate cryptographic key
20 Steals information
21 Cryptographic algorithm
22 Encrypt type
23 Cannot perform dynamic analysis
24 Direct CPU clock access
25 Change desktop background
26 Check anti virus
27 Inject malware (keylogger/trojan)
28 Run time delayed
29 Anti-VM check
15. Analyzing Phase
1. Collecting ransomware samples (https://any.run/)
2. Uploading to the Cuckoo environment
16. Analyzing Phase
3. Uploading to the Intezer environment
4. Checking via VirusTotal and FLARE tools
18. Evaluation
1. Classify the data with respect to the determined indicators.
2. The following table displays how many samples each indicator was detected in on the Cuckoo and Intezer platforms.
Indicator Count
Packed 34
Create executable file 32
Cmd usage 27
Code injection processing while unpacking 26
VM check 25
Install itself autorun starting Windows 24
Debugger check 23
Privilege enumeration 22
Clean the evidence 21
Sandbox check 20
Known packed 18
Created a process named as a common system process 18
Hidden import 16
Prevent recovery 15
Least import function 15
Buffer containing PE file 13
Connects dead host 12
Steals information 12
Could not perform malicious activity on Cuckoo 12
Direct CPU clock access 12
Change background 12
Delayed executing 14
Remote process injection 11
Inject malicious program 11
Check antivirus tool 10
Modify security settings 9
Network communication for possible code injection 9
Using Windows API to generate cryptographic key 9
String obfuscating 6
Modifies WPAD proxy autoconfiguration file for traffic interception 6
Check whether the system is using an anti-virtualization technique or not 5
19. Results
Known Packed Algorithm Distribution
Confuser 4
Armadillo v1.71 3
malicious packer 3
UPX 2
SmartAssembly 1
BobSoft Mini Delphi 1
PureBasic 4.x -> Neil Hodgson 1
MinGW GCC 3.x 1
Libraries (for suspicious imports*) (Top 5)
kernel32.dll 14
mscoree.dll 6
user32.dll 6
ws2_32.dll 4
advapi32.dll 3
* The number of imported functions was checked in order to determine suspicious imports.
21. Results
Created Executable File Locations and Created Executable Common Files (chart counts: 17, 11, 9, 5, 5)
..\AppData\Local\Temp\..
..\AppData\Roaming\..
C:\Python27\Lib\test\empty.vbs
C:\Python27\Lib\test\check_soundcard.vbs
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Windows
Methods for installing itself for autorun starting Windows
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 11
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 2
schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 12:50 1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run 1
22. Results
Cleaning Evidence Methods (chart counts: 7, 3, 2, 2)
Deletes original binary from disk
C:\Users\Administrator\AppData\Local\Microsoft\***:Zone.Identifier
Clear web history
C:\Users\..\AppData\Roaming\Microsoft\Windows\Cookies
Deleting Windows event logs
Environment Check/Defense Methods
Windows API to check virtual machine: GlobalMemoryStatusEx 18; GetDiskFreeSpaceExW 8; GetAdaptersAddresses 6
Sandbox check: c:\agent.py 15; Process32NextW 11; c:\tmpfpoxbg\analyzer.py 4
Debugger check: IsDebuggerPresent 23
Delaying process: trying to sleep process 14
Inject malicious software: Bootkit 5; Keylogger 4; Hupigon file (backdoor) 1; Tor Browser 1
Created a process named as a common system process: explorer.exe 6; firefox.exe 3; svchost.exe 3; iexplorer.exe 1; rundll32.exe 1
23. Results
Enumerating Privileges (LookupPrivilegeValueW)
Chart counts: 20, 16, 2, 2, 8, 4
Privileges: SeBackupPrivilege, SeDebugPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeShutdownPrivilege, SeTcbPrivilege
SeBackupPrivilege allows file content retrieval, even if the security descriptor on the file might not grant such access.
SeRestorePrivilege allows file content modification, even if the security descriptor on the file might not grant such access. This function can also be used to change the owner and protection.
SeDebugPrivilege is required to debug and adjust the memory of a process owned by another account.
SeTcbPrivilege identifies its holder as part of the trusted computer base. Some trusted protected subsystems are granted this privilege.
SeShutdownPrivilege allows shutting down the system.
SeSecurityPrivilege lets you use Event Viewer to both view and clear the Security log and edit the audit control list of objects such as files, folders, printers, registry keys, and Active Directory (AD) objects.
Related tactics shown on the slide: Privilege Escalation, Defense Evasion, Credential Access, Persistence, Collection.
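As an added example (not the project's code) of how the behaviours on the three results slides above can be matched automatically, the following Python script classifies a simplified, Cuckoo-like event list for one sample into indicator families: autorun persistence (Run/RunOnce keys, Startup folder, schtasks), evidence cleaning (self-deletion, Zone.Identifier streams, cookies, event-log clearing), VM, sandbox and debugger checks by API name, delayed execution, and privilege enumeration through LookupPrivilegeValueW. The event format and the sample events are constructed for this example; the API names and paths are taken from the slides, with wevtutil and NtDelayExecution added as assumptions.

```python
"""Behavioural indicator matcher (added example, not the project's code).
Classifies a simplified, Cuckoo-like event list for one sample into the
indicator families from the results slides."""
import re

# Autorun locations from the results slide (a value name may follow the key).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Windows APIs the slides report as VM, sandbox and debugger checks.
VM_CHECK_APIS = {"GlobalMemoryStatusEx", "GetDiskFreeSpaceExW", "GetAdaptersAddresses"}
SANDBOX_CHECK_APIS = {"Process32NextW"}
SANDBOX_FILES = ("agent.py", "analyzer.py")  # Cuckoo guest-side components
DEBUGGER_CHECK_APIS = {"IsDebuggerPresent"}
DELAY_APIS = {"NtDelayExecution", "Sleep"}  # assumed names for "trying to sleep process"

INDICATORS = ("autorun", "clean_evidence", "vm_check", "sandbox_check",
              "debugger_check", "delayed_execution", "privilege_enum")


def classify(events, sample_path):
    """Return {indicator: [evidence, ...]} for one sample.
    Each event is a dict with a 'type' plus type-specific fields (constructed format)."""
    hits = {k: [] for k in INDICATORS}
    for ev in events:
        kind = ev["type"]
        if kind == "regkey_written" and RUN_KEY_RE.search(ev["key"]):
            hits["autorun"].append(ev["key"])
        elif kind == "file_written" and STARTUP_DIR_RE.search(ev["path"]):
            hits["autorun"].append(ev["path"])
        elif kind == "cmdline":
            cmd = ev["cmd"].lower()
            if cmd.startswith("schtasks") and "/create" in cmd:
                hits["autorun"].append(ev["cmd"])
            elif cmd.startswith("wevtutil") and " cl " in cmd:  # wevtutil cl <log> clears a log
                hits["clean_evidence"].append(ev["cmd"])
        elif kind == "file_deleted":
            path = ev["path"]
            if path.lower() == sample_path.lower():
                hits["clean_evidence"].append("deletes original binary: " + path)
            elif path.endswith(":Zone.Identifier") or path.lower().endswith("\\cookies"):
                hits["clean_evidence"].append(path)
        elif kind == "file_opened" and ev["path"].lower().endswith(SANDBOX_FILES):
            hits["sandbox_check"].append(ev["path"])
        elif kind == "api":
            name, args = ev["name"], ev.get("args", {})
            if name in VM_CHECK_APIS:
                hits["vm_check"].append(name)
            elif name in SANDBOX_CHECK_APIS:
                hits["sandbox_check"].append(name)
            elif name in DEBUGGER_CHECK_APIS:
                hits["debugger_check"].append(name)
            elif name in DELAY_APIS:
                hits["delayed_execution"].append(f"{name}({args.get('milliseconds', '?')} ms)")
            elif name == "LookupPrivilegeValueW":
                hits["privilege_enum"].append(args.get("privilege", "?"))
    return hits


def flags(hits):
    """Collapse evidence lists to the Y/N view used in the indicator tables."""
    return {k: ("Y" if v else "N") for k, v in hits.items()}


# Constructed event log for one hypothetical sample; paths and API names mirror the slides.
SAMPLE_PATH = r"C:\Users\Administrator\AppData\Local\Temp\sample.exe"
SAMPLE_EVENTS = [
    {"type": "api", "name": "IsDebuggerPresent"},
    {"type": "api", "name": "GlobalMemoryStatusEx"},
    {"type": "file_opened", "path": r"C:\agent.py"},
    {"type": "api", "name": "Process32NextW"},
    {"type": "api", "name": "LookupPrivilegeValueW", "args": {"privilege": "SeDebugPrivilege"}},
    {"type": "api", "name": "LookupPrivilegeValueW", "args": {"privilege": "SeBackupPrivilege"}},
    {"type": "regkey_written",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"type": "file_written",
     "path": r"C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.exe"},
    {"type": "cmdline",
     "cmd": r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 12:50'},
    {"type": "api", "name": "NtDelayExecution", "args": {"milliseconds": 600000}},
    {"type": "file_deleted", "path": SAMPLE_PATH},
    {"type": "cmdline", "cmd": "wevtutil cl Security"},
]

if __name__ == "__main__":
    for indicator, evidence in classify(SAMPLE_EVENTS, SAMPLE_PATH).items():
        print(f"{indicator:18} {flags({indicator: evidence})[indicator]}  {evidence}")
```

The matcher keeps the raw evidence per indicator rather than only a flag, so the same run yields both the Y/N columns of the indicator tables and the per-method breakdown (which Run key, which API) shown on the results slides.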
24. Additional Work
Ransomware samples were also classified into MITRE ATT&CK framework categories in this project.
MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
Execution
Shared Modules 18
Native API 8
Command and Scripting Interpreter :: Unix Shell 6
Initial Access
Replication Through Removable Media 4
Persistence
Boot or Logon Autostart Execution :: Registry Run Keys / Startup Folder 18
Create or Modify System Process :: Windows Service 1
Defense Evasion
Process Injection 6
Deobfuscate/Decode Files or Information 4
Pre-OS Boot :: Bootkit 4
Software Packing 4
Impair Defenses :: Disable or Modify Tools 3
Credential Access
Unsecured Credentials :: Credentials In Files 7
Credentials from Web Browsers :: Steals credentials from Web Browsers 1
Steal Web Session Cookie 1
OS Credential Dumping 1
Discovery
Process Discovery 19
Software Discovery :: Security Software Discovery 10
Query Registry 8
System Information Discovery 7
File and Directory Discovery 1
Collection
Data Staged 12
Data from Local System 2
Input Capture :: Keylogging 2
Archive Collected Data 2
Command And Control
Encrypted Channel 2
Application Layer Protocol 2
Proxy :: Multi-hop Proxy 1
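The evaluation table (slide 18) and the ATT&CK classification above both come down to the same bookkeeping: for each sample, record which indicators its sandbox signatures imply, then count samples per indicator and per technique. The following Python script, added here and not part of the project, does that over a constructed set of Cuckoo-style reports; the signature names and the signature-to-indicator/technique mapping are assumptions for this example (the technique ids themselves are from the public ATT&CK matrix). A sample with no signatures is counted under "cannot perform dynamic analysis", matching the row of the evaluation table.

```python
"""Evaluation bookkeeping (added example, not the project's code): per-sample
indicator sets from Cuckoo-style signature lists, the indicator-count table
across the sample set, and an ATT&CK tactic/technique tally."""
from collections import Counter, defaultdict

NO_ACTIVITY = "Cannot perform dynamic analysis"

# signature name -> (indicator label, ATT&CK tactic, technique id).
# Signature names and their pairing with indicators/techniques are assumptions for
# this example; the technique ids themselves are from the public ATT&CK matrix.
INDICATOR_MAP = {
    "antivm_memory_available":  ("VM check", "Defense Evasion", "T1497.001"),
    "antivm_disk_size":         ("VM check", "Defense Evasion", "T1497.001"),
    "antisandbox_cuckoo_files": ("Sandbox check", "Defense Evasion", "T1497.001"),
    "antidbg_windows":          ("Debugger Check", "Defense Evasion", "T1622"),
    "injection_runpe":          ("Remote process injection", "Defense Evasion", "T1055"),
    "persistence_autorun":      ("Install itself autorun starting Windows", "Persistence", "T1547.001"),
    "deletes_self":             ("Clean the evidence", "Defense Evasion", "T1070.004"),
    "deletes_shadow_copies":    ("Prevent Recovery", "Impact", "T1490"),
    "packer_upx":               ("Known Packed", "Defense Evasion", "T1027.002"),
    "stealth_timeout":          ("Delayed executing", "Defense Evasion", "T1497.003"),
}


def indicator_set(report):
    """Indicators implied by one report's signatures; an empty signature list means
    the sample never ran (the 'cannot perform dynamic analysis' row of the table)."""
    sigs = report.get("signatures", [])
    if not sigs:
        return {NO_ACTIVITY}
    return {INDICATOR_MAP[s["name"]][0] for s in sigs if s["name"] in INDICATOR_MAP}


def count_indicators(reports):
    """Number of samples in which each indicator was observed (one hit per sample)."""
    counts = Counter()
    for report in reports:
        counts.update(indicator_set(report))
    return counts


def ranked_table(counts):
    """Rows sorted by count descending, then name, as on the evaluation slide."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def attack_tally(reports):
    """tactic -> Counter(technique id -> number of samples)."""
    tally = defaultdict(Counter)
    for report in reports:
        seen = set()
        for sig in report.get("signatures", []):
            if sig["name"] in INDICATOR_MAP:
                _, tactic, technique = INDICATOR_MAP[sig["name"]]
                seen.add((tactic, technique))
        for tactic, technique in seen:
            tally[tactic][technique] += 1
    return tally


def make_report(*names):
    """Constructed Cuckoo-style report: only the 'signatures' list is modelled."""
    return {"signatures": [{"name": n, "severity": 2} for n in names]}


# Constructed sample set: three samples that ran and one that never detonated.
SAMPLE_REPORTS = [
    make_report("antivm_memory_available", "antidbg_windows", "persistence_autorun",
                "packer_upx", "deletes_self"),
    make_report("antivm_disk_size", "antivm_memory_available", "injection_runpe",
                "persistence_autorun"),
    make_report(),
    make_report("deletes_shadow_copies", "persistence_autorun", "stealth_timeout",
                "antisandbox_cuckoo_files", "unknown_signature"),
]

if __name__ == "__main__":
    for name, n in ranked_table(count_indicators(SAMPLE_REPORTS)):
        print(f"{name:45} {n}")
    for tactic, techniques in attack_tally(SAMPLE_REPORTS).items():
        print(tactic, dict(techniques))
```

Counting is done per sample, not per signature hit, so two VM-check signatures in one report add one to "VM check"; that is what makes the counts comparable with the number of samples in the set, as in the evaluation table.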
25. Conclusion
Keywords: Static Analysis, Windows API, MITRE ATT&CK Framework, Registry Modification, Classification