Transcript of the slide deck “A Large-Scale, Automated Approach to Detecting Ransomware”
A Large-Scale, Automated Approach to Detecting Ransomware
Amin Kharraz, Sajjad Arshad, Collin Mulliner, William Robertson, Engin Kirda
What is a ransomware attack?
(Figure: 1. Paying the ransom fee; 2. Receiving the decryption key)
A Typical Ransom Note
Attacks on Hospitals
“Cyber-criminals collected $209 million in the first three months of 2016 by extorting businesses and institutions to unlock computer servers.”
– CNN interview with the FBI, April 2016
How to defend against ransomware attacks?
● Educating end-users
  - Have a reliable backup policy
  - Avoid risky online behavior
● Developing detection tools to assist defenders
  - Providing insight from internal behavior
● Developing protection tools to enhance AV capabilities
  - Stopping the attack, and keeping the data consistent
Threat Model
● Ransomware can employ any technique to attack
  - Inject code into benign processes
  - Perform encrypted communication
  - Leverage arbitrary cryptosystems
● We assume that the OS kernel and the underlying software and hardware stack are free of malicious code.
● UNVEIL detects ransomware during the dynamic analysis phase, not on end-user machines.
  - Complements current dynamic analysis systems
  - A cloud-based malware analysis service, sample sharing
But, how can we detect a ransomware sample?
Achilles’ Heel of Ransomware
• Ransomware has to inform the victim that an attack has taken place
• Ransomware has certain behaviors that are predictable
  – e.g., entropy changes, modal dialogs and background activity, accessing user files
• A good sandbox that looks for some of these signs helps here…
UNVEIL: An Early Warning Dynamic Detection System for Ransomware
UNVEIL’s Architecture
Approach
• Detecting cryptographic ransomware:
  • Generating a fake (and attractive) user environment
  • Finding a reliable method for monitoring filesystem activity
Why do we generate fake user environments?
• Making the analysis environment more realistic
• Protecting the analysis system from user-environment fingerprinting
  - A static user environment can be easily detected by malware
How do we generate fake user environments?
Generating Fake (Honey) Content
• Real files with valid headers
  – Using standard libraries (e.g., python-docx, python-pptx, OpenSSL)
  – Content that appears meaningful
  – File names do not look random, and appear realistic
• File paths
  – User’s directory structure is generated randomly, but meaningfully
• File attributes
  – Generate content with different creation, modification, and access times
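The generator sketched on this slide, as an added example (this is not UNVEIL's own content generator, whose code is not on the page). It builds a decoy home directory with only the Python standard library: instead of python-docx it writes a minimal but well-formed .docx package with zipfile, so every decoy still carries a real PK header; the folder names, file stems and sentences are a constructed vocabulary, and the seeded RNG, the two-year timestamp window and the `looks_valid` self-check are assumptions, chosen so that each VM gets a different tree that still does not look random.

```python
"""Generate a decoy ("honey") user directory for a ransomware sandbox.

Added example, not UNVEIL's content generator. Standard library only: the .docx
files are minimal OOXML packages (a ZIP holding [Content_Types].xml, _rels/.rels
and word/document.xml) so they start with the real PK magic; .txt and .csv files
get plausible text. Names, layout and timestamps come from a seeded RNG.
"""
import os
import random
import tempfile
import time
import zipfile

# Constructed vocabulary (assumption): realistic-looking folders, stems and sentences.
FOLDERS = ["Documents", "Documents/Invoices", "Documents/Tax", "Pictures/Vacation",
           "Desktop", "Downloads", "Documents/Projects/Q3"]
STEMS = ["budget", "invoice", "meeting_notes", "resume", "contract", "lease",
         "grades", "thesis_draft", "passwords", "family_letter"]
SENTENCES = ["Please find the attached figures for this quarter.",
             "The payment is due within thirty days of receipt.",
             "Let me know if the numbers do not match your records.",
             "We discussed the renewal terms at the last meeting."]

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>')
RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
    '</Relationships>')
DOC = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
       '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
       '<w:body>{paras}</w:body></w:document>')


def make_text(rng, n_sentences):
    return " ".join(rng.choice(SENTENCES) for _ in range(n_sentences))


def write_docx(path, text):
    """Write a minimal valid .docx: a ZIP package with the three required parts."""
    paras = "".join(f"<w:p><w:r><w:t>{s.strip()}.</w:t></w:r></w:p>"
                    for s in text.split(".") if s.strip())
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", RELS)
        z.writestr("word/document.xml", DOC.format(paras=paras))


def write_csv(path, rng):
    rows = ["date,vendor,amount"]
    for _ in range(rng.randint(5, 20)):
        rows.append(f"2016-0{rng.randint(1, 9)}-{rng.randint(10, 28)},"
                    f"{rng.choice(STEMS)},{rng.randint(20, 900)}.{rng.randint(0, 99):02d}")
    with open(path, "w", encoding="utf-8") as f:
        f.write("\n".join(rows) + "\n")


def backdate(path, rng, now):
    """Spread modification times over the past two years; access time follows later."""
    mtime = now - rng.uniform(3600, 2 * 365 * 86400)
    atime = mtime + rng.uniform(0, now - mtime)
    os.utime(path, (atime, mtime))


def generate_honey_tree(root, seed, n_files=12):
    """Create n_files decoys under root; returns the list of paths created."""
    rng = random.Random(seed)
    now = time.time()
    created = []
    for _ in range(n_files):
        folder = os.path.join(root, rng.choice(FOLDERS))
        os.makedirs(folder, exist_ok=True)
        stem = f"{rng.choice(STEMS)}_{rng.randint(2013, 2016)}"
        kind = rng.choice(["docx", "txt", "csv"])
        path = os.path.join(folder, f"{stem}.{kind}")
        if os.path.exists(path):                      # a second draft looks natural, not random
            path = os.path.join(folder, f"{stem}_v{rng.randint(2, 5)}.{kind}")
        if kind == "docx":
            write_docx(path, make_text(rng, rng.randint(3, 12)))
        elif kind == "csv":
            write_csv(path, rng)
        else:
            with open(path, "w", encoding="utf-8") as f:
                f.write(make_text(rng, rng.randint(2, 8)) + "\n")
        backdate(path, rng, now)
        created.append(path)
    return created


def looks_valid(path):
    """Self-check before launching a sample: a .docx decoy must start with the ZIP magic."""
    with open(path, "rb") as f:
        head = f.read(2)
    return head == b"PK" if path.endswith(".docx") else len(head) > 0


def zip_ok(path):
    with zipfile.ZipFile(path) as z:
        return z.testzip() is None and "word/document.xml" in z.namelist()


def demo(root=None):
    """Build a tree (in a temp dir unless root is given) and summarise it."""
    root = root or tempfile.mkdtemp(prefix="honey_")
    paths = generate_honey_tree(root, seed=7, n_files=12)
    mtimes = [os.stat(p).st_mtime for p in paths]
    return {"root": root, "count": len(paths),
            "all_valid": all(looks_valid(p) for p in paths),
            "docx_ok": all(zip_ok(p) for p in paths if p.endswith(".docx")),
            "time_spread_days": (max(mtimes) - min(mtimes)) / 86400}
```

`demo()` writes twelve decoys and reports whether every header and package checks out and how far apart the timestamps are; the header self-check is worth keeping in a real pipeline, since a malformed decoy is itself a fingerprint of the sandbox.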
(Figure: UNVEIL architecture. The Content Generator runs in user mode; UNVEIL sits in the kernel next to the I/O Manager and records each filesystem request as a tuple)
Rfs = <Time, Pname, Pid, PPid, IRPflag, Arg, Result, BufEntropy>
Extracting I/O Access Sequences
(1) Overwrites the user’s files with an encrypted version
(2) Reads, encrypts, and deletes files without wiping them from storage
(3) Reads, creates a new encrypted version, and securely deletes the original files
IO Access Sequences in Multiple Ransomware Families
(Figure: the three access patterns. (1) Read → Write in place; (2) Read → New file (encrypted version) → Deleting the original file; (3) Read → New file (encrypted version) → Secure deletion)
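The three sequences above, as an added example that is not UNVEIL's kernel monitor: UNVEIL observes IRPs from inside the Windows I/O Manager, whereas this user-space script builds Rfs records with the slide's field names from a constructed trace, fills the BufEntropy field with Shannon entropy of each write buffer, and tags every process with the pattern its accesses match. The 7.0 and 1.0 entropy cut-offs, the READ/WRITE/DELETE operation names and the sample trace are assumptions.

```python
"""Classify a process's filesystem I/O trace into the three ransomware access patterns.

Added example, not UNVEIL's code. Records carry the same fields as the Rfs tuple
on the slide; IRPflag holds the operation name here, and BufEntropy is computed
from the constructed write buffers with Shannon's formula.
"""
import math
from collections import defaultdict, namedtuple

Rfs = namedtuple("Rfs", "Time Pname Pid PPid IRPflag Arg Result BufEntropy")

HIGH = 7.0   # assumed: writes above this (bits/byte) are treated as ciphertext
LOW = 1.0    # assumed: writes below this look like a zero/pattern fill (wipe)


def shannon_entropy(buf):
    """Bits per byte in [0, 8]; text sits around 4-5, ciphertext close to 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def record(t, pname, pid, op, path, buf=b"", result="OK"):
    return Rfs(t, pname, pid, 1, op, path, result, shannon_entropy(buf))


def classify(trace):
    """Return {pid: {"pattern": 1|2|3|None, "files": n}} per process.

    Pattern 1: read F, then a high-entropy write back to F, F kept (encrypt in place).
    Pattern 2: read F, high-entropy write to a new file, delete F without touching it.
    Pattern 3: as 2, but F is overwritten before it is deleted (secure deletion).
    """
    per_pid = defaultdict(list)
    for r in trace:
        per_pid[r.Pid].append(r)
    out = {}
    for pid, recs in per_pid.items():
        recs.sort(key=lambda r: r.Time)
        read, hi_self, any_self, deleted, new_hi = set(), set(), set(), set(), set()
        for r in recs:
            if r.Result != "OK":
                continue
            if r.IRPflag == "READ":
                read.add(r.Arg)
            elif r.IRPflag == "WRITE":
                if r.Arg in read:                 # writing back a file it read earlier
                    any_self.add(r.Arg)
                    if r.BufEntropy >= HIGH:
                        hi_self.add(r.Arg)
                elif r.BufEntropy >= HIGH:        # high-entropy content into a fresh file
                    new_hi.add(r.Arg)
            elif r.IRPflag == "DELETE":
                deleted.add(r.Arg)
        p1 = hi_self - deleted
        p3 = (read & any_self & deleted) if new_hi else set()
        p2 = ((read & deleted) - any_self) if new_hi else set()
        pattern, files = max(((1, p1), (2, p2), (3, p3)), key=lambda x: len(x[1]))
        out[pid] = {"pattern": pattern if files else None, "files": len(files)}
    return out


# Constructed buffers: CIPHER has entropy exactly 8.0, PLAIN about 4, ZEROS 0.
CIPHER = bytes(range(256)) * 4
PLAIN = b"Please find the attached figures for this quarter. " * 20
ZEROS = b"\x00" * 1024


def sample_trace():
    """Constructed trace: one process per ransomware strategy plus a benign editor."""
    files = ["C:/Users/alice/Documents/budget_2015.docx",
             "C:/Users/alice/Documents/invoice_2014.csv",
             "C:/Users/alice/Pictures/Vacation/family_letter_2013.txt"]
    t, clock = [], 0
    for f in files:                                   # pid 100: encrypt in place
        t += [record(clock, "svchost.exe", 100, "READ", f, PLAIN),
              record(clock + 1, "svchost.exe", 100, "WRITE", f, CIPHER)]
        clock += 2
    for f in files:                                   # pid 200: new .locked file, delete original
        t += [record(clock, "update.exe", 200, "READ", f, PLAIN),
              record(clock + 1, "update.exe", 200, "WRITE", f + ".locked", CIPHER),
              record(clock + 2, "update.exe", 200, "DELETE", f)]
        clock += 3
    for f in files:                                   # pid 300: as 200, but wipe before delete
        t += [record(clock, "crypt.exe", 300, "READ", f, PLAIN),
              record(clock + 1, "crypt.exe", 300, "WRITE", f + ".enc", CIPHER),
              record(clock + 2, "crypt.exe", 300, "WRITE", f, ZEROS),
              record(clock + 3, "crypt.exe", 300, "DELETE", f)]
        clock += 4
    t += [record(clock, "notepad.exe", 400, "READ", files[2], PLAIN),      # benign save
          record(clock + 1, "notepad.exe", 400, "WRITE", files[2], PLAIN + b"\nSee you soon.\n")]
    return t
```

Running `classify(sample_trace())` tags pid 100 as pattern 1, 200 as pattern 2, 300 as pattern 3 and leaves the editor unclassified. The pattern alone is not a verdict: an archiver that compresses a folder and deletes the originals also produces pattern 2, which is why the evaluation includes benign programs with ransomware-like behavior; the per-process file count is what separates a sample iterating over every decoy from a tool touching one file.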
(Figure: iteration over files during a CryptoWall attack)
Desktop Locker Ransomware
(Figure: screenshots 1, 2 and 3 taken around the malware run; the change between them yields a dissimilarity score)
Preparing the Analysis Environment
● UNVEIL is deployed on top of Cuckoo Sandbox
  - UNVEIL supports all versions of the Windows platform.
  - Our tool is deployed in the kernel.
  - Bypassing UNVEIL from user mode is not technically easy.
● Finding active malware is not easy
  - We modified some parts of Cuckoo to make it more resilient to environmentally sensitive samples
    - e.g., fake responses to some of the environment checks
  - Other anti-evasion measures to look more realistic
    - e.g., defining multiple NTFS drives, changing the IP address range and MAC addresses
Evaluation
1) Detecting known ransomware samples
  a) Collecting ~3500 ransomware samples from a public repository, Anubis, and two security companies
  b) 149 benign executables with ransomware-like behavior
  c) 348 malware samples from 36 malware families
(Figure: ransomware families and benign applications in the dataset)
(Figure: dissimilarity score is different from family to family)
Detecting known ransomware samples
The threshold value t = 0.32 gives the highest recall with 100% precision
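The dissimilarity score behind the desktop-locker slides and the choice of t on this one, as a single added example (not the authors' code; the slides do not state the image metric, so the tile-based score here is an assumption). Screens are constructed lists of 8-bit grayscale rows, the before/after "runs" and their labels are constructed, and the sweep applies the selection rule stated above: among thresholds that keep 100% precision, take the one with the highest recall.

```python
"""Screenshot dissimilarity for desktop lockers, and choosing the threshold t.

Added example, not UNVEIL's code. Assumed metric: split the screen into an 8x8
grid, compare each tile's mean intensity before and after the sample ran, and
score the fraction of tiles whose mean moved noticeably. A locker that replaces
the whole desktop scores 1.0; an app opening one dialog changes a few tiles.
"""

W, H = 256, 160          # constructed screen size, divisible by the grid


def blank_screen(value=200):
    return [[value] * W for _ in range(H)]


def paint(screen, x, y, w, h, value):
    """Fill a rectangle in place: a window, a modal dialog, a ransom note."""
    for row in screen[y:y + h]:
        row[x:x + w] = [value] * min(w, W - x)
    return screen


def tile_means(screen, grid=8):
    th, tw = H // grid, W // grid
    means = []
    for gy in range(grid):
        for gx in range(grid):
            total = sum(screen[y][x] for y in range(gy * th, (gy + 1) * th)
                                     for x in range(gx * tw, (gx + 1) * tw))
            means.append(total / (th * tw))
    return means


def dissimilarity(before, after, grid=8, delta=16):
    """Fraction of tiles whose mean intensity moved by more than delta, in [0, 1]."""
    a, b = tile_means(before, grid), tile_means(after, grid)
    return sum(1 for x, y in zip(a, b) if abs(x - y) > delta) / len(a)


def constructed_runs():
    """(score, is_ransomware) for constructed after-screens against a plain desktop."""
    before = blank_screen()
    runs = [
        (paint(blank_screen(), 20, 20, 60, 40, 40), False),       # small dialog
        (paint(blank_screen(), 0, 140, 256, 20, 90), False),      # popup along the bottom edge
        (paint(blank_screen(), 32, 20, 160, 140, 120), False),    # large benign window
        (paint(blank_screen(30), 64, 60, 128, 40, 255), True),    # locker: desktop replaced, note on top
        (blank_screen(60), True),                                 # locker: solid lock screen
        (paint(blank_screen(), 0, 0, 128, 160, 10), True),        # locker covering only the left half
        (paint(blank_screen(), 0, 0, 224, 160, 10), True),        # locker leaving a strip uncovered
    ]
    return [(dissimilarity(before, after), label) for after, label in runs]


def precision_recall(scored, t):
    """Flag a sample when score >= t; returns (precision, recall)."""
    tp = sum(1 for s, l in scored if s >= t and l)
    fp = sum(1 for s, l in scored if s >= t and not l)
    fn = sum(1 for s, l in scored if s < t and l)
    precision = tp / (tp + fp) if tp + fp else 1.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def best_threshold(scored, min_precision=1.0):
    """Every observed score is a candidate t; keep the highest recall at full precision."""
    best = None
    for t in sorted({s for s, _ in scored}):
        p, r = precision_recall(scored, t)
        if p >= min_precision and (best is None or r > best[1]):
            best = (t, r)
    return best
```

In the constructed set the large benign window (35/64 = 0.55) outscores the locker that covers only half the desktop (0.5), so insisting on 100% precision costs recall: `best_threshold(constructed_runs())` lands at t = 0.875 with recall 0.75, while t = 0.5 would catch every locker at 0.8 precision. That overlap is the reason a screenshot score is combined with the other signs listed on the Achilles' heel slide (modal dialogs, background activity) rather than used alone.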
Evaluating UNVEIL with unknown samples
(Figure: a Ganeti cluster of 8 servers running 56 UNVEIL-enabled VMs, processing ~1200 malware samples per day)
Evaluating UNVEIL with unknown samples
● We used the same detection threshold (t = 0.32) for the large-scale experiment.
● The incoming samples were acquired from the daily malware feed provided by Anubis from March 18 to February 12, 2016.
● The dataset contained 148,223 distinct samples.
Cross-checking with VirusTotal
● Pollution ratio is defined as the ratio of the number of scanners that identified the sample to the total number of scanners in VirusTotal
Detection Results
Detection: New Ransomware Family
• During our experiments, we discovered a new malware family
  – We call it “SilentCrypt”
  – After we reported it, others started detecting it as well
  – We were not able to find any information about this family online
  – The ransomware first checks for private files of a user, contacts the C&C server, and starts the attack based on the answer
Conclusion
● Ransomware is a serious threat.
● UNVEIL introduces concrete models to detect ransomware.
● Detecting an unknown family shows that the solutions are useful in practice.
● We continue to improve functionality tuned towards detecting ransomware.
Thank You