Ransomware has been plaguing the world for years. The dark web has a whole industry dedicated to creating on-demand ransomware variants. There are programs you can buy that generate a brand-new ransomware variant, undetected by existing anti-virus solutions, in a few clicks. This is why most ransomware prevention solutions focus on catching the behavior rather than the signature. Instead of looking for known ransomware variants, most successful solutions look for a specific chain of operations. An example of such a chain: a user downloads an executable in a browser and starts it; the executable immediately creates an encryption key, opens many files and rewrites them.

In this blog post we will show you how easy it is to use Hyperionix to detect such behavior, block it and even save the encryption key so that any files it missed can be decrypted. Hyperionix makes it easy to monitor and modify low-level system behavior. It gives you an agent and a central online management console, which you use to deploy probes written in Lua that monitor and modify the behavior of systems on your network. In this case we will use it to monitor cryptographic key usage and file operations. Hyperionix will terminate processes it determines to be ransomware based on their behavior, and it will send events to Splunk notifying you of the detection. The event will include the decryption key that lets us unlock any files the ransomware encrypted.

For this demo we will use the GandCrab ransomware. It is recommended that you go over the tutorial before trying to run this demo yourself.

We will be looking for this specific chain of events to detect ransomware behavior:

  1. A file is created with the “Zone.Identifier” alternate data stream. All major modern browsers add this stream to downloaded files to let Windows know the file did not originate on this system.
  2. The file is moved, renamed or copied.
  3. A process is created with the downloaded file as its backing file.
  4. This process exports a cryptographic key. Ransomware does that so it can send the key to its servers and hand it back to you for a ransom.

It is possible to detect the actual file encryption too, but we will stop at detection of the cryptographic key for brevity.

Detect File Download

To detect file operations we hook all the relevant functions in ntdll.dll. Here we only need NtCreateFile, which is called to create files and is also called when creating an alternate data stream. To catch the download, we filter for creations of “Zone.Identifier” alternate streams and report them.

The resulting code defines a hook probe that installs an onExit handler, called whenever the probe detects a return from NtCreateFile. The interesting logic goes into the onExit handler: it checks whether the filename names an alternate data stream and, if so, whether that stream is “Zone.Identifier”. Finally it sends an event to Splunk with the details.
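To make the four-step chain and the Zone.Identifier check concrete, here is an added stand-alone model of the detection logic in Python. It is not a Hyperionix probe and uses none of its API: the event dicts, `split_ads`, `ChainTracker` and the sample stream in `run_demo` are all constructed for this example, standing in for the hook callbacks the post describes.

```python
from __future__ import annotations

ZONE_ADS = "zone.identifier"

def split_ads(path: str) -> tuple[str, str | None]:
    """'C:\\dl\\a.exe:Zone.Identifier' -> ('C:\\dl\\a.exe', 'Zone.Identifier');
    a plain 'C:\\dl\\a.exe' yields (path, None): the drive colon is not a stream."""
    if path.upper().endswith(":$DATA"):          # optional explicit stream type suffix
        path = path[:-6]
    base, sep, stream = path.rpartition(":")
    if not sep or not stream or "\\" in stream:  # no colon, or only the drive colon
        return path, None
    return base, stream

class ChainTracker:
    """Tracks each file's stage in the chain (1 = has Zone.Identifier, 2 = moved/copied)."""
    def __init__(self):
        self.stage: dict[str, int] = {}   # lower-cased path -> stage reached
        self.procs: dict[int, str] = {}   # pid -> backing file of a process started at stage 2

    def feed(self, ev: dict) -> dict | None:
        kind = ev["type"]
        if kind == "NtCreateFile":                          # step 1: download marker written
            file, stream = split_ads(ev["path"])
            if stream and stream.lower() == ZONE_ADS:
                self.stage.setdefault(file.lower(), 1)
        elif kind in ("rename", "copy"):                    # step 2: marked file moved/copied
            if ev["src"].lower() in self.stage:
                self.stage[ev["dst"].lower()] = 2
        elif kind == "process_create":                      # step 3: process backed by that file
            if self.stage.get(ev["image"].lower()) == 2:
                self.procs[ev["pid"]] = ev["image"]
        elif kind == "key_export":                          # step 4: tracked process exports a key
            image = self.procs.get(ev["pid"])
            if image is not None:                           # a probe would terminate and report here
                alert = {"pid": ev["pid"], "image": image, "key": ev["key"]}
                return alert
        return None

def run_demo() -> list[dict]:
    events = [  # constructed sample stream: download, move, run, key export, unrelated pid
        {"type": "NtCreateFile", "path": r"C:\Users\u\Downloads\setup.exe"},
        {"type": "NtCreateFile", "path": r"C:\Users\u\Downloads\setup.exe:Zone.Identifier"},
        {"type": "rename", "src": r"C:\Users\u\Downloads\setup.exe", "dst": r"C:\Temp\setup.exe"},
        {"type": "process_create", "pid": 4242, "image": r"C:\Temp\setup.exe"},
        {"type": "key_export", "pid": 4242, "key": "<constructed key blob>"},
        {"type": "key_export", "pid": 7, "key": "<untracked pid, ignored>"},
    ]
    return [a for a in map(ChainTracker().feed, events) if a is not None]
```

The returned alert carries the exported key alongside the offending pid and image, which is the data the post sends to Splunk so files encrypted before termination can still be recovered.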

Detect Ransomware With Hyperionix