I was always curious how ransomware works. During the WannaCry ransomware attack, I got my hands on a WannaCry sample and tested it on a Windows VM. It was the first time that I saw the result of a ransomware infection on a system. I was intrigued by the way it encrypted the system and presented a banner, as in the picture above, within seconds. This led me to study the functioning of ransomware in more depth. This series discusses the design and development of such a Crypto Ransomware, and finally its analysis.
This is the first post in the series Creating a POC Crypto Ransomware Framework. Here, I shall give a brief overview of Crypto Ransomware and of the way this series proceeds in developing a proof of concept sample and analyzing it.
Ransomware is a type of malware that threatens to publish the victim’s personal data publicly online, or blocks access to it, unless a specified ransom is paid. Ransomware that intends to extort money by blocking access to data through encrypting the files stored on the computer is also known as Crypto Ransomware. The malicious program demands that the victim pay a ransom within a stipulated time to get the decryption key, or lose the data forever. Some well-known Crypto Ransomware families are Locky, CryptoLocker, Petya and their variants.
This series on creating a sample Crypto Ransomware framework will proceed in these phases:
- Crypto Ransomware Design
- Infection Phase
- C&C Server & Victim Manager
- Victim Files Encryption
- Decryption & Analysis
Crypto Ransomware Design
Crypto Ransomware usually uses two methods for propagation. In the first, the victim is lured into visiting malicious links or opening files attached to emails. The other method is with the help of trojans or exploit kits. Once it is downloaded onto the system, the program installs itself and deploys persistence mechanisms. Before installation, or at certain times after installation, the malware checks for certain conditions which, when satisfied, stop the execution of the malware and cause it to delete itself. These kill switch conditions vary from ransomware to ransomware. In WannaCry, the kill switch was the presence of a live domain. Locky, in contrast, stops executing if the victim's system is found to use a Russian locale. Some malware authors also check the victim environment for the presence of debugging software or VM-based environments and alter the malware's behaviour accordingly, in order to evade malware analysts and make their job difficult.
In the next step, the malware communicates with the C&C server, located through IP addresses hardcoded in the malware or through Domain Generation Algorithms (DGA), to report the infection by passing an identifier that identifies the victim in the Victim Manager. The Victim Manager is an application hosted on the C&C server that is responsible for key management and communication with the victim. Once the C&C server receives the ‘Victim Identifier’, a 2048-bit RSA key pair is generated. The public key from the generated pair is sent to the victim. I am using a hybrid encryption module in this sample, wherein the victim's files are encrypted with a randomly generated 128-bit AES key in CBC mode, and the symmetric key used for file encryption is afterwards encrypted with the public key provided by the C&C server. The decryption process involves passing a decryptor, together with the decryption key from the C&C server, to the victim.
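From the defender's side, the C&C lookup described above is one of the few observable events before any file is touched: a host that suddenly resolves a run of long, vowel-poor, high-entropy domains is behaving like a DGA client. The following script is an added example and not code from the original post or its POC framework. It parses a few constructed DNS query log lines (the log format, the `timestamp client-ip query fqdn` layout, and the entropy and vowel-ratio thresholds are all assumptions made for the example) and flags clients that query several DGA-like domains.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log lines for this example (not from the original post).
# Assumed format per line: "<timestamp> <client-ip> query <fqdn>"
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:02Z 10.0.0.5 query www.example.com
2017-05-12T10:01:03Z 10.0.0.5 query mail.example.com
2017-05-12T10:01:09Z 10.0.0.7 query xkqzvpwtrgbnmdfh.com
2017-05-12T10:01:10Z 10.0.0.7 query qwplzmcvbtrxngkh.net
2017-05-12T10:01:11Z 10.0.0.7 query zxcvqwrtplkmnbgh.org
2017-05-12T10:01:15Z 10.0.0.9 query updates.vendor.example
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Shannon entropy in bits per character of the given string."""
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def second_level_label(fqdn):
    """Return the label directly left of the TLD, e.g. 'example' for 'www.example.com'."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label, min_len=12, min_entropy=3.4, max_vowel_ratio=0.25):
    """Heuristic DGA test: long label, high entropy, and few vowels.

    Thresholds are illustrative assumptions; tune them against real traffic
    and whitelist known long legitimate names before alerting on them.
    """
    if len(label) < min_len:
        return False
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def parse_dns_log(log_text):
    """Yield (client_ip, fqdn) tuples from log lines in the assumed format."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2] == "query":
            yield fields[1], fields[3]


def flag_dga_candidates(log_text):
    """Return the (client_ip, fqdn) pairs whose second-level label looks generated."""
    return [
        (client, fqdn)
        for client, fqdn in parse_dns_log(log_text)
        if looks_generated(second_level_label(fqdn))
    ]


def suspicious_clients(log_text, min_hits=3):
    """Map client IP -> number of DGA-like lookups, keeping clients at or above min_hits."""
    hits = defaultdict(int)
    for client, _fqdn in flag_dga_candidates(log_text):
        hits[client] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for client, fqdn in flag_dga_candidates(SAMPLE_DNS_LOG):
        print(f"DGA-like lookup: {client} -> {fqdn}")
    for client, n in suspicious_clients(SAMPLE_DNS_LOG).items():
        print(f"ALERT: {client} made {n} DGA-like lookups; check for C&C beaconing")
```

The per-client counter matters more than any single domain: one odd-looking name is noise, but a burst of them from the same host matches the "try generated domains until one resolves" pattern and is worth correlating with process creation and file-write telemetry on that host.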
I made a rough attempt at a pictorial representation of how I designed the POC attack. The next part of this series discusses how infection is carried out during a ransomware campaign.