# How Ransomware Works
At a high level, ransomware is exactly what it sounds like: someone takes your computer system hostage and demands a ransom. Usually the attackers "kidnap" your system by encrypting most of the files on it, making the machine next to useless.
1. Infect a computer
2. Take control of that computer
3. Destroy backups
4. Encrypt system files
5. Demand money for the encryption key
These are the basic steps of a ransomware attack. Next we'll go through each one in more detail, using the RobbinHood ransomware as our guide.
## Infect a computer
Ransomware is software, so it must first infect a computer before it can operate on a system. There are many ways ransomware can initially get onto a system: an executable sent as an email attachment, downloading sketchy applications, and pretty much any other conventional infection method. The RobbinHood ransomware used two methods: trojans and brute-forcing Remote Desktop Protocol (RDP) logins (Arntz).
## Take Control of that computer
Once the attackers have initially infected your system, they will take action to control it, usually through some vulnerability. The attackers need nearly full access to the computer in order to turn off the necessary protections and then encrypt all the files. For example, if the user runs the trojan program, it may turn off all security on the computer without the user knowing what is happening. It could also set up a backdoor through which the attacker can connect to your computer. One of the main tactics of the RobbinHood ransomware was to install a Gigabyte-signed driver with a known vulnerability (Arntz). That vulnerability allows the attacker to get full control over the system. Typically loading such a driver would not work, but since it was an official Gigabyte driver signed by Microsoft, the driver installed successfully.
### A Deeper Dive (information paraphrased from [Loman](https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/))
RobbinHood's attack uses five main files: STEEL.EXE, ROBNR.EXE, GDRV.SYS, RBNL.SYS, and PLIST.TXT.

STEEL.EXE is the application that kills the processes and deletes the files of security products using kernel drivers. STEEL runs ROBNR.EXE, which installs the malicious driver RBNL.SYS. After installation, PLIST.TXT is read and every application listed in it is killed; the associated files are deleted as well.

ROBNR.EXE deploys the drivers. First it uses the vulnerability in the signed GDRV.SYS driver to install the unsigned RBNL.SYS driver. Then it uses the RBNL.SYS driver to compromise the system. The vulnerability in the signed driver allows arbitrary kernel memory reads and writes. With this the attackers disable driver signature enforcement. On Windows 10 the variable that controls it is `ci!g_CiOptions` (in CI.DLL). The attackers load CI.DLL as a data library using `DONT_RESOLVE_DLL_REFERENCES`. After loading it they query the location of CI.DLL in kernel memory: `NtQuerySystemInformation` returns the kernel addresses of all loaded kernel modules. From there they resolve the exported `CiInitialize` function from the module's export address table and follow the code from that function to find the address of `g_CiOptions`.

The attackers can now disable driver signature enforcement and install their own driver. This kernel driver is used to kill processes and delete files, even ones that are in use. It uses an I/O request packet (IRP) to clear the `ImageSectionObject` and `DataSectionObject` pointers, which tricks the storage device into thinking the files are not in use; the files can then be deleted. After every process and file on its list has been killed or deleted, encryption can begin.

For more information, see the [Sophos article](https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/).
## Destroy Backups
Many ransomware attacks will try to destroy local backups in order to force more victims to pay the ransom. Before encrypting files, the RobbinHood ransomware disconnects all network shares, deletes all shadow copies, clears event logs, and disables Windows automatic repair (Arntz).
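As an added example (not code from the original post or from the RobbinHood analyses it cites), here is a small Python detector that maps constructed Windows event lines to the two stages described in this section and the previous one: the signed GDRV.SYS load followed by the unsigned RBNL.SYS load, and the backup-destruction steps. The `key=value` event format, the sample lines and the file paths are assumptions, not real telemetry.

```python
import re

# Each rule: (attack stage from the write-up, regex over one event line, description).
# Behaviours come from the post: loading the signed-but-vulnerable GDRV.SYS, then
# the unsigned RBNL.SYS, deleting shadow copies, clearing event logs, disabling repair.
RULES = [
    ("take-control", re.compile(r"driver_loaded=.*\bgdrv\.sys\b", re.I),
     "known-vulnerable signed Gigabyte driver loaded"),
    ("take-control", re.compile(r"driver_loaded=.*\brbnl\.sys\b.*signed=false", re.I),
     "unsigned kernel driver loaded (signature enforcement likely disabled)"),
    ("destroy-backups", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
     "volume shadow copies deleted"),
    ("destroy-backups", re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I),
     "event log cleared"),
    ("destroy-backups", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
     "Windows automatic repair disabled"),
]

def classify(event):
    """Return (stage, description) for the first rule matching the event, else None."""
    for stage, pattern, description in RULES:
        if pattern.search(event):
            return stage, description
    return None

def triage(events):
    """Group matching events by stage; hits in both stages are the chain the post describes."""
    hits = {}
    for line in events:
        match = classify(line)
        if match:
            hits.setdefault(match[0], []).append((line, match[1]))
    return hits

# Constructed sample events (not real telemetry); the driver paths are placeholders.
SAMPLE_EVENTS = [
    "ts=10:00:01 proc=explorer.exe cmd=notepad.exe C:\\notes.txt",
    "ts=10:00:05 driver_loaded=C:\\placeholder\\GDRV.SYS signed=true",
    "ts=10:00:06 driver_loaded=C:\\placeholder\\RBNL.SYS signed=false",
    "ts=10:00:09 proc=cmd.exe cmd=vssadmin.exe delete shadows /all /quiet",
    "ts=10:00:10 proc=cmd.exe cmd=wevtutil.exe cl System",
    "ts=10:00:11 proc=cmd.exe cmd=bcdedit /set {default} recoveryenabled no",
]

if __name__ == "__main__":
    for stage, items in triage(SAMPLE_EVENTS).items():
        print(stage)
        for line, description in items:
            print("  ", description, "<-", line)
```

In production the same rules would run over Sysmon driver-load and process-creation events; a single hit is noisy, but the two stages appearing back to back on one host is the sequence worth paging on.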
## Encrypt System Files
Encryption is the meat of a ransomware attack. By encrypting all of your files, the attackers ensure your computer is completely useless. The RobbinHood attackers used RSA-4096. This is unbreakable with current technology, so the only ways to get the data back are to pay up or to restore from a backup.

RobbinHood encrypts everything except these directories and files: `ProgramData`, `Windows`, `bootmgr`, `Boot`, `$WINDOWS.~BT`, `Windows.old`, `Temp`, `tmp`, `Program Files`, `Program Files (x86)`, `AppData`, `$Recycle.bin`, `System Volume Information`.

Why use RSA? RSA generates a key pair, a public key and a private key. Only the private key can decrypt what the public key encrypts, so the attackers can hang onto the private key and hand it to the victims once they pay up. If the attackers are smart, they will generate a new pair for every attack, so that one leaked private key cannot unlock every victim.
## Demand Money for the encryption key
What the attackers really want is your money. All the steps above exist to get to your wallet first and foremost: ransomware is designed to get the ransom. Often a message will appear on the screen with details on how to pay the attackers. If they have any sense, they will demand some sort of cryptocurrency like Bitcoin since it cannot be tracked.
## WORKS CITED
Arntz, Pieter, et al. “Threat Spotlight: RobbinHood Ransomware Takes the Driver's Seat.” Malwarebytes Labs, 21 Feb. 2020, blog.malwarebytes.com/threat-spotlight/2020/02/threat-spotlight-robbinhood-ransomware-takes-the-drivers-seat/.
Loman, Mark, and Andrew Brandt. "Living off Another Land: Ransomware Borrows Vulnerable Driver to Remove Security Software." Sophos News, 11 Feb. 2020, news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/.