# How Ransomware Works

At a high level, ransomware is exactly what it sounds like: someone takes your computer system hostage and demands a ransom. Usually the attackers "kidnap" your system by encrypting most of the files on it, which makes it next to useless. These attacks follow a simple pattern.

1. Infect a computer

2. Take control of that computer

3. Destroy backups

4. Encrypt system files

5. Demand money for the encryption key

These are the basic steps of a ransomware attack. Next we'll go through each one in more detail, using the RobbinHood ransomware as the running example.

## Infect a computer

Ransomware is software, so it must first get onto a computer before it can do anything to it. There are many ways that can happen: an executable sent as an email attachment, a download of a sketchy application, and pretty much any other conventional malware delivery method. RobbinHood has been seen using two of them: trojans and brute forcing Remote Desktop Protocol (RDP) logins (Arntz).

## Take control of that computer

Once the attackers have a foothold on your system, they take steps to control it, usually through some vulnerability. They need essentially full (administrator or kernel) access in order to disable the security controls that would stop them and then encrypt all the files. For example, if the user runs the trojan, it may turn off the security software on the computer without the user noticing. It could also set up a backdoor through which the attacker can connect to the computer later. One of the main tactics of the RobbinHood ransomware was to install a legitimately signed Gigabyte driver (Arntz). That driver has a known vulnerability that lets an attacker read and write arbitrary kernel memory, which is enough to take full control of the system. Windows would normally refuse to load an unsigned or unknown driver, but because this one was a genuine Gigabyte driver carrying a valid signature, it loaded successfully.

### A Deeper Dive (information paraphrased from [Loman](https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/))

RobbinHood's attack uses five main files: `STEEL.EXE`, `ROBNR.EXE`, `GDRV.SYS`, `RBNL.SYS`, and `PLIST.TXT`.

The first step of a ransomware attack is to infect a computer. The most common way for this to happen is through a trojan of some sort: software that pretends to be one thing, like a word processor, but is actually a malicious application that compromises your system. Trojans usually enter a system through sketchy downloads off the internet or bad attachments in emails. These are the most common, and most easily preventable, methods of infection; being careful online prevents most of them.

`STEEL.EXE` is the application that kills the processes, and deletes the files, of security products, using the kernel drivers to do it. `STEEL.EXE` runs `ROBNR.EXE`, which installs the malicious driver `RBNL.SYS`. After installation, `PLIST.TXT` is read and every application listed in it is killed and its associated files deleted.

While tricking users is the easiest way to infect a computer, attackers are also capable of fighting through security. They may look for services exposed on a network (RDP being the classic case) or abuse exploits in existing applications to install their malware. These attacks are prevented by keeping software up to date and following good network security practices.

`ROBNR.EXE` deploys the drivers. First it uses the vulnerability in the signed `GDRV.SYS` driver to load the unsigned `RBNL.SYS` driver; then it uses `RBNL.SYS` to attack the system. The `GDRV.SYS` vulnerability allows arbitrary kernel memory reads and writes, and with that the malware disables Driver Signature Enforcement. On Windows 10 the kernel variable that controls this lives in `CI.DLL` and is called `ci!g_CiOptions`. To find it, the malware loads `CI.DLL` into its own process as a data library (`LoadLibraryEx` with `DONT_RESOLVE_DLL_REFERENCES`), then asks where the kernel's copy of `CI.DLL` is: `NtQuerySystemInformation` with the `SystemModuleInformation` class returns the base addresses of all loaded kernel modules. From the module's export address table it resolves the exported `CiInitialize` function, and from there it steps through the code that `CiInitialize` calls until it finds the instruction that references `g_CiOptions`, which yields the variable's address. Because the user-mode copy and the kernel copy of `CI.DLL` have the same layout, an offset found in one applies to the other.

After infecting a computer, ransomware must get full control of the system if it really wants to hold your computer to ransom. Technically, software that *tries* to hold your computer to ransom by spamming pop-ups is also considered ransomware; this is called non-encrypting ransomware, and it can work without full control of the system. Encrypting ransomware, though, must have full control. To get it, the ransomware can disable the low-level security settings that make sure only signed programs and drivers run. It may also delete files that are core to the operating system's security, so that those services cannot be restarted and the damage persists after a reboot.

With Driver Signature Enforcement disabled, the attackers can install their malicious driver. That kernel driver is used to kill processes and delete files, even ones that are in use. It sends I/O request packets that clear the `ImageSectionObject` and `DataSectionObject` pointers of the file object, which tricks the file system into thinking the file is no longer mapped or in use, so the file can be deleted. Once every process and file on the kill list has been dealt with, encryption can begin.

Normally these settings cannot be changed by simple means or by standard users. The attackers get around this by exploiting vulnerabilities that give them kernel, root, or some other elevated privilege. Once privileges are escalated, the damage can begin.

Take a look here for more info: [Sophos article](https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/)

## Destroy Backups

Many ransomware attacks try to destroy local backups so that more victims are forced to pay. RobbinHood disconnects all network shares, deletes all volume shadow copies, clears the Windows event logs, and disables Windows automatic repair before it starts encrypting files (Arntz).

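Each of those steps leaves a process-creation record behind, and that is where defenders catch this stage. The block below is an added example (not code from the article or from RobbinHood): it classifies command lines the way a detection rule would, using the standard Windows tools ransomware abuses for each step. The sample command lines are constructed to resemble what Security event 4688 (with command-line auditing) or Sysmon event 1 would record.

```python
"""Flag the backup-destruction stage from process command lines.

Added example, not the article's or RobbinHood's code. The command lines
are constructed to look like what process-creation telemetry (Security
event 4688 with command-line auditing, or Sysmon event 1) records.
"""
import re

# One pattern per destructive step, matched case-insensitively against the
# full command line (tool name with or without .exe, then its arguments).
STAGE_PATTERNS = {
    "delete_shadow_copies": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
        r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "disable_auto_repair": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
        re.I),
    "delete_backup_catalog": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "clear_event_logs": re.compile(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b", re.I),
    "disconnect_shares": re.compile(r"\bnet(1)?(\.exe)?\s+use\b.*/delete\b", re.I),
}

# Constructed sample: the first seven are what a ransomware run looks like,
# the last two are routine administration that must not fire.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet',
    r'wmic shadowcopy delete',
    r'bcdedit /set {default} recoveryenabled No',
    r'bcdedit /set {default} bootstatuspolicy ignoreallfailures',
    r'wbadmin delete catalog -quiet',
    r'wevtutil.exe cl Security',
    r'net use * /delete /y',
    r'vssadmin list shadows',                                  # admin checking backups
    r'"C:\Program Files\Backup\agent.exe" --verify-shadows',   # benign, mentions shadows
]


def classify(cmdline):
    """Names of the destructive stages a single command line matches."""
    return sorted(name for name, rx in STAGE_PATTERNS.items() if rx.search(cmdline))


def assess_host(cmdlines, min_stages=2):
    """Distinct stages seen across a host's recent process creations, and
    whether the combination looks like ransomware preparing to encrypt.
    A lone `vssadmin delete shadows` already deserves an alert on most
    estates; two or more different stages together is close to unambiguous."""
    stages = sorted({s for c in cmdlines for s in classify(c)})
    return {"stages": stages, "suspicious": len(stages) >= min_stages}


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(classify(c) or "-", "<-", c)
    print(assess_host(SAMPLE_CMDLINES))
```

The regexes anchor on the tool name rather than on the word "shadows", which is why the backup agent's `--verify-shadows` and the read-only `vssadmin list shadows` stay quiet. In an investigation, `vssadmin list shadows` run by hand is also the quickest way to confirm whether this stage actually succeeded.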
## Encrypt System Files

Encryption is the meat of a ransomware attack. By encrypting all of your files, the attackers ensure your computer is completely useless to you. RobbinHood uses RSA-4096. Like most ransomware, it does not encrypt the files themselves with RSA: RSA can only encrypt a message shorter than its key and is far too slow for bulk data. Instead, each file is encrypted with a fast symmetric cipher such as AES under a freshly generated key, and that per-file key is encrypted with the attackers' 4096-bit RSA public key. A 4096-bit RSA key cannot be broken with current technology, so unless the implementation is flawed, the only way to get the data back is to obtain the private key (pay up) or restore from a backup.

Ransomware that means business will also destroy automatic backups and repair points and disconnect network backups. So unless you have backups of your backups, or offline backups, you are out of luck. Once the files are encrypted there is no way to get them back without the key, unless the attackers made an implementation mistake, which is how the free decryptors for some ransomware families came about.

RobbinHood encrypts everything except files under these directories: `ProgramData`, `Windows`, `bootmgr`, `Boot`, `$WINDOWS.~BT`, `Windows.old`, `Temp`, `tmp`, `Program Files`, `Program Files (x86)`, `AppData`, `$Recycle.bin`, `System Volume Information`.

This is the nail in the coffin of a ransomware attack. The ransomware goes through the computer encrypting every file it wants to, from just your puppy photos to basically the entire computer: whatever the attackers deem necessary to get the victim to pay.

Why use RSA? RSA has two keys, a public key and a private key. Anything encrypted with the public key can only be decrypted with the private key, so the malware only needs to carry the public key; the attackers keep the private key and hand it over when the victim pays. If the attackers are smart, they generate a new key pair for every victim, so that one released private key does not unlock everyone else's files.

The file keys are protected with RSA of some form. RSA is simple enough to implement and, at these key sizes, cannot be brute forced with current technology. Which means your files are mathematically in Alcatraz.

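To make the key handling described above concrete, here is an added example (not code from the article or from RobbinHood) of the hybrid scheme ransomware uses: a fresh symmetric key per file, the key wrapped under the attackers' RSA public key, and the exclusion list from the section above applied before a file is touched. Two substitutions are assumptions made so the block runs with the standard library alone: the RSA is deliberately tiny textbook RSA with no padding, and a SHA-256 keystream stands in for AES. Neither is fit for real use; the structure is the point.

```python
"""Hybrid file encryption as ransomware does it (added example, not the
article's or RobbinHood's code). Assumptions for illustration only:
256-bit textbook RSA without padding instead of 4096-bit RSA-OAEP, and a
SHA-256 keystream instead of AES."""
import hashlib
import secrets
from pathlib import PureWindowsPath

# Names the article says RobbinHood skips; NTFS paths are case-insensitive.
EXCLUDED = {name.lower() for name in (
    "ProgramData", "Windows", "bootmgr", "Boot", "$WINDOWS.~BT", "Windows.old",
    "Temp", "tmp", "Program Files", "Program Files (x86)", "AppData",
    "$Recycle.bin", "System Volume Information")}

KEY_LEN = 16  # per-file key: 128 bits, comfortably below the RSA modulus


def should_encrypt(path):
    """True unless some component of `path` (after the drive) is excluded."""
    return not any(p.lower() in EXCLUDED for p in PureWindowsPath(path).parts[1:])


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin, good enough to pick demo primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=256):
    """Textbook RSA: returns ((n, e), (n, d)). One pair per victim; the
    malware ships only (n, e). Real attacks use 2048- or 4096-bit n."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                 # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def wrap_key(file_key, public_key):
    """RSA-encrypt a per-file key. RSA can only encrypt an integer below n,
    which is one reason the files themselves are never RSA-encrypted."""
    n, e = public_key
    m = int.from_bytes(file_key, "big")
    if m >= n:
        raise ValueError("message must be smaller than the RSA modulus")
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")


def unwrap_key(wrapped, private_key):
    n, d = private_key
    m = pow(int.from_bytes(wrapped, "big"), d, n)
    if m >= 1 << (8 * KEY_LEN):
        raise ValueError("not a file key: wrong private key?")
    return m.to_bytes(KEY_LEN, "big")


def _keystream_xor(key, data):
    """XOR data with SHA-256(key || counter) blocks: a stand-in for AES-CTR,
    chosen only to avoid a dependency. Symmetric, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_file(plaintext, public_key):
    """Fresh random key per file; only the RSA-wrapped key is stored."""
    file_key = secrets.token_bytes(KEY_LEN)
    return wrap_key(file_key, public_key), _keystream_xor(file_key, plaintext)


def decrypt_file(wrapped, ciphertext, private_key):
    return _keystream_xor(unwrap_key(wrapped, private_key), ciphertext)
```

The shape explains the economics: the victim's machine holds every wrapped key but never the private key, so recovering one file's key by memory forensics does not help with the next file, and the attackers can sell the private key once per victim. It also shows why the exclusion list exists: skipping `Windows`, `Boot` and `bootmgr` keeps the machine bootable enough to display the ransom note.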
### Image Here

## Demand Money for the encryption key

What the attackers really want is your money; all the steps above exist to get to your wallet. Many times a message appears on the screen with details on how to pay. Attackers with any sense demand payment in a cryptocurrency such as Bitcoin, which needs no bank account and is much harder to tie to a person. Note that Bitcoin is pseudonymous, not anonymous: every payment is recorded on a public ledger, and ransom payments have been traced through it.


|
|
|
Last, but not least, is the extortion.

### Image Here

Just about all ransomware attacks demand money in exchange for the decryption key. Cryptocurrency payments like Bitcoin make the payoff pseudonymous, which makes the attackers harder (though not impossible) to trace. After receiving the money, a low-level attacker may or may not hand over the key, but the established groups do, because their reputation for delivering is what makes the next victim pay.

# RobbinHood as an Example

The RobbinHood ransomware is most famous for attacking the City of Baltimore. It infected most of the city's systems, and it took them weeks to fully return to normal operations.

RobbinHood is a classic example of encrypting ransomware, and it targets whole networks.

RobbinHood still has to infect computers just like any other malware. Its traditional method of infection is the trojan, but it has also been seen brute forcing RDP (Arntz). To brute force RDP, the attackers first scan for hosts with the RDP port (3389 by default) open, then guess usernames and passwords until they get a hit. After that they can begin to install their malware.

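Password guessing against RDP is noisy, which makes it one of the easier infection routes to catch. The block below is an added example (not code from the article or from RobbinHood) of the detection logic behind a brute-force alert, run over constructed failed-logon records shaped like Windows Security event 4625. The hosts, accounts and addresses are invented; the logon-type semantics are real: type 10 (RemoteInteractive) is what an RDP attempt produces, type 3 is an ordinary network logon.

```python
"""Detect RDP password guessing from failed-logon events.

Added example, not part of the article or of RobbinHood itself. The
records are constructed with the fields a Security event 4625 ("An
account failed to log on") exposes; addresses and accounts are invented.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10   # RemoteInteractive; 3 would be a plain network logon

# (timestamp, logon type, target account, source address)
SAMPLE_EVENTS = [
    ("2020-03-01T02:10:00", 10, "administrator", "203.0.113.7"),
    ("2020-03-01T02:10:01", 10, "admin", "203.0.113.7"),
    ("2020-03-01T02:10:02", 10, "backup", "203.0.113.7"),
    ("2020-03-01T02:10:03", 10, "sqlsvc", "203.0.113.7"),
    ("2020-03-01T02:10:04", 10, "jsmith", "203.0.113.7"),
    ("2020-03-01T02:10:05", 10, "helpdesk", "203.0.113.7"),
    ("2020-03-01T02:11:00", 10, "alice", "198.51.100.20"),       # one mistyped password
    ("2020-03-01T02:11:30", 3, "alice", "198.51.100.20"),        # SMB, not RDP
    ("2020-03-01T03:00:00", 10, "administrator", "203.0.113.7"),  # long after the burst
]


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Return {source_ip: (most RDP failures seen inside one window,
    distinct accounts tried in that window)} for every source that reached
    `threshold` failures within `window`. The distinct-account count tells
    password spraying (many accounts) apart from hammering one account."""
    recent = defaultdict(deque)   # source ip -> (time, account) inside the window
    alerts = {}
    for ts, logon_type, account, ip in sorted(events, key=lambda e: e[0]):
        if logon_type != RDP_LOGON_TYPE:
            continue
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((now, account))
        while now - q[0][0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            best = alerts.get(ip, (0, 0))
            if len(q) > best[0]:
                alerts[ip] = (len(q), len({a for _, a in q}))
    return alerts


if __name__ == "__main__":
    for ip, (failures, accounts) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {failures} RDP failures against {accounts} accounts")
```

Six failures across six different accounts in as many seconds from one address is the signature of a wordlist, not a forgetful user, and the single failure from `198.51.100.20` stays below the threshold. The same logic ports to a SIEM query; the hardening side is to keep RDP off the internet (VPN or gateway with MFA), require Network Level Authentication, and set an account lockout policy so the guessing stops paying off.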
If they brute forced RDP as an administrator, they need no further permissions to move on; if they came in through a trojan or as a normal user, they have a plan.

In order to escalate its privileges, RobbinHood brings along its own vulnerability. It installs a legitimately signed Gigabyte driver (`GDRV.SYS`) that lets a user-mode program read and write arbitrary kernel memory (`CVE-2018-19320`).

`ROBNR.EXE` is the file that installs this driver and the next one. Once `GDRV.SYS` is installed, they exploit it to turn off Windows Driver Signature Enforcement by editing the kernel in memory: they locate a known exported function (`CiInitialize`) and step through its code to pinpoint `ci!g_CiOptions`, then overwrite that variable. After that any driver can be loaded onto the system, signed or not. For example, RobbinHood also brings its own malicious driver, `RBNL.SYS`.

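The export-table lookup that both the deeper dive and the paragraph above rely on is ordinary PE parsing, and it is worth seeing once. The block below is an added example (not code from the article or from RobbinHood): it builds a minimal PE32+ image in memory with a constructed export table, walks that table the way a loader (or the malware) does, and adds the resulting RVA to a kernel module base. The export names' RVAs and the kernel base address are invented for the demo; in the real attack the base comes from `NtQuerySystemInformation(SystemModuleInformation)`, which only exists on Windows. The PE field layouts are the real ones from the PE/COFF specification, and the image works for the user-mode copy and the kernel copy alike because RVAs are offsets from the module base in both.

```python
"""Resolve a kernel export: walk a PE export table, add the RVA to the
module base. Added example, not the article's or RobbinHood's code; the
image is constructed, and FAKE_CI_BASE / FAKE_EXPORTS are invented."""
import struct

FAKE_CI_BASE = 0xFFFFF8001A2B0000                                      # invented
FAKE_EXPORTS = {"CiInitialize": 0x1000, "CiValidateFileObject": 0x1234}  # invented RVAs


def build_fake_image(exports=FAKE_EXPORTS):
    """Construct a minimal PE32+ image with an export directory. It has no
    sections, so RVAs equal buffer offsets, as for a module mapped in memory."""
    img = bytearray(0x400)
    pe, exp = 0x80, 0x200
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe)                 # e_lfanew
    img[pe:pe + 4] = b"PE\0\0"
    # COFF header: x64, 0 sections, 240-byte PE32+ optional header, DLL flags
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x20B)               # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112, exp, 0x100)   # data directory 0: exports
    # IMAGE_EXPORT_DIRECTORY, then the three parallel tables, then the strings
    names = sorted(exports)                               # real name tables are sorted
    n = len(names)
    funcs, name_ptrs, ords = exp + 40, exp + 40 + 4 * n, exp + 40 + 8 * n
    str_off = ords + 2 * n
    for i, name in enumerate(names):
        struct.pack_into("<I", img, funcs + 4 * i, exports[name])
        struct.pack_into("<I", img, name_ptrs + 4 * i, str_off)
        struct.pack_into("<H", img, ords + 2 * i, i)      # name ordinal = index into funcs
        img[str_off:str_off + len(name) + 1] = name.encode() + b"\0"
        str_off += len(name) + 1
    struct.pack_into("<IIHHIIIIIII", img, exp,
                     0, 0, 0, 0, 0, 1, n, n, funcs, name_ptrs, ords)
    return bytes(img)


def _cstr(img, off):
    return img[off:img.index(b"\0", off)].decode()


def export_rvas(img):
    """Walk the export directory of an in-memory image; return {name: rva}."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[:2] != b"MZ" or img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24
    magic = struct.unpack_from("<H", img, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)          # PE32+ vs PE32 data directories
    exp, _size = struct.unpack_from("<II", img, dirs)
    if exp == 0:
        return {}
    (_, _, _, _, _, _base, n_funcs, n_names,
     funcs, name_ptrs, ords) = struct.unpack_from("<IIHHIIIIIII", img, exp)
    result = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", img, name_ptrs + 4 * i)[0]
        idx = struct.unpack_from("<H", img, ords + 2 * i)[0]
        if idx >= n_funcs:
            raise ValueError("corrupt export table")
        result[_cstr(img, name_rva)] = struct.unpack_from("<I", img, funcs + 4 * idx)[0]
    return result


def resolve_kernel_export(img, kernel_base, name):
    """Kernel address = module base (from SystemModuleInformation in the real
    attack) + the export's RVA read from a user-mode copy of the same image."""
    return kernel_base + export_rvas(img)[name]


if __name__ == "__main__":
    image = build_fake_image()
    print(hex(resolve_kernel_export(image, FAKE_CI_BASE, "CiInitialize")))
```

What the block does not show is the last step: from the resolved address of `CiInitialize` the malware disassembles forward, following the call into the routine that initialises `g_CiOptions`, and reads the displacement of the instruction that writes it. That part is instruction-set specific and changes between Windows builds, which is why this family of attacks carries its own pattern search rather than a fixed offset.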
`RBNL.SYS` has a very important job. It kills the processes and deletes the files that would normally protect against tampering, working in tandem with `STEEL.EXE` to keep those applications and files from restarting or reappearing. It also cuts off the computer's ability to connect to the internet.

All of these attack files are embedded in `STEEL.EXE` and extracted to `C:\WINDOWS\TEMP` (Loman).

Now that all the security is down, it's time for RobbinHood to encrypt. It encrypts all files except those under the following directories: `ProgramData`, `Windows`, `bootmgr`, `Boot`, `$WINDOWS.~BT`, `Windows.old`, `Temp`, `tmp`, `Program Files`, `Program Files (x86)`, `AppData`, `$Recycle.bin`, and `System Volume Information`. This renders the computer completely useless, but not destroyed: it still boots, so the victim can read the ransom note.

From here the user would see a ransom note the next time they logged in. Here is an example.


|
|
|
|
|
|
Hopefully you had a backup; otherwise, pay the ransom.