Ransomware Demystified

Robert Gonzalez
14 min read, May 23, 2021

or

You are not serious about cybersecurity and you got what was coming to you.

or

How to fool people and keep your job

Part One:

This is not an overly technical article. I believe that would be inappropriate as I want the reader to understand the current predicament in its most holistic way.

The past few months have been hectic and filled with an interesting parade of anomalies so it has been difficult to budget time appropriately so that my digital travels can be documented properly. For this I lament. It is due to this process of lamenting that I have been compelled to comment on what is in my opinion the continuous egregious portrayal of cybersecurity in the course of current events. I speak to you of course of ransomware and most recently the incidents involving the Baltimore and Washington DC Police Department as well as Colonial Pipeline.

Before we begin, for those who have never come across any of my rantings, it would be appropriate to provide some context. Usually, we take malware and provide an in-depth analysis. This diatribe is going to be a little different. The first part is simply a condemnation of society and all elements from within, which not only perpetrate the absurdity of what cybersecurity has become but continue to make people believe that it is acceptable. Remember, these are the same people that claim there is a shortage of talent. What is discussed here must be said; even as one lone voice, perhaps if we scream loud enough we can be heard. Following my ramblings there will be some technical observations and a discussion of the ransomware issue whose arthritic hand has gripped the fragile throat of the world.

The state of cybersecurity is abysmal and continues down that dysfunctional spiral which leads to the multiple circles of the inferno. Both corporate America and most governments have given their citizens the belief that this is okay and must be accepted. As a collective we are led to believe that “Big Tech” must not be trusted but everything else is okay. Facebook and Google are evil, but the courts sharing your information with third parties is acceptable. I must view Apple as demonic, but if an app loses my credentials and credit card information, I must look the other way. If my car is stolen, the police will tell me who stole it and where they found it. If an app that is storing all my information, or an office, loses my information, all I am told is that there was a breach; I am told nothing of the breach, what happened and, more importantly, where the information went. If I am lucky, I am told it is on the “dark web”, but I will not be told where. For that you need to look for someone like me to go look for it. That is absurd.

Recently one of my accounts fell victim to the Park Mobile app breach. Now despite what is said about Google, Apple, or Amazon, I would never give an app my credit card information. I link this to Apple Pay, Google Pay, or Amazon, where my account has two factor authentication using an authenticator app. If I was foolish enough to use an active email address with my credit card number I would be in a horrible situation, because not only do I have to worry about my card being used, but I also have to worry about identity theft on a more amplified level. It is advisable when setting up subscriptions online to use an email address dedicated to that purpose and to use a payment provider such as PayPal, Apple Pay, Google Pay, or Amazon Pay. Do I trust those providers? Most definitely not, but I know the one thing I can do is have one central area to control those subscriptions, and if something is not right I will not have to call the bank for a new card.

As an individual you can navigate around Google, Apple, and Amazon and control the narrative, as you can make them accountable to you; you just have to know how.

What you cannot make accountable is a governmental institution, or a corporation that is protected when they lose your personal and financial data. Worse it seems that many states can just give it to third parties upon request. I am not afraid of Google, Amazon, or Apple because I can control the narrative and so can you. What bothers me is something like the following:

a) A dental office allows my patient data including payment information to be compromised and the only thing I am told is that it's out there, but we will give you free credit monitoring for six months.

b) Many moons ago when I went to the courthouse with my wife to get our marriage license, we viewed this as a happy day. After the marriage we received correspondence from two attorneys stating that it’s important to make sure that our immigration status is kept up to date and they can represent us because failure to do so would result in deportation. This is amusing as I am a citizen of the United States who was born here, and my wife is a naturalized citizen. Apparently as our names would be deemed ethnic the data was shared, there was no permissions prompt for me to click “you can share this.”

c) An app used for parking suffers a breach and does not tell you it has, nor does it offer guidance. Username, car information, and credit card information are all compromised and it does not seem to bother them.

I can go on, but I trust that you get the point, which now brings us to the issue of ransomware. We will dispense with the standard introduction of defining what ransomware is; if you are here, you already know. However, if you are not one whose face and soul is filthy from the dirt in the proverbial cyber trenches, what you may not know is that ransomware is not the threat it is made out to be and is completely avoidable. In fact, Trojans are more of a threat than ransomware.

The common consensus on the statement that ransomware is completely avoidable is that this cannot be true, because if police and large corporations can be tricked, the trickster must be some evil genius and there is nothing anyone can do. Well, this is not only foolish but ridiculous. Further, if you accept this statement, that means you also believe that those who maintain the infrastructure could never have seen this coming. There is an analogy I like to use. If you hire a plumber, and that plumber floods your house through incompetence, chances are that plumber will have a hard time finding work. There are two professions in which I know this truth does not hold: lawyers and high-level corporate cybersecurity.

There is no genius in ransomware, there is no grand plan. So how did this happen? It is politically incorrect to say but we are going to say it anyway. They were stupid and lax. In fact, Colonial lost 100 gigs of data before the main attack within two hours. How no one saw that is mind numbing. The Baltimore PD does not like keeping their infrastructure up to date but will have no problem hauling you in for the most minute offense. This is unacceptable.

When guarding your infrastructure, the following things need to be adhered to, there is no deviation from this — it simply must be followed:

a) Do not treat cybersecurity as an after-thought. Data is currency. Start taking things seriously.

b) All computers including air-gapped computers must be patched and updated, including virus signatures. If they are air gapped, you must schedule the time for upgrades and do so manually only using updates downloaded from the operating system repository and they must be checked. If your computers are networked your life is easier because you can enable auto updates. Your browser needs to be updated as well.

c) Two levels of malware protection are needed. Windows Defender is fine for a base but add on top of this Malwarebytes for Business or whatever package you may prefer so long as you keep the program updated.

d) Limit admin rights on a workstation. People should not be logging into workgroups; each workstation should be set up with appropriate permissions and your users should not have broad permissions.

e) Make sure that your SIEM or Intrusion detection system is up to date. If you do not know what that means email me and I will tell you because if you are a business, you need to get one.

f) If you are a Microsoft 365 shop, make sure you are using OneDrive Ransomware protection. Also Azure Sentinel can be setup for a retention time of 7 days and it is free. Use it, while you’re at it make sure if you have an E5 license and you are watching what goes on in Microsoft 365 Security and Compliance.

g) Watch your backups like you watch your bank account, make sure they are safe and test them.

h) Set up alerts. Your business follows a set of prescribed norms, and your alerts will show you if someone is deviating.

i) If you’re going to decide to run your own mail server because you do not trust hosted providers, then you must accept the responsibility that comes with that.

j) Start logging DNS activity. Security Onion is free, and storage is cheap. For large corps if they were logging DNS they would have caught SolarWinds. There is no excuse.

k) If you're running critical systems, only install on the computer what you need; in fact, if you're in the corporate space, you should only have what you need on the computer.

These are the pillars of good security, it is not hard, it simply requires diligence and a level of discipline and a dismissal of the dysfunctional conventions that you are told that you need to practice.

The problem that we encounter, and it is mind numbing that this occurs, is that corporations and the very people who are placed there to guard the infrastructure have no type of practical knowledge or understanding of application. They simply follow the same tired playbook to its absurd psychotic conclusion. Why? There is no accountability, and data is not viewed as the same currency as a physical asset, yet it ends up being treated that way when the ransom has to be paid or someone stole your information. Until the mindset changes this will happen again and again — cybersecurity is truly in a sorry state.

Now that you the reader understand the calamity of what is involved, it is important we go over some basic tenets of what ransomware does. It's not too technical, so just follow me.

Part Two:

For our analysis we looked at two variants, Babuk and Crysis, and for Babuk we delved deeper into the code in Ghidra. I use any.run for volatile malware testing. I deem volatile anything that I have a high belief would be highly problematic to recover from if it got out. While I have no respect for ransomware developers, I respect the potency of the carnage it causes. The malware will not just run on the machine; once it finishes enumerating all processes and encrypting documents, it will move onto the network, and if you have a Windows network with any open shares (way too many people do) then it will hit those shares and other machines. Hence, I prefer a more controlled venue for my ransomware testing, and any.run serves this purpose very well.

It is important to remember that with any malware there is no secret weapon. Like any malicious entity, it has to get in first, and for the most part, with some very rare exceptions, you (the user) have to click or agree to something. That will always be the first event, because an action needs to occur before the malware is activated. If you do not click, if you do not activate the malware, it's not going to run (for the most part).

Remember, ransomware encrypts all your files, how does it do that? When the malware is activated, it needs to find the files, it must run a program to do this. For this purpose, on a Windows computer, the Volume Shadow Services is activated, and a process called enumeration begins.

The Volume Shadow Services will almost always be invoked from the command line after the malware has been activated. Keep in mind that you will not see this happen: a command shell which is not visible to the user is launched:

```
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
```

The Volume Shadow Services allows backup applications to back up locked and open files. Both the backup application and the software application must be VSS-aware to utilize VSS to back up open or locked files, which would include all documents stored on your computer. That command is deleting all the shadow copies (the local backup snapshots) that Windows stores on your computer.

For the Babuk strain of ransomware, the developers are very brazen. Most of the time malware authors will obfuscate their code to prevent reverse-engineering. This is not the case, as noted below:

Crysis is another type of ransomware, otherwise known as Dharma. There are several technical differences in the code as well as in the manner of distribution, but at the end of the day it all must do the same thing. Like Babuk, this was executed in the any.run sandbox:

The interesting thing that can be noted here is that the sandbox does not flag vssadmin deleting the shadow copies stored on the OS as a bad thing, and technically it's not. The problem here is that the malware called it, so a process that should never have run with those permissions made the call to do this, and that is where one of the problems lies. Why are your users allowed to run a process that would do such a thing? Permissions need to be constructed carefully; anything less than that is just an excuse. If it's a workstation that is shared, as is done in far too many places, the fault lies with the admins who allow such recklessness, as each person using that computer should have a login which only allows them to do what is needed and nothing more.
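Since the sandbox does not treat the vssadmin call as bad, the alert has to come from your own telemetry (the "set up alerts" pillar from Part One). The following is an added example, not code from the original article: it scans constructed process-creation events shaped like Sysmon Event ID 1 / Windows 4688 and flags shadow-copy deletion, rating each hit by whether the parent process is a trusted backup tool. The field names, file paths, user names and the backup-agent allowlist are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events shaped like Sysmon Event ID 1 / Windows 4688.
# Field names, paths and user names are assumptions for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # the exact shape seen in the sandbox: cmd.exe /c wrapping vssadmin
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet',
        "ParentImage": r"C:\Users\alice\Downloads\invoice.exe",
        "User": r"CORP\alice",
    },
    {   # benign: listing shadow copies is not deletion
        "Image": r"C:\Windows\System32\vssadmin.exe",
        "CommandLine": r"vssadmin.exe list shadows",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\backupsvc",
    },
    {   # expected: a known backup agent pruning old copies
        "Image": r"C:\Windows\System32\vssadmin.exe",
        "CommandLine": r"vssadmin.exe Delete Shadows /For=C: /Oldest",
        "ParentImage": r"C:\Program Files\BackupAgent\agent.exe",
        "User": r"NT AUTHORITY\SYSTEM",
    },
]

# Matches "vssadmin delete shadows" whether called directly or via "cmd.exe /c".
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

# Hypothetical allowlist: parent images that legitimately manage shadow copies.
TRUSTED_PARENTS = {r"c:\program files\backupagent\agent.exe"}


@dataclass
class Finding:
    severity: str   # "high" for an unexpected parent, "info" for a trusted one
    user: str
    parent: str
    command: str


def classify(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if the event deletes shadow copies, else None."""
    command = event.get("CommandLine", "")
    if not SHADOW_DELETE.search(command):
        return None
    parent = event.get("ParentImage", "")
    severity = "info" if parent.lower() in TRUSTED_PARENTS else "high"
    return Finding(severity, event.get("User", "?"), parent, command)


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    """Run every event through classify and keep the hits, in log order."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.user} via {finding.parent}: {finding.command}")
```

The same classifier can be pointed at exported Sysmon or Security log events once the field names are mapped; the first sample event (an unknown executable in a user's Downloads folder spawning the deletion) is the case the article's sandbox run silently let through.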

In the case of Babuk, there is a list of processes that are terminated; if any of the below are found to be running they will be closed. Ransomware needs to do this because your attention is paramount. As noted from the code, behold the list below:

Below is the decompiled code, using CreateToolhelp32Snapshot, Process32FirstW, and Process32NextW, that the ransomware uses to search for and terminate those processes.

```c
{
  HANDLE hObject;
  int iVar1;
  HANDLE hProcess;
  undefined extraout_DL;
  uint local_238;
  undefined4 local_234 [2];
  DWORD local_22c;
  WCHAR local_210 [260];
  uint local_8;

  local_8 = DAT_004081b0 ^ (uint)&stack0xfffffffc;      /* stack cookie */
  /* snapshot of every running process (TH32CS_SNAPALL = 0xf) */
  hObject = (HANDLE)CreateToolhelp32Snapshot(0xf,0);
  local_234[0] = 0x22c;                                 /* PROCESSENTRY32W.dwSize */
  iVar1 = Process32FirstW(hObject,local_234);
  do {
    if (iVar1 == 0) {                                   /* no more entries */
      CloseHandle(hObject);
      FUN_004071ec(local_8 ^ (uint)&stack0xfffffffc,extraout_DL,(char)iVar1);
      return;
    }
    local_238 = 0;
    /* compare this entry's szExeFile (local_210) against the 31-name list */
    while (local_238 < 0x1f) {
      iVar1 = lstrcmpW((LPCWSTR)(&PTR_u_sql.exe_004080b0)[local_238],local_210);
      if (iVar1 == 0) {
        hProcess = OpenProcess(1,0,local_22c);          /* PROCESS_TERMINATE on th32ProcessID */
        if (hProcess != (HANDLE)0x0) {
          TerminateProcess(hProcess,9);
          CloseHandle(hProcess);
        }
        break;
      }
      local_238 = local_238 + 1;
    }
    iVar1 = Process32NextW(hObject,local_234);
  } while( true );
}
```

Dropped files are a result of an application having permissions to do things that only an admin should be able to do; in the case of ransomware, it wants you to reach out.

Notice the string there: this is the Babuk Onion site. The URL is not live, we checked. In fact, when we tried just the onion address without the login page we got nothing either; perhaps they will come back later. This file was dropped by the executable, and we can find the ransom note hardcoded in the executable:

```c
LAB_004047db:
    BVar2 = FindNextFileW(hFindFile,(LPWIN32_FIND_DATAW)&local_25c);
  } while (BVar2 != 0);
  FindClose(hFindFile);
  /* build "<directory>\How To Restore Your Files.txt" and write the note into it */
  lstrcpyW(lpString1,param_1);
  lstrcatW(lpString1,L"\\How To Restore Your Files.txt");
  in_stack_fffffd90 =
       CreateFileW(lpString1,0x40000000,1,(LPSECURITY_ATTRIBUTES)0x0,1,0,(HANDLE)0x0);  /* GENERIC_WRITE, CREATE_NEW */
  if (in_stack_fffffd90 != (HANDLE)0xffffffff) {      /* INVALID_HANDLE_VALUE */
    WriteFile(in_stack_fffffd90,
              " — — — — — — [ Hello! ] — — — — — — ->\r\n\r\n ****BY BABUK LOCKER****\r\n\r\nWhat happend?\r\n — — — — — — — — — — — — — — — — — — — — — — — \r\nYour computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data.\r\nBut you can restore everything by purchasing a special program from us — a universal decoder. This program will restore your entire network.\r\nFollow our instructions below and you will recover all your data.\r\nIf you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web.\r\n\r\nWhat guarantees?\r\n — — — — — — — — — — — — — — — — — — — — — — — \r\nWe value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.\r\nAll our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.\r\nWe guarantee to decrypt one file for free. Go to the site and contact us.\r\n\r\nHow to contact us? \r\n — — — — — — — — — — — — — — — — — — — — — — — \r\nUsing TOR Browser ( https://www.torproject.org/download/ ):\r\nhttp://babukq4e2p4wu4iq.onion/login.php?id=8M60J4vCbbkKgM6QnA07E9qpkn0Qk7\r\n\r\n!!! DANGER !!!\r\nDO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n!!! DANGER !!"
              ,0x558,&local_c,(LPOVERLAPPED)0x0);     /* 0x558 bytes of note text */
    CloseHandle(in_stack_fffffd90);
  }
}
```

Crysis is a bit more elaborate in what it drops from the executable. Unfortunately it crashed in our sandbox after encrypting the operating system, which is alarming as it speaks to the coding skills of the developer. However, we do see an interesting drop that tells us a bit about the architecture in which this thing was built:

Tutanota is a secure encrypted email service; I have never analyzed it, so I know little of it. JMX stands for Java Management Extensions. The jmxremote.access agent acts as a management entity that runs in the Java virtual machine, which many people have installed on their workstations. Now with this bit of knowledge you can surmise, given that the word remote is in the agent name, that this is being controlled from somewhere, and in that we have an ominous tone. From the Oracle documentation:

Remote Monitoring and Management

To enable monitoring and management from remote systems, you must set the following system property when you start the Java VM.

com.sun.management.jmxremote.port=portNum

In the property above, portNum is the port number through which you want to enable JMX RMI connections. Be sure to specify an unused port number. In addition to publishing an RMI connector for local access, setting this property publishes an additional RMI connector in a private read-only registry at the specified port using a well known name, “jmxrmi”.

Note — You must set the above system property in addition to any properties you might set for security.

Remote monitoring and management requires security to ensure that unauthorized persons cannot control or monitor your application. Password authentication over the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) is enabled by default. You can disable password authentication and SSL separately, as described in the next sections.

The ransomware which the user gave permission to run will do this for you.

Now I can go on, but that would defeat the purpose and cause you the reader to have great disdain for me, which I do not want. What I do hope you come away with from this little soliloquy is that all this sensationalist news is just that: sensationalism that is built upon the ignorance and ego of people with lots of titles and abbreviations that work for companies without a lot of money and no common sense, or governmental entities that do not know the difference between cybersecurity and a rabid Tasmanian devil with bright red eyes that quotes Voltaire.

It need not be, nor should it. It can be changed, by you the user, one step at a time.

In case you're interested, you can see both strains in action

Here (Babuk) and here (Crysis)
