Detecting Ransomware: The Same as Detecting Any Kind of Malware?

Ransomware burst onto the scene with high profile attacks against hospitals, law firms and other organizations.  What is it and how can you detect it?

Ransomware uses the same methods to initially infect an endpoint such as drive-by-downloads, phishing emails, etc.  Then it generates necessary encryption keys, communicates with command and control servers and gets down to business encrypting every file on the compromised endpoint. Once that’s done it displays the ransom message and waits for the user to enter an unlock code purchased from the criminals.  So at the initial stages of attack, trying to detect ransomware is like any other end-point based malware.  You look for new EXEs and DLLs and other executable content-like scripts.  For this level of detection check out my earlier webinars with EventTracker:

• 6 Steps to Determine if an Unknown Program is Safe or Malicious
• 5 Indicators of Evil on Windows Hosts using Endpoint Threat Detection and Response

As criminals begin to move from consumer attacks to targeting the enterprise, we are going to see more lateral movement between systems as the attackers try to either encrypt enough endpoints or work their way across the network to one or more critical servers.  In either case their attacks will take a little longer before they pull the trigger and display the ransom message because they need to encrypt enough end-user endpoints or at least one critical server to bring the organization to its knees.  These attacks begin to look similar to a persistent data theft (aka APT) attack.

Detecting lateral movement requires watching for unusual connections between systems that typically don’t communicate with each other.  You also want to watch for user accounts attempting to logon to systems they normally never access.  Pass-the-Hash indicators tie in closely with later movement and that one of the things discussed in “Spotting the Adversary with Windows Event Log Monitoring: An Analysis of NSA Guidance”.

So much of monitoring for ransomware is covered by the monitoring you do for any kind of malware as well as persistent data theft attacks.  But what is different about ransomware?

1. Detonation: The actually detonation of ransomware (file encryption) is a very loud and bright signal. There’s no way to miss it if you are watching.
2. Speed: Enterprise ransomware attacks can potentially proceed much faster than data theft attacks.

Detonation

When ransomware begins encrypting files, it’s going to generate a massive amount of file i/o – both read and write.  It has to read every file and write every file back out in encrypted format.  The write activity may occur on the same file if directly being re-written, the ransomware can delete the original file after writing out an encrypted copy.  In addition, if you watch which files ransomware is opening you’ll see every file in each folder being opened one file after another for at least read access.  You will also see that read activity in bytes should be matched by write activity.

Of course there are potential ways ransomware could cloak this activity by either going low and slow, encrypting files over many days or by scattering its file access between many different folders instead of following an orderly process of all files in one folder after another.  But I think it will a long time before enough attacks are getting foiled by such detection techniques that the attackers go to this extra effort.

How prone to false positives is this tactic?  Well, what other legitimate applications have a similar file i/o signature? Backup and indexing programs would have a nearly identical file read signature but would lack the equal amount of write activity.

The downside to ransomware detonation monitoring is that detection means a ransomware attack is well underway.  This is late stage notification.

Speed

Ransomware attacks against an enterprise may proceed much faster than persistent data theft attacks because data thieves have to find and gain access to the data that is not just confidential but also re-saleable or otherwise valuable to the attacker.  That may take months.  On the other hand, ransomware criminals just need to do either of the following:

1. Lockdown at least one critical server – without which the organization can’t function. The server doesn’t necessarily need any confidential data nor need it be re-saleable.  On a typical network there’s many more such critical servers than there are servers with data that’s valuable to the bad guy for re-sale or other exploitation.
2. Forget servers and just spread to as many end-user endpoints as possible. If you encrypt enough endpoints and render them useless you can ransom the organization without compromising and servers at all.  Endpoints are typically much easier to compromise because of their intimate exposure and processing of untrusted content and usage by less security savvy end-users among other reasons.

So beefing up your ransomware monitoring means continue with what you are (hopefully) already doing: monitoring for indicators of any type of malware on your network and watching for signs of lateral movement between systems.  But for ransomware you can also possibly detect late stage ransomware attacks by watching for signature file i/o by unusual processes.  So you need to be fast in responding.

And that’s the other way that ransomware differentiates itself from data theft attacks: the need for speed.  Ransomware attacks can potentially reach detonation much faster than data thieves can find, gain access and exfiltrate data worth stealing.  So, while the indicators of compromise might be the same for most of a ransomware or persistent data theft attack, reducing your time-to-response is even more important with ransomware.