21

Question

After reading about how basic ransomware targets and encrypts your files, I was wondering if it would be plausible to write your own script to try to detect such activities.

Initial Research Effort

I have looked at different ideas people had previously on this site:

I know of one tool that already advertises to do something like this, but I would assume the attackers already took note of that tool and will try to circumvent it. Maybe they also would just assume that the average user won't actually install this sort of thing and the < 10% that did are irrelevant to the attackers.

Assumptions

In either case, from my understanding (and please correct me where I am wrong) the most widely spread crypto-ransomware actually:

  • runs with user privileges
  • accesses a limited set of the user's files (defined by file extension)
  • creates many new files under a new name (either new extension or completely encrypted)
  • deletes the original files properly (I assume they would overwrite the original memory to avoid people just using a simple file restore tool?)

Back to a more specific Question

Under these considerations, it appears entirely plausible for me to write a script that can monitor my most important files and locations. And to make my question more specific:

Is it true that many widespread crypto-ransomware (e.g. TeslaCrypt) work under those given assumptions (above)? And if there are actually more elusive tactics employed, would they easily avoid detection if my own monitoring script relies on standard file-access monitoring?


Side notes in regard to what I would assume the anti-crypto tool would be doing:

The tool could even be combined with a honeypot approach to get immediate alerts and kill processes that try to change anything in a specific set of files that look like normal personal documents.

I am aware that the recommendation is not to write your own crypto software, but I am looking for advice if you would encourage people to write anti-ransomware software to at least try to create another layer of security.

I am also aware that backups are more important in this case. I am not thinking of replacing backups with my own homegrown script and I am also aware that testing will be difficult.

The question is more directed at why there are not already more anti-crypto-ransomware tools, given that their approach could actually be detected with some basic file-monitoring. Maybe my assumption is wrong in this and I would love to hear from you why that is.

Chris
  • 8
    Why aren't there more tools? Because most people don't care until it hits them. – SEJPM Mar 24 '16 at 10:24
  • 1
    Bitdefender Internet Security 2016 offers exactly that (optionally) - monitoring files and detecting changes to them. It doesn't matter if the ransomware developers know that this exists, there's no way around this monitoring. – James Cameron Mar 24 '16 at 10:50
  • What I meant was - why aren't there more open-source home made solutions, but maybe it's just not as trivial as I imagine. – Chris Mar 24 '16 at 10:57
  • 8
    One problem is that by the time the ransomware trips your alarm by encrypting a file that's being monitored, it may already have encrypted lots of your important files. – Simon B Mar 24 '16 at 11:26
  • Sure, but if that happens at 10%, I may be able to avoid the majority of the damage and recover the already encrypted files from backup. – Chris Mar 24 '16 at 11:50
  • 10
    There is amazingly good protection called backup software/utilities? A good backup routine is most often the best defense against ransomware? I've fixed a computer recently with a backup hard drive, DVD and in less than 40 minutes. With minuscule losses. – Simply G. Mar 24 '16 at 15:28
  • 1
    @SimplyG. +1 Just do backups across multiple devices (cloud software does that for you). If one gets infected recovery is a matter of delete, copy and paste. – marstato Mar 24 '16 at 16:55
  • @marstato It won't take long until ransomware detects files in the cloud too, and your backups are also wrecked. – ott-- Mar 24 '16 at 17:47
  • 1
    My backups are wrecked the moment one of the devices overwrites the original files with the corrupted ones. I configure my devices to keep a versioning history and keep at least one offline at any given time. – marstato Mar 24 '16 at 18:35
  • @JamesCameron No way around this monitoring? A rather trivial case comes to mind immediately: the malware could simply kill the process involved. How does it counter that? – Mason Wheeler Mar 24 '16 at 19:04
  • It's actually a yes or no question - I know it's not very technical, but is this site only for technical questions? I see plenty of "I need advice if this or that is a good idea" questions. I thought a lot about how to word the actual question and I am asking like you would ask a consultant - is it even plausible to do this, before people start wasting time trying to do something that is generally not recommended. – Chris Mar 25 '16 at 00:39
  • Your description of malicious behavior from ransomware also describes perfectly legitimate applications, like Word. When you save a document it writes high-entropy data to a new name, deletes the old one, and renames the new one. Good luck with the false positives. – nobody Mar 25 '16 at 03:28
  • 1
    I'm not sure why this is on hold. 19 upvotes, and he does have a specific question - it's the title of the question. I do think the body requires a bit more editing to stick to the spirit of the title question, but definitely shouldn't be closed. –  Mar 25 '16 at 05:43
  • @AndrewMedico yes, but Word does this with a VERY limited set of files (unless you are referring to some system files?) And it would be trivial to white-list an application like Word, so I don't see the problem. – Chris Mar 25 '16 at 06:24
  • From my understanding the ransomware will encrypt as many files as possible - evidently Word or any other application doesn't edit a large number of files in this fashion, but maybe the ransomware just encrypts everything in a likely unmonitored location on the hard-drive and then tries to delete all files at once, instead of some incremental approach - or - maybe they do a lot in memory - that's why I tried to make that part of my question more clear - to find out if my assumptions are too simplistic. – Chris Mar 25 '16 at 06:33
  • @TechnikEmpire - yes, I shouldn't divert from the original question - it's a bad habit ... – Chris Mar 25 '16 at 06:40
  • @Chris If you can whitelist effectively, why not just stop there? The ransomware won't be on the whitelist, so it won't be able to run. – nobody Mar 25 '16 at 13:09
  • @AndrewMedico you mean simply have a global white list of all applications that can run? Well I don't think this is suitable. What if the malware runs as a python script? I do want to use Python - so I would have to include it on the white list... I guess you see the problem. – Chris Mar 25 '16 at 21:49

3 Answers

21

Why are there not already more anti-crypto-ransomware tools?

Because there are. They are called virus scanners and they should have heuristic algorithms to detect this behavior. Unfortunately the ransomware-developers are smart enough to test their creations against all commonly used virus scanners and make sure they circumvent their heuristics somehow.

And before you start writing your own solution hoping it is somehow not covered by all the evasion tactics used by this kind of malware, setting up a backup solution is usually far easier and protects you from far more problems than just ransomware.

Philipp
  • 4
    It just seems implausible from the reports I have seen that they cannot be detected. As I already said - this isn't about avoiding backups, but an additional layer ... – Chris Mar 24 '16 at 10:59
  • 2
    @Chris sites like [VirusTotal](https://www.virustotal.com/) in addition to the legitimate benefit of letting suspicious users ask "Is this safe" allow malware authors to keep iterating on their spoof until they've defeated every scanner on the market prior to releasing a new version. – Dan Is Fiddling By Firelight Mar 24 '16 at 19:51
8

Your question becomes broader as it goes on, so I'll aim to simply answer the question in the title. Also note I'm answering from a perspective of making a solution on Windows. The same concept could be taken over to *nix though.

Would it be plausible to write your own anti-crypto-ransomware tool?


Sure, there are things like the .NET TraceEvent library that are very easy to use where one can monitor absolutely everything happening on your computer in real time. Ever since Vista, the Windows Kernel generates boatloads of information about absolutely everything that takes place on your computer.

This includes when a program loads a DLL, calls a system function, allocates memory, begins to access a file, completes a modification to a file, attempts to do anything related to networking, so on and so forth. There's so much data being generated by the Kernel, you'd probably kill the computer if you tried to read it all into user space in real time.

Just from this information alone, regardless of how crafty these dopes writing this software are, you could keep your stuff safe via whitelist of processes that can make modifications to your files. For example, the moment the Kernel raises an event about a process that is not found in the whitelist accessing a file in a certain path, you murder the process in cold blood. Simple in concept and could be implemented in < 500 LOC (I know from experience with TraceEvent).

Obviously there's a bunch of unforeseen things that need to be addressed once you actually try this, but in theory it's simple. This wouldn't be perfect, maybe it would get away with ruining one or two of your files before you kill it because of the variable delay between the actual time something happened and the time the Kernel alerted you, but this would be a solid start, if your sole concern is preventing the full effects of ransomware that encrypts data you can't lose.

From the comments:

Why aren't there more open-source home made solutions


As someone who publishes things open source - this stuff takes time. Good development is hard, time is limited, and there is no cookie to be had or even a dollar to motivate you to take interest in something like this. Whenever people do work on something they plan on publishing open source, it's going to be something that interests them.

How many programmers are such masochists that they think "I want to spend my free time working on software that will invoke a never ending onslaught from shady people who will work tirelessly to circumvent it? Oh, and for free." Not many.

Regarding

"Anyway, I am aware that the recommendation is not to write your own crypto software"

As snowman points out in the comments, it's not writing your own software which uses existing crypto that people warn you against, it's trying to roll your own cryptography software/methods that people warn against. All that said, this doesn't require crypto at all, it's simply a file and process monitor that would only be effective because it's like a bouncer that just shoots anybody who comes near the club and is not on the VIP list. The downside is that maybe someone he shoots is someone you really care about and simply forgot to add them to the list. :)

Edit


Just for fun, I tried this. Relevant code is here on Github. When I simply browsed to the protected directory, so many Windows processes associated with explorer.exe got instantly murdered that I had to log out because things like my start menu stopped working. But hey, if you throw in some hashes of the files and build a whitelist of Windows processes, then you're all set. :)

I wanted to add a second program and call it Kingpin and have it deliberately try to encrypt all the files in the protected directory, but I've been staring at my screen for two days and I'll have to come back to it after I rest. As you probably imagine from the names, I've been binge watching Daredevil.

Edit, Again

I've done some research into this on Windows. Turns out that from 8 onward, Windows keeps a directory of all binaries and such necessary to completely rebuild your OS. This is the WinSXS folder. Why this is relevant is because of the concept of whitelisting here and the problem of not killing the OS when a user tries to browse to folders. You could use SFC and DISM to verify the integrity of this cache, then scan this folder and generate hashes for every single binary you discover. Voilà, the OS is whitelisted.

  • 8
    That last paragraph makes a good point, but I would stress that the security community often tells people not to implement their own _crypto algorithms_, not to avoid writing _software that uses crypto_. It is perfectly okay to write your own program to encrypt something, as long as the actual encryption is performed by a high quality library using a proven cipher. However, as soon as the software is sold or distributed (i.e. someone other than the author may rely on it), peer review is important. –  Mar 24 '16 at 15:30
  • 2
    @Snowman You're right, I'll make a note to edit and word that better when I'm not so exhausted. –  Mar 24 '16 at 15:31
  • 2
    I'm going to come back to this later and make a program that will compile new, randomized programs on the fly that are meant to try to hurt the protected files in various ways, and just let it run. It's an interesting experiment. –  Mar 24 '16 at 16:35
  • 1
    On the plus side, at least these people can be resurrected. ;) – jpmc26 Mar 24 '16 at 23:59
  • 1
    From someone that works with encryption and development, my view is that its hard enough to take perfectly good existing and well-tested encryption libraries and implement them correctly. My guess is that a large number of those that do this without experience fails. And creating bad encryption is really, really dangerous. Because then you put faith in something to be secure, that isn't. +1 for the peer review comment. – Simply G. Mar 30 '16 at 04:26
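The following is an added illustration, not code from the question or from any of the answers above (and not the answer author's GitHub code). It puts the ideas in this answer and the question's side notes into a single, offline-runnable Python sketch: a process allowlist keyed by the SHA-256 of the image file (the hash-the-binaries idea from the second edit, here computed over a constructed "trusted" directory rather than WinSXS), a honeypot document that no legitimate program should touch, and a burst detector that flags an unlisted process rewriting many files with high-entropy content in a short window, which is what separates a ransomware run from Word saving one document, as raised in the comments on the question. The event format, thresholds, file names and the temp-directory scenario are all assumptions made for the example; the `respond` callback is where a real monitor would terminate the process, and here it only records the decision.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter, defaultdict


# Assumed event shape (not from the page): a dict with ts (seconds), pid,
# image (path of the process executable), op, path and data (bytes written).
def ev(ts, pid, image, op, path, data=b""):
    return {"ts": ts, "pid": pid, "image": image, "op": op, "path": path, "data": data}


def sha256_file(path):
    """SHA-256 of a file on disk; identifies a process by its image, not its name."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(directory):
    """Hash every regular file below `directory`. Stand-in for hashing a verified
    WinSXS store, as the answer's second edit proposes."""
    digests = set()
    for root, _dirs, files in os.walk(directory):
        for name in files:
            digests.add(sha256_file(os.path.join(root, name)))
    return digests


def shannon_entropy(data):
    """Bits per byte, 0.0 .. 8.0; encrypted or compressed output sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class Detector:
    """Allowlist + honeypot + burst-of-high-entropy-writes detector."""

    def __init__(self, allowlist, honeypots, window=5.0, max_hot_writes=10,
                 entropy_threshold=7.0, respond=None):
        self.allowlist = allowlist
        self.honeypots = set(honeypots)
        self.window, self.max_hot_writes = window, max_hot_writes
        self.entropy_threshold = entropy_threshold
        # respond(pid, reason) is where a real tool would terminate the process;
        # the default just records the decision.
        self.respond = respond or (lambda pid, reason: None)
        self.hot_writes = defaultdict(list)  # pid -> timestamps of high-entropy writes
        self.blocked = set()
        self.alerts = []
        self._image_cache = {}

    def _trusted(self, image):
        if image not in self._image_cache:
            self._image_cache[image] = sha256_file(image) in self.allowlist
        return self._image_cache[image]

    def on_event(self, e):
        """Return the alert reason for this event, or None when it is benign."""
        if e["pid"] in self.blocked:
            return "blocked"
        if e["op"] not in ("write", "rename", "delete") or self._trusted(e["image"]):
            return None  # read-only access, or a VIP-listed image such as Word
        reason = None
        if e["path"] in self.honeypots:
            reason = "honeypot-touched"  # nothing legitimate edits the decoy
        elif e["op"] == "write" and shannon_entropy(e["data"]) >= self.entropy_threshold:
            ts = self.hot_writes[e["pid"]]
            ts.append(e["ts"])
            ts[:] = [t for t in ts if e["ts"] - t <= self.window]  # keep the sliding window
            if len(ts) > self.max_hot_writes:
                reason = "mass-high-entropy-writes"
        if reason:
            self.alerts.append((e["pid"], reason))
            self.blocked.add(e["pid"])
            self.respond(e["pid"], reason)
        return reason


def demo():
    """Constructed scenario in a temp directory; returns the verdicts for checking."""
    root = tempfile.mkdtemp()
    trusted_dir, docs = os.path.join(root, "trusted"), os.path.join(root, "docs")
    os.makedirs(trusted_dir)
    os.makedirs(docs)
    word, unknown = os.path.join(trusted_dir, "word.exe"), os.path.join(root, "unknown.exe")
    for path, body in ((word, b"pretend-word-binary"), (unknown, b"pretend-unknown-binary")):
        with open(path, "wb") as f:
            f.write(body)
    honeypot = os.path.join(docs, "Tax_Return_2015.docx")  # decoy document (constructed)
    killed = []
    det = Detector(build_allowlist(trusted_dir), [honeypot],
                   respond=lambda pid, reason: killed.append(pid))
    r = {}
    # Word saving a .docx: high-entropy (zip) output, but the image is allowlisted.
    r["word"] = det.on_event(ev(1.0, 100, word, "write", os.path.join(docs, "report.docx"), os.urandom(4096)))
    # Unknown process writing plain text: not allowlisted, but low entropy.
    r["text"] = det.on_event(ev(2.0, 200, unknown, "write", os.path.join(docs, "notes.txt"), b"meeting notes " * 50))
    # The same process now rewriting twelve files with random bytes within about a second.
    r["burst"] = [det.on_event(ev(3.0 + 0.1 * i, 200, unknown, "write",
                                  os.path.join(docs, f"photo{i}.jpg"), os.urandom(2048)))
                  for i in range(12)]
    # A second unknown process touching the decoy is flagged on its first write.
    r["honeypot"] = det.on_event(ev(10.0, 300, unknown, "write", honeypot, os.urandom(512)))
    r["killed"] = killed
    return r


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two failure modes the thread discusses: the burst detector only fires after the eleventh high-entropy write, so a few files are already lost before the process is stopped (Simon B's point), while the honeypot fires on the very first write to the decoy. Hashing images rather than matching on names is what keeps a renamed binary from inheriting Word's allowlist entry; in a real deployment the event stream would come from ETW (or a minifilter) and `respond` would terminate the process.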
1

For Windows at least, you don't need to. Windows includes process-whitelisting features called Application Control Policies. You define locations, digital signatures or file hashes that are allowed to run, and all other processes are blocked. If the user does not have write permissions to any path that is whitelisted (which is a best practice when implementing Application Control Policies) then the user should be immune to cryptoware that launches its own process.

But if your users are administrators or have write access to whitelisted locations, then you are already on the wrong side of the airtight hatchway.

longneck