Detect and block ransomware based on user data changes – arkteam

Posted by truschel at 2020-02-28

By: {persist} @ arkteam

Original authors: Nolen Scaife, Henry Carter, Patrick Traynor, Kevin R.B. Butler

Original title: CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data

Source: 2016 IEEE 36th International Conference on Distributed Computing Systems

Ransomware (also known as crypto-ransomware) attempts to extort users by holding their files hostage. It differs from other kinds of malware in that its effect can only be reversed with the encryption key held by a remote attacker, so users can get their files back only by paying, typically through an anonymous payment mechanism such as Bitcoin. This kind of malware has existed for more than ten years, and its increasingly widespread use now causes tens of millions of dollars of consumer losses every year. Law enforcement agencies have also increasingly become victims, losing valuable case files.

Figure 1: the TeslaCrypt ransomware

There are three main difficulties in defending against ransomware. First, this kind of malware is easy to use, so the attacker's cost is low. Second, it is hard to tell from behaviour alone whether a program is malicious. Third, and most important, it mainly hits novice users who never back up their data.

There are three types of ransomware:

Class B: as in Class A, but the file is first moved out of place and moved back after the work is finished.

Class C: open the original file, read it, write the encrypted content to a new file, and delete the original (separate read and write streams).

This paper implements the first detection system based on changes to the user's data. The goal is not to lose zero files, but to detect the malicious behaviour after only a small part of the data has been lost and then terminate it. The system is built on the Windows platform.

The paper proposes three indicators for detecting ransomware:

File similarity: a file before and after encryption is very different. A similarity-preserving hash (sdhash) scores the similarity from 0 to 100, where 0 means nothing in common and 100 means identical.

Information entropy: encrypted or compressed files have very high entropy.

CryptoDrop maintains a "reputation" scoreboard for each process. When a process triggers an indicator, its score is increased. Once a suspicion threshold is reached, the process is suspended and the user is asked for permission before it may continue.

Experiments found that no legitimate process triggered all three indicators. The scoring mechanism lets the tool keep the score threshold low without causing significant false positives. The research shows that detection based on a single indicator has a high false-positive rate, whereas combining the three indicators lowers it considerably. CryptoDrop's reliability is reinforced by the typical behaviour of ransomware, which usually triggers all three main indicators.

The paper takes advantage of the Windows kernel's support for filter drivers, which allow the calls between processes and the file system to be interposed. This lets the tool not only detect when files are changed but also protects the mechanism itself from being tampered with by malware. It also avoids interfering with disk encryption systems (such as BitLocker), which operate between the file system and the disk.

Entropy measurement: ransomware often writes payment instructions (ransom notes). These small, low-entropy writes would otherwise drag down the average entropy, so the average is weighted to ensure that small low-entropy read/write operations do not unduly affect it.

When a protected file is read or written, a weighted running average of the entropy of the bytes involved is updated separately for reads and writes. The difference between the write-side and read-side averages is then computed; a difference greater than 0.1 indicates suspicious behaviour.

This measurement is stateless: every read/write operation whose difference exceeds the threshold counts as a trigger. Although the threshold is very small compared with the entropy values themselves, it is enough to detect an increase in entropy.
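The entropy indicator and the reputation scoreboard described above, as an added Python illustration (not CryptoDrop's own code, which is a Windows kernel driver). The 0.1 entropy gap comes from the post; the suspension score of 3, the process ids and the sample read/write buffers are constructed assumptions.

```python
import math
from collections import defaultdict

ENTROPY_DELTA = 0.1   # write-minus-read entropy gap that counts as suspicious (from the post)
SUSPEND_SCORE = 3     # assumed reputation score at which a process is suspended

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte: 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class EntropyIndicator:
    """Per-process running average of read and write entropy, weighted by byte count,
    so a small low-entropy write (a ransom note) barely moves the write-side average."""
    def __init__(self):
        self.read_bytes = self.write_bytes = 0
        self.read_sum = self.write_sum = 0.0      # running sum of entropy * bytes

    def observe(self, op: str, data: bytes) -> bool:
        """Record one read or write; True when the write average exceeds the read average by > ENTROPY_DELTA."""
        e, n = shannon_entropy(data), len(data)
        if op == "read":
            self.read_sum, self.read_bytes = self.read_sum + e * n, self.read_bytes + n
        else:
            self.write_sum, self.write_bytes = self.write_sum + e * n, self.write_bytes + n
        if not (self.read_bytes and self.write_bytes):
            return False                           # need both sides before a gap is meaningful
        return self.write_sum / self.write_bytes - self.read_sum / self.read_bytes > ENTROPY_DELTA

class Scoreboard:
    """Reputation scoreboard: each indicator trigger adds a point; at SUSPEND_SCORE the process is suspended."""
    def __init__(self):
        self.scores = defaultdict(int)
        self.entropy = defaultdict(EntropyIndicator)

    def file_op(self, pid: int, op: str, data: bytes) -> bool:
        """Feed one interposed file operation; returns True when the process should be suspended."""
        if self.entropy[pid].observe(op, data):
            self.scores[pid] += 1
        return self.scores[pid] >= SUSPEND_SCORE

# Constructed sample traffic: an editor rewrites plain text (benign); a ransomware-like
# process reads plain text, writes uniformly distributed bytes and drops a small ransom note.
PLAINTEXT = b"quarterly report: revenue up, costs flat. " * 100
CIPHERTEXT = bytes(range(256)) * 16            # entropy exactly 8.0 bits/byte
RANSOM_NOTE = b"Your files are encrypted. Pay to recover them."
```

Only the entropy indicator is modelled here; in CryptoDrop the similarity and file-type indicators add points to the same scoreboard.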

Figure 2: structure of CryptoDrop

Figure 3: formula for information entropy