
Okay, let's get started. You still hear me? Yep, you're good. Excellent. Well, my name is Rene Kolga and I always dreamed of speaking at BSides SLC, so this dream came true. We really appreciate the organizers and sponsors putting this together. The topic of the day, I think it's a pretty hot topic: ransomware. Even though, believe it or not, ransomware started back in the 80s, three or four decades later we still, for some reason, seem to be unable to tackle that problem, and that's exactly what my presentation today is about. Quickly about myself, Rene Kolga: I have been in security for quite some time, worked for companies like Altiris, Symantec, Citrix and a number of startups, mostly in the areas of anti-malware, encryption and insider threat.

So today's talk is about ransomware and why we can't seem to be able to tackle this problem. I will very briefly talk about how ransomware works, then I'll spend some time going over four typical methods that the cyber security industry and endpoint security products attempt to detect and stop ransomware with, with all of their pros and cons. Then I'll talk about how things can get even worse and talk about one of the evasion techniques that ransomware can potentially leverage to be even more deadly, and finally I'll show a couple of live examples of ransomware that's bypassing two major endpoint security products. So let's get going. I've already showed this and shared my desire for connection in these strange times, so again, I appreciate that the organizers decided to continue with the event even in this online format.

Okay, so let's get down to business. What's the typical ransomware workflow? I'm not gonna talk about how ransomware gets in, whether it's phishing, insecure RDP or something like that, right? That's not relevant; we all know that the bad guys will find a way. But then what happens? Obviously the ransomware tries to find your valuable files: your office data, maybe a database, maybe pictures. It will keep the system files in place because it wants the OS to still be bootable so it can display the message and ask you for some bitcoins. So it reads those files that it wants to encrypt, it encrypts the content in memory, and then it has a choice of what to do, how to get rid of the original unencrypted files. It can choose to do one of the following things (there are other ways as well; I'm just listing three here). One option is to save the new encrypted file on disk and then use a delete file operation to get rid of the original file. Another option, a pretty devious one, is to write the encrypted data straight back into the same file, into the original file, and maybe even keep the same filename, and that may make the restoration even more difficult. And then another option is to create a new file on the disk and then replace the original file using a rename operation. So these are just a few ways ransomware can get rid of the original data, and that's pretty important to understand if you want to stop ransomware.

So now let's look at the various detection methods that the industry has been putting forth to try to detect and stop ransomware. As we all see from the news, obviously those attempts so far have not been very successful, unfortunately. I'll describe and explain exactly why. So let's start with one of the more basic ones, static file analysis. This is a generic approach that antivirus, anti-malware and anti-ransomware products leverage to stop any virus, including ransomware, so it's not specifically designed for ransomware per se. This is where an anti-virus or similar product looks for some signature, right? It can be a sequence of terms, words and things like that. And what are the pros? Well, the false positive rate, the FP rate, is pretty low. It's very rare when an anti-virus product says that this binary is malicious while it actually isn't, so that's obviously a plus, because as security professionals we are already overwhelmed with those alerts and false positives, so it's pretty important. Actually, it stops the attack before any files are encrypted, so it does not sacrifice any files before it triggers the defenses, and that's great. And what are the cons? Well, obviously we all know signature-based tools are pretty easy to bypass, even if they leverage machine learning or AI-based signatures. It's pretty easy to bypass, so hence the false negative rate is pretty high. And how do the bad guys bypass those defenses? Well, they use crypters and various ways of obfuscating and changing those signatures for every attack they launch.

Okay, so let's move on to another technique, a pretty basic, even surprising technique I would say: a common file extension blacklist based approach, where a security product will look for well-known ransomware extensions and say, oh, if a file is being created with this file extension, then it must be ransomware, so we stop it. And what are the pros? Pretty low FP rate, and again no damages, or maybe one file is sacrificed to ransomware, but then the defenses kick in and the ransomware is stopped. Well, obviously I probably don't need to explain that it is very trivial for attackers, for ransomware writers, to bypass, unfortunately. The only thing they need to do is to use, you know, a random file extension, or change the file extension, or not rename files at all, right? Keep the same file name with the same extension after they encrypt the data. And if you don't believe that this technique is actually being used in some of the leading security products, I have obfuscated the logo of the product here, but you can see one of the radio buttons: "file encryption process that created a file with a known ransomware extension was terminated", and then there is even a separate setting specifically for Locky ransomware. So believe it or not, that method is actually being used.

Next, deception, right? This is where a security product creates a set of files, canary or bait files, and if any of those files are touched then we can flag the process that touched those files as ransomware. So it has the benefit that it can detect ransomware that other methods, like static file analysis, the first method we looked at, may not be able to. Now what are the cons? Well, obviously there is a very high chance for FPs here, false positives, because typically the user can touch those files, or a program can touch those files, and hence trigger those defensive mechanisms. And then of course the bad guys know about all these methods, so as these bait files or honeypot files tend to be created as hidden files or folders, ransomware can just bypass and skip all hidden files and folders and hence not trigger this particular method.

Moving on to a little bit more advanced techniques, one being the mass file operation. What is ransomware typically known to be doing, right? It will do a lot of reads and writes and probably delete or rename operations. Well, what if we define some kind of a threshold limit, like if we see so many of these file operations within a certain period of time, then it seems like this is ransomware? So again, it's a little bit more sophisticated, so hence it can detect some of the ransomware that other methods may not be able to detect. But obviously there is a concern about false positives here as well, because you as a user may be legitimately just moving one folder to another, right, and that would potentially trigger this threshold. And then some files will likely get encrypted, will get sacrificed, before this threshold is met. And finally, the attackers bypass these methods: they either slow down the encryption process or potentially spawn multiple processes for different files that they are encrypting. I believe that the infamous LockerGoga ransomware actually was launching a separate thread for each file they wanted to encrypt, and hence the encryption itself was actually super slow, but maybe that's why LockerGoga was able to bypass even so-called next-generation antivirus products and caused significant damage.

And finally, kind of a variation on the previous method is the method that measures the change within the data itself, within the files. It's not just looking at the mass file operations but actually looking at the content of the data and measuring the randomness, for example, of the data using an entropy calculation. There are pluses, like with all methods, and it will have fewer FPs than the previously described method, because this is more sophisticated; it's not just looking at the mass file operation like moving a folder from one drive to another. However, even in this method some files will likely get sacrificed, and then the attackers can only encrypt maybe parts of the file, so random sections of files, or encrypt in chunks, and thus potentially bypass these detection methods.

Okay, so this is kind of my very non-scientific rating of the effectiveness of the five methods I just described, from one to five. As you can see, none of them are at level five or even four, so that's why we still see ransomware headlines in the news almost every week, and that's why most endpoint security products actually combine multiple if not all of these techniques in their products in the attempt to increase the overall efficacy. But as we all know, unfortunately the efficacy is still far, far from where it needs to be.

Okay, so let's switch gears a little bit. No ransomware presentation is complete without mentioning WannaCry, right? This is probably the most well-known ransomware: the fact that it hit over 150 countries, billions and billions of economic loss, surgeries that had to be canceled, etc. etc. That's what everyone remembers about it. But what some people actually don't remember, I think, is that WannaCry was actually completely stoppable, completely preventable, because Microsoft actually released a patch for the underlying vulnerability almost a full two months prior to the WannaCry attack happening. So the only thing you had to do to be fully protected from WannaCry was to leisurely, within two months, apply the Microsoft security patch. You didn't need a firewall, you didn't need an anti-virus, you didn't need any other fancy products to be fully protected, and still the damage was so substantial, as just described on the previous slide.

So what if there was a method that we actually don't have good defenses against? And there are many, I'm sure; this is just one interesting evasion technique that our research team discovered last year, and I'm gonna give you a little bit of detail about this technique called RIPlace, as in "rest in peace" and "replace" at the same time. So this is an interesting technique, and why is it interesting? Because it's not just an evasion technique that allows you to bypass your antivirus or anti-ransomware products, but it also is a blinding technique, in the sense that it leaves no traces in tools like EDR, endpoint detection and response, that are meant to provide that kind of recording of all the events that happen on the laptops, desktops and servers, so that if an attack happened and the damage was done you can, so to speak, rewind the tape and investigate this incident and see how did the bad guys get in, when, what did they take, and hence the idea is you'll be able to fortify your defenses so a similar attack in the future would not be successful. So the RIPlace evasion technique actually not only bypasses the defenses but also leaves no trace in those tools, and that's what makes it quite interesting.

So what is RIPlace exactly? If you remember, on one of the first slides I showed you how ransomware works and specifically how it gets rid of the original unencrypted file. Well, RIPlace is a variation of the third method, the rename operation. And what exactly happens here? It actually leverages a pretty obscure function called DefineDosDevice, and what DefineDosDevice basically allows you to do is, instead of pointing to a file directly, use a symlink, or symbolic link, to point to it, right? It's kind of a shortcut, right? So you can create a symlink for a drive or a folder or your "my secret cheesecake recipe". So what happens here is that if you pass a symlink to a function that the security products typically hook in order to evaluate whether this file system operation is legitimate or not, whether it's done by a virus or ransomware: if instead of a full path you pass a symlink created using DefineDosDevice, the driver actually receives an error code while the operation succeeds. So what happens here is that as the security product's filter driver receives this error code 33, it assumes that the operation failed and hence it skips all the malicious activity detection logic completely, while the operation actually succeeds.

So I know I'm getting a little bit technical here, and you can read much more detail in our report about exactly how it works, and we have sample POC code posted on our GitHub repo as well. But then I think the most interesting thing is to actually see a demo of how this technique can bypass some of the leading security products. So I hope you can still see my screen. I have a VM running here, and what I have on this VM is some data in the Documents folder; now let's imagine there's some sensitive data here. I also have Procmon running to see the results of the operations. In this demo I'm using the Windows 10 built-in anti-ransomware feature called CFA, or Controlled Folder Access, and as you can see it's enabled, and the folder I am showing the data in is part of the default configuration, part of the protected folders. So this CFA technique is meant to specifically protect your data and resist ransomware. So let's now run simulated ransomware and see what happens. Okay, I'm running the simulated ransomware here, and if you look at the Procmon results, you see the process ransomware.exe attempted to replace or encrypt these four files that we just looked at, and it got access denied. So CFA worked as expected, right? It prevented the ransomware from tampering with this data, and we can double-check that the data is indeed intact.

So now let's use the same ransomware, but one that leverages this RIPlace evasion technique that I just described. So now let's run RIPlace, and something interesting has happened. One, we see that with RIPlace all four operations received SUCCESS as the result. We don't see any folder or path or file name, anything, right? So it did something to nothing. But now let's look at the data itself, and as you see, actually the files were encrypted, the files are gone now, and CFA did nothing, right? So that was interesting.

So let me roll back to another snapshot of this demo and show you an example with a different endpoint security product, and this time it's not going to be Microsoft CFA, it's going to be a leading endpoint security product by Symantec, Symantec Endpoint Protection, or SEP. So here the setup is similar: we have our Procmon, we have sensitive data; this time it's not files or images, this time it's the hosts file, right? That's a pretty important file to protect, and we can see the file is just fine right now. And Symantec Endpoint Protection has lots of different modules; it has exploit mitigation, unknown threat detection and a variety of other techniques. Everything is enabled, everything is the default configuration. And one of the interesting capabilities that SEP has is specifically a protection against tampering with the hosts file, or DNS, a change-in-hosts-file detection. As you can see, this is set to prompt if anyone attempts to tamper with these particular files. And as you can see, of course SEP is complaining here that I didn't update the definitions at all, but believe me, if I had then the result would be exactly the same, so that does not really matter.

So let's now run simulated malware, or ransomware, that attempts to encrypt that hosts file that SEP protects. Let's see what happens. Looks like SEP works exactly as desired, right? It says someone is trying to tamper with or modify the hosts file and do you want to block or allow this? Well, obviously we want to block this. So if we look at Procmon, you can see malware attempted to tamper with this particular file and it received access denied. So let's double-check: the file is fine. Okay, and so now I'm sure you already know where I'm going with this, and now I'll attempt to do the same exact operation but now leveraging this evasion technique called RIPlace, and let's see what happens. Well, as expected, you can see RIPlace.exe received success in doing nothing; there's no file path, nothing, so you won't be able to really investigate this if this happened. And now let's look at the hosts file itself. What happened there? Well, not surprisingly, the hosts file is now encrypted.

So that's kind of a quick demo, and again, RIPlace is just one of dozens if not hundreds of different techniques that the bad guys can leverage to bypass your defenses. If those defenses leverage a blacklisting approach, there's just no way to stay ahead of the attackers a hundred percent of the time if all you do is attempt to investigate and stop them. This discovery received quite a bit of coverage in places like BleepingComputer, but then what can be useful for the audience potentially is that there is a very simple tool that we posted on our website that you can use to test your endpoint security product on your system for susceptibility to this RIPlace technique. It just attempts to encrypt one file on your desktop that you point it to, and it just leverages XOR encryption, so obviously you can just rerun it and get that file decrypted again if your security tool was not able to stop it.

So some of you may ask, well, if this technique could be so potentially dangerous and damaging, why release details about it, right? Well, obviously we followed the responsible disclosure process, and typically responsible disclosure is three months, right? We actually gave the industry about nine months. We reached out to Microsoft, we reached out to dozens of security vendors with the details about this evasion technique, and we got some response, and there were a handful of vendors that actually addressed this issue in their antivirus and security products, because it's actually fairly easy for security vendors to detect and properly handle this evasion technique. But unfortunately, from most of the vendors we heard exactly nothing, so at some point you need to release this to the public and hope to put pressure on the rest of the industry to address this issue, to keep our environments secure. That's all I had to share with you, so happy to connect with anyone; LinkedIn is probably the best way to connect with me, and hopefully you enjoyed this.
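The entropy-based "change within the data" detection method described in the talk, as an added example that is not part of the talk and not code from any vendor's product: a naive whole-file entropy check beside a per-chunk check over a constructed document, showing that the per-chunk check still catches the partial (chunked) encryption the speaker names as a bypass. The thresholds, chunk size, seeded pseudo-ciphertext and sample document are assumed values constructed for the demo.

```python
# Added example (not code from the talk or from any vendor's product): the
# "measure the change in the data" method as Shannon entropy, comparing a naive
# whole-file check with a per-chunk check that also catches partial encryption.
import math
import random
from collections import Counter
from itertools import zip_longest


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~4 for English text, near 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = 4096) -> list:
    """Entropy of each fixed-size chunk of the file, in file order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify_write(before: bytes, after: bytes, chunk_size: int = 4096,
                   high: float = 7.5, jump: float = 2.0) -> dict:
    """Score one overwrite of a file's content; thresholds are assumed values.

    whole_file: naive check, true only if the whole file's entropy rose by more
    than `jump` bits and ended above `high`. chunked: true if any one chunk did.
    """
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    pairs = zip_longest(chunk_entropies(before, chunk_size),
                        chunk_entropies(after, chunk_size), fillvalue=0.0)
    suspicious = [i for i, (b, a) in enumerate(pairs) if a > high and a - b > jump]
    return {"whole_file": e_after > high and e_after - e_before > jump,
            "chunked": bool(suspicious),
            "suspicious_chunks": suspicious,
            "entropy_before": round(e_before, 2),
            "entropy_after": round(e_after, 2)}


# Constructed sample document: ~19 KB of repetitive, low-entropy text.
DOCUMENT = b"Quarterly report: revenue grew in every region; see attached tables. " * 280
_rng = random.Random(2020)  # seeded so the demo is repeatable


def pseudo_ciphertext(n: int) -> bytes:
    """Stand-in for ciphertext: uniformly distributed bytes from the seeded generator."""
    return bytes(_rng.randrange(256) for _ in range(n))


def encrypt_whole(doc: bytes) -> bytes:
    """Simulates ransomware that rewrites the entire file."""
    return pseudo_ciphertext(len(doc))


def encrypt_partial(doc: bytes, span: int = 4096) -> bytes:
    """Simulates the evasion from the talk: only the first `span` bytes are replaced."""
    return pseudo_ciphertext(span) + doc[span:]
```

Run `classify_write(DOCUMENT, encrypt_partial(DOCUMENT))` to see the whole-file flag stay False while the chunked flag reports chunk 0; a real product would apply this per write in a filter driver rather than on full file contents.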