In many information security publications, ransomware is mentioned with the same kind of horrified reverence as terrors such as climate change, Ebola, or the Death Star—to whit, a terrifying enigma with world-devastating implications. Much of the fear is visceral, however. Experiencing a traditional data breach is a lot like getting home to find that someone has copied all of your DVDs. When you’ve experienced a ransomware attack, you’ve either lost money or irreplaceable data.
Thinking logically, however, enterprises aren’t much more or less likely to experience attacks than they were before. More to the point, the ransomware that’s coming out nowadays isn’t even that much more sophisticated than the garden-variety malware that came before it. We’ve already covered how most ransomware variants aren’t that different from one another—now let’s talk about the very few ways in which what is ransomware now, differs from other forms of malicious code.
Ransomware Still Isn’t That Different from Ordinary Malware
What is ransomware and what does have in common with every single other kind of virus? It has the need to hide from detection. Nearly every kind of malware does this partially by encryption—this can confuse signature detection because instead of seeing the malicious executables, they just find random strings of alphanumeric text. Most antivirus programs now know how to look for these strings of text—hashes—but it is very easy for malware programmers to alter the underlying substructure of their files in order to make that hash appear different.
Other Detection-Avoidance Routines Include
Timing: If an endpoint detection system doesn’t possess continuous monitoring capabilities, malware with timing-based obfuscation can run circles around it. This kind of malware is only designed to run when absolutely necessary, such as after a user reboots their computer, in order to avoid operating simultaneously with a malware scan.
Communications: Malware is basically built to steal data—which means that malware designed in this way must usually “phone home” to its makers. Antivirus programs will look for programs that communicate with certain servers, domains, and IP addresses which are known to host command and control servers for given types of malware. By rotating these addresses, malware can evade antivirus programs which are programmed to look only for a small range of C&C servers at a given time.
Awareness: Here’s an idea—why spend all the time and trouble to evade signature detection, when you can prevent researchers from making a signature in the first place? Many malware tools have specific sensors that allow them to detect whether they’re in a virtualized environment, allowing them to either evade honeypots or thwart security researchers from unpacking their components.
Ransomware does not substantially deviate from using these methods. String obfuscation is a relatively advanced method of encryption that is found in a lot of garden-variety malware, and also in ransomware such as CryptXXX. Other variants use less sophisticated encryption strategies—.CRYPTED uses a version of a XOR cipher, a technique that’s been in use since the Cascade virus in 1986. The Cryptowall ransomware has rudimentary sensors to detect whether it’s in a virtual environment. Essentially, none of these ransomware programs are particularly different from malware in their obfuscation efforts.
The real difference, of course, is payload. Ransomware is designed to do novel things, like (obviously) encrypting large amounts of files, deleting the Shadow Copies that allow users to restore from backup, and using C&C servers to store the encryption keys that allow users to unlock their files after they’ve paid up.
All of those actions, however, are behavioral mechanisms. Signature-based antivirus doesn’t look for behavior—rather, it seeks out identifiable characteristics of malware, such as the names of running processes, the hashes of encrypted files, or the servers that the malware phones home to. These characteristics are easy to mask, as we’ve just shown, and once ransomware begins to take action, there’s no way for signature-based malware to know that bad things are happening.
The difference between what is ransomware and what is malware isn’t that significant—one isn’t even much more dangerous than the other—but the immediate aftereffects of a ransomware attack are a lot more shocking. Don’t get shocked.
The post What is Ransomware? The Ransom-Based Malware Demystified appeared first on SentinelOne.
*** This is a Security Bloggers Network syndicated blog from SentinelOne authored by SentinelOne. Read the original post at: https://www.sentinelone.com/blog/ransomware-ransom-based-malware-demystified/