Abstract

Friday 2 October 14:00 - 14:30, Red room
Samir Mody (K7 Computing)
Gregory Panakkal (K7 Computing)

CryptoLocker, CryptoWall, CTB Locker, etc. are well-known families of modern ransomware which use strong encryption algorithms with large asymmetric keys to encrypt target files, rendering them nigh on impossible to decrypt locally since the private keys are controlled by the malware syndicates. Data recovery after a ransomware infection is therefore a huge challenge. It is imperative to arrest the ransomware as early as possible, before encryption takes place.

Complex obfuscation and anti-emulation techniques used on the ransomware droppers ensure that static blocking in real time is difficult. However, low-level system-wide interception of designated events by security software allows close monitoring of the behaviour of untrusted executable code, which currently includes ransomware components, thus making contextual dynamic blocking a high-percentage option.

Based on the runtime behaviour of several pieces of modern ransomware, this paper describes in detail the various stages at which ransomware processes can reliably be terminated, while mitigating false positives and performance degradation. We explore in depth the blocking of suspicious events such as data-overwrite attempts at both file system and disk levels, behaviour anomalies of OS processes, incongruous calls to cryptographic functions, whether OS crypto APIs or statically linked OpenSSL library code (de-obfuscated in memory), etc. It may even be possible to adopt and adapt certain strategies to arrest ransomware on mobile platforms. We shall show a PoC demonstrating a novel anti-ransomware solution for Windows, optimally combining various strategies to generically detect and prevent attempts to encrypt target file types on disk.
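As an added illustration of the file-system-level data-overwrite check the abstract mentions (this is not code from the paper or from K7's PoC): a simplified heuristic that flags a process once it has overwritten several target-type files with content whose Shannon entropy jumps from plain to near-random. The event format, extension list, thresholds and process IDs are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Assumed set of target file types a ransomware would encrypt (not from the paper).
TARGET_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_suspicious_overwrite(path, old, new, high=7.0, jump=2.0):
    """A write to a target file type is suspicious if the new content is near-random
    AND markedly more random than what it replaces. Already-compressed formats such
    as JPEG start high, so this jump test alone will not flag them (see note below)."""
    ext = path[path.rfind("."):].lower() if "." in path else ""
    if ext not in TARGET_EXTENSIONS:
        return False
    e_old, e_new = shannon_entropy(old), shannon_entropy(new)
    return e_new >= high and (e_new - e_old) >= jump

def processes_to_terminate(events, min_hits=3):
    """events: iterable of (pid, path, old_bytes, new_bytes) as a file-system filter
    would see them. Returns pids whose suspicious-overwrite count reaches min_hits,
    so one odd write by a legitimate editor is not enough to terminate it."""
    hits = defaultdict(int)
    for pid, path, old, new in events:
        if is_suspicious_overwrite(path, old, new):
            hits[pid] += 1
    return {pid for pid, n in hits.items() if n >= min_hits}

# Constructed sample data: plain text versus a stand-in for ciphertext (all 256 byte values).
PLAIN = b"Quarterly report text " * 40
RANDOMISH = bytes(range(256)) * 4
SAMPLE_EVENTS = [
    (1337, r"C:\Users\alice\Documents\report.docx", PLAIN, RANDOMISH),
    (1337, r"C:\Users\alice\Documents\budget.xlsx", PLAIN, RANDOMISH),
    (1337, r"C:\Users\alice\Documents\notes.txt", PLAIN, RANDOMISH),
    (4242, r"C:\Users\alice\Documents\notes.txt", PLAIN, PLAIN + b"edit"),  # editor save
    (4242, r"C:\Users\alice\Pictures\holiday.jpg", RANDOMISH, RANDOMISH),   # re-encode
    (500, r"C:\Windows\System32\some.dll", PLAIN, RANDOMISH),                # not a target type
]

if __name__ == "__main__":
    print(processes_to_terminate(SAMPLE_EVENTS))  # {1337}
```

Entropy alone cannot separate encryption from legitimate compression or re-encoding of already-compressed files, which is why the abstract combines this signal with others such as incongruous crypto API calls and process behaviour anomalies.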
