By Nuno Ricardo Ribeiro Pinto (LinkedIn)

  • Principal Cyber Incident Responder at Asceris | OSCP | CHFI
  • Student of the 1st edition of the Master's in Reversing at the Campus Internacional de Ciberseguridad.

Ransomware activity detection

Ransomware is a type of software application that uses state-of-the-art cryptographic algorithms to lock access to digital assets and then demands a ransom in exchange for restoring that access. It is an old concept, first executed in 1989, but at the time both distributing the ransomware and collecting the ransom were difficult to implement.

With the massive use of the internet and the appearance of cryptocurrencies, the concept gained the remaining ingredients it needed to become feasible with high levels of anonymity. As a result, ransomware attacks rose exponentially until 2021, costing the world $20 billion in that year. That number is expected to rise to $265 billion by 2031. The consequences are more than financial: there are extreme cases of national infrastructure being shut down, with rising gas prices affecting national economies, and a case where a person died in a hospital after its systems had been compromised by a ransomware attack.

Source: Mid-Year Update: 2022 SonicWall Cyber Threat Report

Due to this ransomware pandemic, there is an urgent need to find solutions to stop it.

Previous related work:

  • The Early detection of crypto-ransomware using pre-encryption detection (S.H. Kok A. A., 2020) focuses its research on detecting ransomware before it is executed. For that it implements two levels: the first is signature based (the classic modus operandi of anti-virus software); the second uses a Learning Algorithm (LA) that can detect crypto-ransomware based on its pre-encryption application program interface (API) calls. This is called a Pre-Encryption Detection Algorithm (PEDA).
  • No Random, No Ransom: A Key to Stop Cryptographic Ransomware takes a slightly different approach. The authors “propose a strategy to mitigate ransomware attacks that considers pseudo random number generator functions as critical resources, controls accesses on their APIs and stops unauthorized applications that call them.”
  • A New Ransomware Detection Scheme based on Tracking File Signature and File Entropy, by Brijesh Jethva. The author presented an “upgraded dynamic ransomware detection model with two new sets of features: grouped registry key operation, and combined file entropy and file signature.” (Jethva, 2019) He then analysed “the new feature model by exploring and comparing 3 different linear machine learning techniques: SVM, Logistic Regression and Random Forest.”

The hypothesis formulated for this thesis was that it is possible to block ransomware in the preliminary stages of its execution, based on the frequency of calls to Windows operating system Cryptographic API functions, without interfering with normal operating system processes, user activity or legitimate software.

I detonated 7,360 samples using a CAPEv2 sandbox, with a total of 369 detonations returning the expected results. The 369 successful ransomware detonations represent 38 ransomware families.

Families and number of samples used in the study

I carried out a study on the 369 samples of the call frequency to two Cryptographic API functions and four File System API functions: CryptEncrypt, BCryptEncrypt, NtCreateFile, FindFirstFileExW, NtQueryInformationFile, and NtSetInformationFile.

From the study, I have concluded that:

  • The CryptEncrypt API function was observed being called exclusively by 35 of the 38 ransomware families and by some samples from 2 other ransomware families, whilst none of the legitimate software was observed calling it.
  • The BCryptEncrypt API function was observed being called exclusively by 1 of the 38 ransomware families, and all the legitimate software that called encryption functions also called the BCryptEncrypt API function.
  • 2 ransomware families had samples that called CryptEncrypt and other samples that called BCryptEncrypt, likely older and newer versions.
  • Several legitimate applications have a higher call frequency to the File System API functions than ransomware does.

As part of the thesis, I developed an application named NoCifraras to stop ransomware execution based on API calls to the CryptEncrypt function. The application also monitors the call frequency to the BCryptEncrypt and NtCreateFile API functions. It consists of a main program named ProcessMonitoring, an Injector, and a library named f4d0mon. ProcessMonitoring identifies new processes on a given Windows operating system and invokes the Injector. The Injector injects a DLL file into the newly identified process. The DLL monitors the API function calls of the process it was injected into and kills the process according to configured thresholds.

The Injector module uses the common remote injection technique, built on the Windows API functions VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, GetProcAddress, and LoadLibraryA. This technique is commonly named after the CreateRemoteThread API function.

The f4d0mon module, which is responsible for monitoring the API calls inside each process it is injected into, uses the Microsoft Detours library to hook the API functions. It currently hooks CryptEncrypt, BCryptEncrypt, and NtCreateFile. It counts the call frequency and prints it to a Windows debug console. Additionally, it has a hardcoded threshold for calls to the CryptEncrypt API function of one call per second.
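The decision logic that sits behind such a hook, as an added example rather than code from NoCifraras or f4d0mon: a per-process sliding-window call counter that enforces the one-call-per-second CryptEncrypt limit while only counting BCryptEncrypt and NtCreateFile, since the study found legitimate software as busy as ransomware on those. The Windows and Detours calls are deliberately left out so the policy compiles and runs anywhere; the class name, the policy values and the two call traces are constructed for illustration. In the real DLL each detour would call `record()` with a timestamp (for example from GetTickCount64) before forwarding to the original function, and terminate its own process when the verdict is `Kill`.

```cpp
// Added example (not NoCifraras/f4d0mon code): call-frequency policy a
// hooking DLL would consult from inside its API detours.
#include <cstdint>
#include <cstdio>
#include <deque>
#include <map>
#include <mutex>
#include <string>
#include <vector>

enum class Verdict { Allow, Kill };

struct ApiPolicy {
    uint32_t max_calls;   // calls tolerated inside one window
    uint64_t window_ms;   // sliding window length in milliseconds
    bool     enforce;     // true: exceeding the limit kills the process;
                          // false: count and report only
};

struct Call {
    std::string api;
    uint64_t    t_ms;     // milliseconds since process start (constructed)
};

class ApiRateMonitor {
public:
    void set_policy(const std::string& api, ApiPolicy p) { policies_[api] = p; }

    // Called from the detour of `api` at time now_ms (assumed non-decreasing).
    Verdict record(const std::string& api, uint64_t now_ms) {
        std::lock_guard<std::mutex> lock(mu_);   // detours run on every thread
        auto it = policies_.find(api);
        if (it == policies_.end()) return Verdict::Allow;   // not monitored
        const ApiPolicy& p = it->second;
        std::deque<uint64_t>& recent = recent_[api];
        recent.push_back(now_ms);
        // Forget calls that have fallen out of the sliding window.
        while (now_ms - recent.front() >= p.window_ms) recent.pop_front();
        ++total_[api];
        if (p.enforce && recent.size() > p.max_calls) return Verdict::Kill;
        return Verdict::Allow;
    }

    // Total calls seen for `api` (what the DLL would print to the debug console).
    uint64_t total(const std::string& api) {
        std::lock_guard<std::mutex> lock(mu_);
        auto it = total_.find(api);
        return it == total_.end() ? 0 : it->second;
    }

private:
    std::mutex mu_;
    std::map<std::string, ApiPolicy> policies_;
    std::map<std::string, std::deque<uint64_t>> recent_;
    std::map<std::string, uint64_t> total_;
};

// Thresholds mirroring the thesis: more than one CryptEncrypt call per
// second kills the process; BCryptEncrypt and NtCreateFile are only counted.
void install_default_policies(ApiRateMonitor& m) {
    m.set_policy("CryptEncrypt",  {1, 1000, true});
    m.set_policy("BCryptEncrypt", {1, 1000, false});
    m.set_policy("NtCreateFile",  {1, 1000, false});
}

// Replay a call trace; return the index of the first call that produced
// Kill, or -1 if the process would have run to completion.
int first_kill_index(const std::vector<Call>& trace, ApiRateMonitor& m) {
    for (size_t i = 0; i < trace.size(); ++i)
        if (m.record(trace[i].api, trace[i].t_ms) == Verdict::Kill) return (int)i;
    return -1;
}

// Constructed trace: a process that opens files and starts encrypting in a burst.
std::vector<Call> ransomware_trace() {
    return {{"NtCreateFile", 0}, {"NtCreateFile", 3}, {"CryptEncrypt", 10},
            {"NtCreateFile", 11}, {"CryptEncrypt", 12}, {"CryptEncrypt", 14}};
}

// Constructed trace: legitimate software hammering BCryptEncrypt and
// NtCreateFile far above one call per second, never touching CryptEncrypt.
std::vector<Call> legit_trace() {
    std::vector<Call> t;
    for (uint64_t ms = 0; ms < 200; ms += 2) {
        t.push_back({"BCryptEncrypt", ms});
        t.push_back({"NtCreateFile", ms + 1});
    }
    return t;
}

int main() {
    ApiRateMonitor m1; install_default_policies(m1);
    std::printf("ransomware trace killed at call %d\n",
                first_kill_index(ransomware_trace(), m1));
    ApiRateMonitor m2; install_default_policies(m2);
    std::printf("legit trace killed at call %d (BCryptEncrypt calls: %llu)\n",
                first_kill_index(legit_trace(), m2),
                (unsigned long long)m2.total("BCryptEncrypt"));
    return 0;
}
```

The sliding window matters at the boundary: calls at t = 0 ms and t = 1000 ms are exactly one per second and are allowed, while a third at 1500 ms is the second call inside a one-second window and triggers the kill. Because every hooked process loads its own copy of the DLL, the counters are naturally per process; the mutex is there because the detours fire on whichever thread calls the API, so the counter update must not race.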


Figure 3 – Microsoft Detour with and without interception.

The results of this thesis:

  • From a universe of 38 ransomware families, the CryptEncrypt API function was observed being called exclusively by 35 ransomware families and by some samples from 2 other families, whilst none of the legitimate software was observed calling the CryptEncrypt API function.
  • The NoCifraras application was able to leverage the call to the obsolete function CryptEncrypt to block all samples from 35 families and some samples from 2 families.
  • I observed that legitimate software calls the BCryptEncrypt function and other File System API functions with the same or a higher frequency than ransomware applications. Therefore, I was not able to elaborate a model that stops ransomware that uses BCryptEncrypt.


If you want to see Nuno's complete project, fill in the form and we will send it to your email address.
