Ransomware Attack

Posted by : on

Category : research


Slides at slides


Ransome

minifilter

ransom analysis1

unveil : protection

hardware protection

hardware protection


Attack Defense Paradigm

I attack your computer based on your OS source code

I protect my computer based on your attack source code

Never end

Testing Frame Work $\rightarrow$ Statisitcs

OK, if system A fails at 5 different virus and system B only fails at 1, who is better? You can’t tell.


Need an index that’s independent from protection method and attack method.

  • Ideal defense $\rightarrow$ no ransomware anymore
  • k-lag defense, let ransomware run $k\ \micro\text{s}$ and see the destruction.
    • Destruction means the unrecoverable data in mapped disk(target storage region which stores targeted files to ransomware)

Question :

How generic should this testing framework be?


Generic

Generic meeans the testing framework should be independent of variables. But what are those variables. If storage system types isn’t one of these variable, then I think the way is to widely test upon GFS, XFS, mySQL, postgreSQL …

Variable can also include the type of ransomware :


Observation

  • Current ransomware are hard to work with because
    • server might be off-line (Many can’t connect to server).
    • only available on windows, hard to probe
    • some ransomware destorys the system (ban all the system-level operation, not allowing you to probe any system-level data)

  • With working ransomware, still
    • hard to standardize, why choose this one over other ransomwares?
    • not summable (fs lost 70% data over ransomware1, 80% data over ransomware2, another file system fs’ lost 90% data over ransomware1 50% data over ransomware2), which is better? Can we take sum over any data?
    • Most of ransomwares disregard remote backups, while having access to credential manager.

Standardized ransomware

  • Healthy : do nothing except for encryption data
  • Transparent : can be adjusted for testing framework
  • Working : can encryt data without the existence of server.
  • Flexible : can do batch test.

How does storage systems do their journal?

  • Many of the storage systems don’t do data journal, they do metadata journal only for performance.
  • Some systems do coW, but that’s per transaction, the amount of recoverable files are limited.

Data backup

Generic way to defend against ransomware.

So need to study journal and logging behavior…

The most important problem is frequency and expiration rate of those backups, I think.

Now I think those can be omitted because index should be from “stationary” data backups and calculate their ratios.


Backup Resources

AFS backup

backup command


Remote backups : crisis on credential manager

The following 3 slides are from https://www.nirsoft.net/utils/credentials_file_view.html

Data Stored In Credentials Files

Windows operating system stores the following information inside Credentials files:

  • Login passwords of remote computers on your LAN.
  • Passwords of mail accounts on exchange server (stored by Microsoft Outlook)
  • Windows Live session information.

  • Remote Desktop 6 user\password information.
  • Internet Explorer 7.x and 8.x: passwords of password-protected Web sites (“Basic Authentication” or “Digest Access Authentication”)
  • Password of MSN Messenger / Windows Messenger accounts

Credentials File Location

You can find the Credentials files of Windows in the following locations:

C:\Users\[User Profile]\AppData\Roaming\Microsoft\Credentials (Windows Vista and later)
C:\Users\[User Profile]\AppData\Local\Microsoft\Credentials (Windows Vista and later)
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials (Windows 8 and later)
C:\Documents and Settings\[User Profile]\Application Data\Microsoft\Credentials (Windows XP)
C:\Documents and Settings\[User Profile]\Local Settings\Application Data\Microsoft\Credentials (Windows XP)

Those are no valid locations, but I duplicated .crd file to desktop and find the encrypted results.

And there are ways to decryt those account / password

CredentialsFileView is a simple tool for Windows that decrypts and displays the passwords and other data stored inside Credentials files of Windows.


Ransomware operates at your comp. Message protection will be likely to fail.

You logged in to onedrive today, so your cached verification will bypass the text-message-verification.

Then you have a ransomware.

But in testing framework’s perspective, what are we testing against? The expiration rate of cloud service?

Are we testing subject storage system or the cloud backup sub-system?


Remote storage

summary (might expire)

GFS


Implementation

Need this tool to be portable, probably have to encapsulate the code and provide some APIs. However, the probes within BIOs should be enforced (not optional).

Ideas, now I don’t think these are going to help:


Windows & IO


Current obstacles

  1. NTFS does NOT have data journal. Typical ransomwares don’t exist on linux.

  2. Don’t really know how to trace journals and logs(def unable to do it in block level) in Windows and with storage systems that I can’t access source code.
    • Implicit problem, layering : how to trace data backups ?
  3. Might need to build a standardized ransomware(may need to study the repos on github a little bit)

  4. False positive : it happens to many Filesystem Filters based detecting tools.

Current obstacles (cont.)

  1. More comments on false positive : it also suggests a software-subjected detection is worse than system-subjected detection.

  2. I don’t think logal backups have any meaning because backups essentially are files.

  3. If local backups failed all the time, then aren’t we just testing the cloud service’s security. a.k.a. how likely it can be accessed by ransomware?


Update : Design and New thinking (2023-05-04)

Several things mentioned in the meeting


  • We need to target several storage systems, the only thing we need to care about is the data backups.
    • Most of the targeted systems only have one copy of data (e.g. NTFS only logs metadata)
    • So we need to simulate remote backups

  • Testing framework needs to utilize several core features of ransomwares.
    • To do that we need to analyze the behaviors of ransomwares (existing)
  • We can adjust assumptions on
    • ransomware privilege level
    • storage backup time (meaning at those time the back-up storage is connected to OS)
    • back-up frequency (we have backup)

Mini filter, our solution to NTFS

mini filter mini filter APIs


ACL problem

ACL


Solution to “Discrete” statistics

What if the backups are either all-encrypted or all-safe.

Divide into two aspectes

  • Security

  • Consistency


Notes on security

In data backup industry, security usually means how safe the remote server is, that is, even when malware has external access to the server, how safe your data is.

They typically do it via data encryption.

Note that this is no longer valid to ransomware because ransomware can have the same access right as normal user


Log-strcutred FS : Natural Killer of Ransomware

f2fs

  • I can use GC attack to clear your logs

linux ransomware


More notes on GC : F2FS

This policy selects a victim section not only based on its utilization but also its “age”. F2FS infers the age of a section by averaging the age of segments in the section, which, in turn, can be obtained from their last modification time recorded in SIT. With the cost-benefit policy, F2FS gets another chance to separate hot and cold data.


Bonus : IPLFS

https://www.usenix.org/conference/atc22/presentation/kim-juwon

&

How to center the image in marp

network cs425 DFS cs440


Current Structure of Our Testing Framework

center ransomtest


Ransomware Report and Key Characteristics

and deleting the shadow copy of user fles

According to (Kharraz et al. 2016) there are three ways ransomware encrypts fles: (i) overwriting originals iginals, and (iii) encryption and secure deletion of the originals

rm calls unlink. They have slight difference but for testing system, they are basically the same.


Tracing

strace

blktrace, blkparse, btt

sudo apt-get install blktrace

Report

center ransomtest


Mapping from Ransomware Set to Standardized Ransomware

ML Rans

  • Need to show ransomware can be mapped to a certain group of characteristics
  • Many characteristics about ransomware are encryption related, so it’s not related to target system
  • So the only sets of characteristics should be :

Propagate

shared folder

Might need to check AFS, NFS, and more sharing related storage systems to check if the webservice network is secure enough.


NFS

main page server client setup(Quick) tutorial


Ext4 Mapping problem

extent


About moomoohorse
moomoohorse

Hi I a Hao Ren. Please know me in mywebsite

Email : haor2@illinois.edu

Website : http://moomoohorse.com

About moomoohorse

Hi, my name is Hao Ren.