Ransomware is no longer the problem it used to be. Despite the popularity of cryptominers, banking trojans and mobile malware, first place in all rankings is held by fileless malware, with which all the attacks begin. Other types of malware are estimated to be undetectable by signatures in 30% of all cases. These data for Q3 2018 were prepared by the German network-device manufacturer WatchGuard. This means that every third malicious file is a zero-day virus (one that uses undiscovered software vulnerabilities or techniques to bypass security measures). The presented data give food for thought, because we clearly see a rising trend of threats that traditional methods cannot detect.
WatchGuard reveals that today’s threat landscape is totally different from the one two years ago. However, some social-engineering attacks are still focused on extorting money through encryption. On the other hand, Check Point shows detailed statistics on threats with a focus on ransomware attacks:
The most serious encryption attacks were conducted in 2017. The malware spread all over Europe using a previously unprecedented vector: the EternalBlue and DoublePulsar exploits, which use an SMB protocol vulnerability, were stolen from the NSA and caused global chaos induced, ironically, by the US secret services. Hacking tools built for gaining access to civilian computers were the main reason behind the huge outbreak of low-quality droppers and downloaders. Mass-produced malware samples caused a percentage drop in encryption attacks. However, we still need to keep an eye on ransomware, which will not let itself be forgotten easily. A couple of weeks ago we observed increased activity of the GandCrab ransomware, also in Poland.
Can encrypting malware harm files protected by ZoneAlarm Anti-Ransomware? We have checked that at the producer’s request.
Check Point ZoneAlarm Anti-Ransomware – the basics
It is the first seconds after opening a fake invoice or a bogus parcel-delivery notification that matter the most. This is when the ransomware starts searching for files and encrypting them, usually with AES-256 or AES-128-CBC. Then, on the server controlled by the attacker, a public and a private key are generated with the RSA algorithm (usually RSA-2048 or stronger). The public key is transferred to the victim’s computer; some ransomware samples already have a public key embedded in their code. The ransomware uses that public key to encrypt the AES-256 key that was used to encrypt the documents, movies, databases and game files. The scheme rests on factorisation, which has been an insanely tricky riddle for modern computers: the RSA modulus is a gigantic number of roughly 2^2048 in size, created during key generation as the product of two large primes, and recovering those two factors would take home computers millions of years. Thus, an express solution to this maths problem (finding the two numbers whose product yields said gigantic number) is impossible. Should anyone pull it off, they could be rewarded with a 1 000 000 USD prize for solving one of the major mysteries of the millennium, which are the prime numbers. This is why, in terms of cryptography, huge prime numbers give the offenders the advantage. A movie titled “The Curse of Prime Numbers” provides a great insight into the problem; the author explains why efforts to break RSA-2048 are doomed to fail.
Within a reasonable time, and without paying the ransom, it is impossible either to calculate the private key or to decrypt the files, even for a quantum computer, unless:
1. Law-enforcement bodies such as the European Cybercrime Centre (EC3) or Europol take control of the server that stores the private halves of the RSA key pairs, or bring about the offender’s arrest. The prosecutor usually offers a shorter sentence if the suspect cooperates.
2. The encryption algorithm in the malware’s code is not implemented correctly; only then is there a chance of developing a decryption tool that exploits the flaws in the implementation.
3. The encryption used in the malware’s code does not involve RSA (asymmetric cryptography), which nowadays happens extremely rarely.
Only if one of the aforementioned conditions is met is it possible to build a decryption tool.
The steps of encrypting files by ransomware usually go as follows:
- The user receives an e-mail with a link or an attachment.
- The victim is redirected to a website with exploit kit – a tool for automatic computer infection (or the malicious document is immediately opened). Then, the malware communicates with the server controlled by the threat actor.
- The ransomware copies itself and runs the binary file. Very often it runs the vssadmin.exe process with a parameter that deletes Windows’ shadow copies (the system’s backup copies). For example:
"C:\Windows\SysWOW64\cmd.exe" /C "C:\Windows\Sysnative\vssadmin.exe" Delete Shadows /All /Quiet
- The files are encrypted with a randomly generated AES key. The key is then additionally encrypted with the public RSA key. The private key, which is essential for decryption, is held by the cyber-criminal and may be released only after the victim pays the ransom.
- The malware downloads a ransom demand note and displays the alert on the desktop.
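As an added example (not code from the review or from any product), the shadow-copy deletion step above is one of the clearest signals a defender can look for in process-creation telemetry. The records below are constructed Sysmon-style events, not logs from the test, and the user-writable path markers are an assumption:

```python
import re

# Constructed, Sysmon-style process-creation records (not logs from the test).
EVENTS = [
    {"pid": 1204, "parent": r"C:\Users\victim\AppData\Local\Temp\invoice.exe",
     "cmdline": r'"C:\Windows\SysWOW64\cmd.exe" /C "C:\Windows\Sysnative\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"pid": 1230, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"pid": 1301, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# "vssadmin[.exe]", an optional closing quote, then the verb "delete shadows" (any case).
SHADOW_DELETE = re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.IGNORECASE)

# Parents running from user-writable locations are the typical dropper pattern (assumed markers).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def classify(event):
    """Return an alert dict if the command line deletes shadow copies, else None."""
    cmd = event["cmdline"]
    m = SHADOW_DELETE.search(cmd)
    if not m:
        return None
    # Switches after the matched verb, e.g. /All /Quiet (the /C of cmd.exe sits before it).
    switches = {s.lower() for s in re.findall(r"/\w+", cmd[m.end():])}
    parent = event["parent"].lower()
    return {
        "pid": event["pid"],
        "parent": event["parent"],
        "all_shadows": "/all" in switches,
        "quiet": "/quiet" in switches,
        "suspicious_parent": any(marker in parent for marker in USER_WRITABLE),
        # Wiping every shadow copy is the high-confidence case; a single-copy delete is medium.
        "severity": "high" if "/all" in switches else "medium",
    }


def find_shadow_deletions(events):
    """Run the rule over a list of process-creation records."""
    return [alert for alert in map(classify, events) if alert]


if __name__ == "__main__":
    for alert in find_shadow_deletions(EVENTS):
        print(alert)
```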
To further scare the user, countdown timers are used. Usually, after 72 hours, the ransom amount doubles. In extreme cases the decryption key is destroyed, which in theory eliminates any chance of recovering the files. In practice, this alert serves merely as a scarecrow:
Although no statistics have been compiled, we know that paying the ransom (usually) allows the victim to decrypt the files. However, there are cases where the victim cannot recover their files even after paying, because the offender is unable to identify the victim. Antivirus software is increasingly removing the ransomware itself, which deprives the victim of the chance to decrypt the files. What is more, the attack is not necessarily over once the files are encrypted, because the ransomware can load additional malware and steal private data, intellectual property and login credentials. Victims also have to watch out for dishonest companies that claim to be able to decrypt the files, while in reality they pay the ransomware creators and then bill the victim for the cost with an extra-large margin.
Ransomware is an extremely dangerous type of malware because the data loss usually has gruesome effects.
ZoneAlarm Anti-Ransomware was designed to restore the encrypted files. The unknown zero-day sample, which is about to start the encryption, will be detected and neutralized. Thus, the important data won’t fall into irreversible loss.
The data may be quickly restored with just a couple of clicks, and the remains of the virus, including the encrypted files, may be removed safely. It is recommended to conduct a thorough antivirus scan of the computer using a reliable and effective tool: https://avlab.pl/test-bezplatnych-skanerow-antywirusowych-wrzesien-2017
ZoneAlarm Anti-Ransomware does not protect the computer in the traditional way: the tool can restore all encrypted files, but it will not protect us from, for example, banking trojans. Contemporary antivirus software usually has no file-restoration functionality, and when it does, it is limited to protecting the user’s folders. This is inconvenient, because such protection is not always enabled by default and does not cover the whole drive, only some of the most important folders (Desktop, Documents, Music, Downloads, etc.). The reviewed ZoneAlarm Anti-Ransomware from Check Point is one of the rare exceptions.
ZoneAlarm Anti-Ransomware is not an antivirus. It serves as a support tool to an antivirus software. It causes no conflicts, therefore, it’s safe to have it installed along with Windows Defender or some other advanced security pack.
Bringing the files back to the original state takes just a moment. Plus, it doesn’t require us to have a back-up copy of the files. ZoneAlarm takes care of it during the encryption.
As soon as the files are back in their original folders, there is a huge mess: these directories hold both the restored and the encrypted files. We asked the company to add a quick removal option for all encrypted files, which would spare us from making more of a mess on the hard drive.
We’re done. ZoneAlarm Anti-Ransomware finished doing the job. All the encrypted files have been brought back and saved intact in the folders they were stored in originally.
ZoneAlarm Anti-Ransomware brings Check Point’s experience
ZoneAlarm Anti-Ransomware is developed by Check Point, which is why it employs the Threat Emulation technology of the SandBlast products. We tested this protection technology a couple of weeks ago (Check Point’s SandBlast for Browser was the only solution to block all the malware samples). The complete set of Threat Emulation solutions is available in advanced firewalls or as a SaaS service under the name Check Point SandBlast.
Malware authors can create samples that easily bypass traditional signature-based products. Detecting threats with virus definitions is an old technique for catching known attacks; today it serves as a supporting layer rather than the core protection. Threat emulation, in turn, protects against new malicious encryption programs, and this is the technology ZoneAlarm Anti-Ransomware uses.
Testing ZoneAlarm Anti-Ransomware: Ransomware simulation using RanSim
RanSim is a ransomware simulator developed by KnowBe4, whose CEO is Kevin Mitnick, one of the legendary former hackers, now working on the legal side.
After the execution, RanSim simulates ransomware, but it makes no change nor damage to files stored on Windows PC, making it 100% safe in use. The tool performs 10 various tests emulating actual ransomware. You can download it here: https://www.knowbe4.com/ransomware-simulator
RanSim uses a range of techniques, including file overwrite, copying the files to new directory, file encryption and removal of the original ones – everything that imitates ransomware. We’re informed about the result within a couple of minutes.
RanSim reports that ZoneAlarm did not protect us from ransomware, because all of its simulated encryption techniques were allowed to run. Obviously this is not true; it is a consequence of how RanSim scores. ZoneAlarm Anti-Ransomware does not block the encryption up front; it detected RanSim’s unusual behaviour and can therefore bring the encrypted test files back.
Regardless of how weak the protection of the PC is, ZoneAlarm was made to protect the files that can fall victim to encryption by a commonly-known or an extremely new ransomware sample.
Ransomware in the wild (AVLab tests)
To conduct real ransomware attacks, we used our Linux-based platform and virtual machines managed by VMware Workstation Pro. Using the API and appropriate tools, we can recreate the attack from downloading the sample via the Chrome browser, through observing the installed ZoneAlarm Anti-Ransomware and the virus, to recording all changes in the logs. We automated the tests in order to obtain detailed results within a couple of days. The saved logs show the behaviour of every tested virus as well as the reaction of the tested software. All the necessary details of the analysis are always passed on to the vendor. Automation allows us to go through a pile of logged events in just a couple of seconds; we gathered nearly 89 000 of them for 29 ransomware viruses. We adore logs. They help us improve our security tools and let us catch all the irregularities. We are happy to make our tiny contribution to the development of ZoneAlarm.
How do we know that the malware has encrypted the files?
One can see it by looking at the structure of the files and the folders in the observed folders. This log, for example, illustrates the change (encryption) of some of the desktop files:
How do we know that ZoneAlarm detected a threat?
Detection is recognised by so-called triggers, meaning events registered in the OS and/or changes in the software’s logs. Others include moving the ransomware to the quarantine folder and loading a system registry key during the detected attack. For example:
C:\ProgramData\CheckPoint\Endpoint Security\Remediation\Quarantine
C:\ProgramData\CheckPoint\Endpoint Security\Remediation\Working
C:\Program Files (x86)\CheckPoint\Endpoint Security\Remediation\QuarantineOperationsLib.dll
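As an added example (not code from the review or from Check Point), the two questions above, whether files in an observed folder were encrypted and whether the product reacted by writing into its quarantine folders, can be answered automatically from folder snapshots and file-system events. The snapshots, file names and events below are constructed, and the 7.5 bits/byte entropy threshold is an assumption:

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, ~4-5 for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def encrypted_files(before: dict, after: dict, threshold: float = 7.5):
    """Compare two {path: content} snapshots of an observed folder. A file counts as encrypted
    if its new content is high-entropy and it either replaced different content at the same
    path or is a new file named <vanished original>.<extra extension>. Unchanged high-entropy
    files (archives, JPEGs) are deliberately not flagged."""
    findings = []
    for path, data in after.items():
        if shannon_entropy(data) < threshold:
            continue
        if path in before:
            if before[path] != data:
                findings.append((path, "overwritten in place"))
        else:
            stem = path.rsplit(".", 1)[0]
            if stem in before and stem not in after:
                findings.append((path, "renamed from " + stem))
    return findings

# Quarantine folders named in the review; a write under them is a "product reacted" trigger.
QUARANTINE_ROOTS = (r"C:\ProgramData\CheckPoint\Endpoint Security\Remediation\Quarantine",
                    r"C:\ProgramData\CheckPoint\Endpoint Security\Remediation\Working")

def quarantine_triggers(file_events):
    roots = tuple(r.lower() for r in QUARANTINE_ROOTS)
    return [e for e in file_events if e["path"].lower().startswith(roots)]

def pseudo_ciphertext(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy stand-in for encrypted content (constructed, not a cipher)."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

DESKTOP = r"C:\Users\victim\Desktop"
BEFORE = {  # constructed snapshot taken before the sample ran
    DESKTOP + r"\report.docx": b"Quarterly report, draft text. " * 40,
    DESKTOP + r"\photo.jpg": b"JFIF header plus sample pixel data " * 40,
    DESKTOP + r"\notes.txt": b"Just some notes about the project.\n" * 10,
}
AFTER = {  # constructed snapshot afterwards: one file renamed, one overwritten, one untouched
    DESKTOP + r"\report.docx.locked": pseudo_ciphertext(b"report", 1200),
    DESKTOP + r"\photo.jpg": pseudo_ciphertext(b"photo", 1400),
    DESKTOP + r"\notes.txt": BEFORE[DESKTOP + r"\notes.txt"],
}
FILE_EVENTS = [  # constructed file-system events from the same run
    {"path": DESKTOP + r"\report.docx.locked", "op": "create"},
    {"path": QUARANTINE_ROOTS[0] + r"\sample.bin", "op": "create"},
    {"path": QUARANTINE_ROOTS[1] + r"\job.log", "op": "write"},
]
```

Calling encrypted_files(BEFORE, AFTER) flags the renamed and the overwritten file but not notes.txt, and quarantine_triggers(FILE_EVENTS) returns the two writes under the Remediation folders.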
Where do we obtain the samples and how do we know they’re working?
The samples used in the tests come from honeypot attacks. Honeypots are traps that imitate a target and capture the malware; ours emulate services such as SSH, HTTP, HTTPS, SMB, FTP and TFTP as well as real Windows systems and mail servers. Before a sample is tested, it undergoes a thorough analysis: it is run in an environment identical to the one in which the tested software is installed. If the malware performs malicious actions such as encrypting files or adding itself to autostart, we are certain that the sample is “correct”, so it joins our test collection. The ransomware samples used in the test had the following SHA-256 checksums:
During the test (conducted from 19 to 31 December), which verified the anti-ransomware protection, we tested ZoneAlarm Anti-Ransomware with 28 samples captured in their natural habitat (in the wild). One of them was quite interesting.
The sample with checksum c4471377f58643e454ef33f21dc65f696567bf8700ae120caac5086f85bfeace is an interesting case of a targeted ransomware POC that aims to encrypt only specified directories, avoid honeypots and close all running software, which was a major obstacle to manual analysis and disinfection (it was impossible to download a scanner and scan the system unless this was done in safe mode or from a rescue CD).
The detailed information about the sample, which we passed on to the manufacturer, helped them protect users from screen blocking. Currently these are extremely rare cases; maybe this is why there was no function blocking this behaviour.
The issue with the Virlock sample was reported on 19 December and was investigated by Check Point quite promptly. The technical details allowed the company to tweak ZoneAlarm Anti-Ransomware, which is now up to date. Additionally, the latest version of the tested product protects us from desktop-blocking threats.
ZoneAlarm Anti-Ransomware does not download virus definitions, because it does not need them. It does not protect files from encryption the way traditional antivirus tools do. Instead, it employs the leading Threat Emulation technology, which runs permanently in real time, monitoring and shielding the computer from any symptoms of a ransomware attack. Advanced behavioural analysis is capable of immediately detecting an encryption attack and restoring the files.
ZoneAlarm Anti-Ransomware is a very good anti-ransomware tool. It can be installed on both personal and business computers. This is why we grant it the AVLab recommendation, with one reservation: the program protects the computer exclusively from encryption attacks, so it should be used alongside another tool for protecting the Windows system.
The full security package, ZoneAlarm Extreme Security, contains even more components that can detect contemporary zero-day threats and attacks. The complete list of ZoneAlarm products is available at https://www.zonealarm.com.