Genç, Ziya Alper, Fonds National de la Recherche - FnR [sponsor], Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Other [research center], Lenzini, Gabriele [superviser], Ryan, Peter Y A [president of the jury], Mauw, Sjouke [member of the jury], Lanet, Jean-Louis [member of the jury], and Stringhini, Gianluca [member of the jury]
Cryptographic ransomware encrypts files on a computer system, thereby blocks access to victim’s data, until a ransom is paid. The quick return in revenue together with the practical difficulties in accurately tracking cryptocurrencies used by victims to perform the ransom payment, have made ransomware a preferred tool for cybercriminals. In addition, exploiting zero-day vulnerabilities found in Windows Operating Systems (OSs), the most widely used OS on desktop computers, has enabled ransomware to extend its threat and have detrimental effects at world-wide level. For instance, WannaCry and NotPetya have affected almost all countries, impacted organizations, and the latter alone caused damage which costs more than $10 billion. In this thesis, we conduct a theoretical and experimental study on cryptographic ransomware. In the first part, we explore the anatomy of a ransomware, and in particular, analyze the key management strategies employed by notable families. We verify that for a long-term success, ransomware authors must acquire good random numbers to seed Key Derivation Functions (KDFs). The second part of this thesis analyzes the security of the current anti-ransomware approaches, both in academic literature and real-world systems, with the aim to anticipate how such future generations of ransomware will work, and in order to start planning on how to stop them. We argue that among them, there will be some which will try to defeat current anti-ransomware; thus, we can speculate over their working principles by studying the weak points in the strategies that six of the most advanced anti-ransomware currently implements. We support our speculations with experiments, proving at the same time that those weak points are in fact vulnerabilities and that the future ransomware that we have imagined can be effective. Next, we analyze existing decoy strategies and discuss how they are effective in countering current ransomware by defining a set of metrics to measure their robustness. To demonstrate how ransomware can identify existing deception-based detection strategies, we implement a proof-of-concept decoy-aware ransomware that successfully bypasses decoys by using a decision engine with few rules. We also discuss existing issues in decoy-based strategies and propose practical solutions to mitigate them. Finally, we look for vulnerabilities in antivirus (AV) programs which are the de facto security tool installed at computers against cryptographic ransomware. In our experiments with 29 consumer-level AVs, we discovered two critilcal vulnerabilities. The first one consists in simulating mouse events to control AVs, namely to send them mouse “clicks” to deactivate their protection. We prove that 14 out of 29 AVs can be disabled in this way, and we call this class of attacks Ghost Control. The second one consists in controlling whitelisted applications, such as Notepad, by sending them keyboard events (such as “copy-and-paste”) to perform malicious operations on behalf of the malware. We prove that the anti-ransomware protection feature of AVs can be bypassed if we use Notepad as a “puppet” to rewrite the content of protected files as a ransomware would do. Playing with the words, and recalling the cat-and-mouse game, we call this class of attacks Cut-and-Mouse. In the third part of the thesis, we propose a strategy to mitigate cryptographic ransomware attacks. Based on our insights from the first part of the thesis, we present UShallNotPass which works by controlling access to secure randomness sources, i.e., Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) Appliction Programming Interfaces (APIs). We tested UShallNotPass against 524 real-world ransomware samples, and observe that UShallNotPass stops 94% of them, including WannaCry, Locky, CryptoLocker and CryptoWall. Remarkably, it also nullifies NotPetya, the offspring of the family which so far has eluded all defenses. Next, we present NoCry, which shares the same defense strategy but implements an improved architecture. We show that NoCry is more secure (with components that are not vulnerable to known attacks), more effective (with less false negatives in the class of ransomware addressed) and more efficient (with minimal false positive rate and negligible overhead). To confirm that the new architecture works as expected, we tested NoCry against a new set of 747 ransomware samples, of which, NoCry could stop 97.1%, bringing its security and technological readiness to a higher level. Finally, in the fourth part, we present the potential future of the cryptographic ransomware. We identify new possible ransomware targets inspired by the cybersecurity incidents occurred in real-world scenarios. In this respect, we described possible threats that ransomware may pose by targeting critical domains, such as the Internet of Things and the Socio-Technical systems, which will worrisomely amplify the effectiveness of ransomware attacks. Next, we looked into whether ransomware authors re-use the work of others, available at public platforms and repositories, and produce insecure code (which might enable to build decryptors). By methodically reverse-engineering malware executables, we have found that, out of 21 ransomware samples, 9 contain copy-paste code from public resources. From this fact, we recall critical cases of code disclosure in the recent history of ransomware and, reflect on the dual-use nature of this research by arguing that ransomware are components in cyber-weapons. We conclude by discussing the benefits and limits of using cyber-intelligence and counter-intelligence strategies that could be used against this threat.