Since the malvuln project started, it has catalogued approaching 600 vulnerable pieces of malware to date. Witnessing the endless ransomware attacks in the news, and having no ransomware trophy kills, I figured I would take a crack at it. At first, ransomware seemed like a big challenge. I am not aware of any sample that listens on ports that can be abused, and local elevation of privilege techniques mean nothing when things get encrypted immediately.
But wait...
In steps DLL hijacking. DLL hijacking is a method of injecting malicious code into an application by exploiting the way some Microsoft Windows applications search for and load Dynamic Link Libraries (DLLs). Only Microsoft operating systems are susceptible to DLL hijacking.
This coding flaw in DLL searching has plagued many pieces of legitimate software for years. If a program runs and side-loads an arbitrary DLL, it will execute that code in the parent process. Initial research has found this flaw to be a common mistake made by ransomware authors, and we can leverage it to mitigate the attack.
Implementing A Kill Switch
Not all methodologies are the same, but implementing a kill switch is possible for all pieces of ransomware that suffer from this issue. The code for implementing a kill switch primarily uses the Win32 API calls GetCurrentDirectory, OpenProcess and TerminateProcess.
Time was spent analyzing the running ransomware in a virtual machine using the Sysinternals "Process Monitor" utility and monitoring for the "NAME NOT FOUND" result. This is a simple indicator identifying the DLL being sought by the ransomware. For example, "Conti Ransom" wants to load "netapi32.dll" when it spawns. We can craft a DLL that calls GetCurrentDirectory to obtain the current directory. Next, we compare the return value from GetCurrentDirectory with the hardcoded string "C:\Windows\System32" using the standard "strcmp" string function.
If strcmp returns a non-zero value, we know the malware is looking in its own directory and not the legitimate "System32" directory, which is normally where "netapi32.dll" lives. Based on that condition, we make the decision to call the Win32 API OpenProcess() function to get a handle to our own process ID (PID) and terminate.
In cases like "BlackBasta.Ransom", where the malware looks for "wow64log.dll" in the "C:\Windows\System32" directory, we compile "wow64log.dll", copy it there, and simply call exit(). Additionally, the wow64log.dll DLL had to export the "WINBASEAPI LONG WINAPI InterlockedExchange" function that was required of it.
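The netapi32.dll kill switch described above, written out as an added example (not the author's or Malvuln's own code): the decision is kept in a portable should_terminate() function, the Windows-only DllMain sits under #ifdef _WIN32, and, going one step beyond the post's strcmp check, the comparison is case-insensitive because Windows paths are. The legitimate directory string is the one from the post; everything else is assumed.

```c
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Where netapi32.dll legitimately lives, per the post. */
#define LEGIT_DIR "C:\\Windows\\System32"

/* Case-insensitive compare: Windows paths are not case sensitive, so a
 * plain strcmp would treat "c:\windows\system32" as a mismatch. */
static int path_equal_ci(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++; b++;
    }
    return *a == *b;
}

/* Kill-switch decision: 1 = terminate the host process, 0 = leave it.
 * Any directory other than System32 means the host resolved this DLL
 * from its own working directory, i.e. it was side-loaded. */
int should_terminate(const char *current_dir)
{
    return !path_equal_ci(current_dir, LEGIT_DIR);
}

#ifdef _WIN32
/* Built as netapi32.dll; this runs when the ransomware loads it. */
BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved)
{
    char cwd[MAX_PATH];
    (void)inst; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        DWORD n = GetCurrentDirectoryA(MAX_PATH, cwd);
        if (n > 0 && n < MAX_PATH && should_terminate(cwd)) {
            /* Same sequence as the post: handle to our own PID, then terminate. */
            HANDLE self = OpenProcess(PROCESS_TERMINATE, FALSE, GetCurrentProcessId());
            if (self != NULL)
                TerminateProcess(self, 1);   /* host dies before it can encrypt */
        }
    }
    return TRUE;
}
#endif
```

Compile it as netapi32.dll with a Windows toolchain and place it in the directories named under Defensive Leverage; off Windows only the decision logic is exercised.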
Defensive Leverage
DLLs written to defuse the ransomware can be placed in directories where users commonly execute binaries, whether downloaded or attached to email. The existence of these files can mitigate many of the current ransomware strains in circulation. DLLs used to mitigate the attack can be set as hidden system files using the Windows command-line "attrib +s +h" command. It is expected that malware authors will start correcting these coding mistakes, but historic strains can be stopped.
In Summary
Many endpoint security defenses focus on hash signatures, indicators of compromise (IOCs), and complicated hooking. However, this simple method intercepts the ransomware and acts as a built-in kill switch, terminating it pre-encryption. Endpoint protection systems and antivirus can potentially be killed prior to executing malware, but this method cannot, as there's nothing to kill: the DLL just lives on the disk waiting. All basic tests were conducted successfully in a virtual machine environment.
Who Can Be Stopped?
The following ransomware families are all susceptible at the time of this writing:
Conti [1], [2], [3]
REvil [1], [2]
BlackBasta [1]
Lockbit [2]
AvosLocker [3]
LokiLocker [4]
WannaCry [5]
- Guest post from John Page / Malvuln.com[6]
Read more https://packetstormsecurity.com/news/view/33399/Ridiculous-Ransomware-Kill-Switch.html