Tuesday, April 2, 2013

Detect Generically Ransomware With Joe Sandbox 7.4.0

Malware which blocks your computer in order to demand a ransom has become extremely popular. Most of them are delivered via exploit kits. Recently even some of our friends and relatives got infected by these nasty programs. It turned out that often an old Java installation was the gateway for the infection. However, although a known up to date Anti Virus Solution was running, nothing got detected. Thus we thought it might be worth to research some techniques to generically detect ransomware.

If we let Joe Sandbox analyse a recent ransomware sample (MD5: 3e99fab7f175eb8bf283b1e883c714c9) we get the following report artifacts: 




As you see the malware injected code into the trusted processes explorer and svchost. Inside svchost it created an autostart key. If we check out the screenshots captured by Joe Sandbox we can see what has happened:


Due to the last screenshot it becomes suddenly clear that this is ransomware. In addition there are some additional artifacts in the report which describe how the malware creates the top level window to block access:




Windows contains functionality to handle virtual desktops which is abused by the malware. It creates a new virtual desktop called "MyDesktop". Later it switches to the new desktop and creates an overlay window to lure the victim to pay a ransom. As Windows does not offer any default hot-key to switch back to the original desktop, operating the computer becomes tedious. Thus the new desktop is an excellent scheme to block operation.

To detect ransomware one may think of detecting code that creates / switches to desktops. However, this may lead to false positives, since all virtual desktop tools (e.g. VirtuaWin) use these APIs. A much more elegant and generic approach would be to detect key aspects such as display text (e.g. block, copyright, violation etc.) of the window shown to the victim.

One way to do that would be to enumerate all windows, control fields and dialogs and query their display text. However, this may be easily prevented by  malware using custom controls or GUI frameworks such as QT. A much better approach is using OCR (optical character recognition). We used that idea to develop a cool signature:

Afterwards we wrote a simple but powerful signature to detect relevant keywords within OCR output:


The statistical analysis showed that in most cases ransomware uses Ukash and PaySafeCard for handling the payment. Thus we used these word for detection. In order to deal with the problems of imprecise OCR output we set a threshold of 80% for word matching based on the Levenshtein distance.

Finally we tested the signature:


In order to detect ransomware we created the following logical formula:

If "creates an autostart key" and "creates a new desktop" and  "shows paysafecard and ukash on the screen" => ransomware

OCR output will be present in all Joe Sandbox 7.4.0 reports. Complete Joe Sandbox Report can be found here: Joe Sandbox Analysis Report