The New Generation of Ransomware - an in Depth Study of Ransomware-As-A-Service

The new generation of ransomware - An in depth study of Ransomware-as-a-Service
Noël Keijzer
June 25, 2020

Abstract

Ransomware is a problem that is becoming more prevalent as companies rely more heavily on IT infrastructure. Ransomware causes major damage to companies and has recently emerged in a new form, Ransomware-as-a-Service (RaaS). RaaS is a service provided by ransomware authors which allows cyber-criminals to rent ransomware for a fee. RaaS allows cyber-criminals who lack the skills to write their own ransomware to deploy a "rented" version. A RaaS strain, REvil, is compared to a regular ransomware strain, WannaCry. Differences and common properties are identified between these strains and evaluated against existing work on other RaaS and regular ransomware strains. From these characteristics it follows that RaaS is at least as advanced as, if not more advanced than, the most sophisticated regular ransomware. Several possible mitigation techniques are proposed to reduce the impact of RaaS, to classify it during or after infection, and to recover files from an encrypted system. Finally, it is shown how these differences and common properties can aid in a criminal investigation.

REvil is also compared to an older RaaS strain, GandCrab. Differences and common properties are found for these two strains and evaluated using analyses of other RaaS strains. From these differences and common properties several trends in RaaS development are identified. RaaS is moving towards more advanced encryption techniques and towards making the ransomware more configurable. Finally, RaaS has moved towards a model that is able to encrypt systems independently of Command & Control servers.

Preface

Writing this report has been a fun and interesting journey. Starting off not knowing anything about reverse engineering, it was also quite the learning experience. I would like to thank my future colleagues at Northwave for all their support and guidance during this process.
I would like to thank Erik and Anna for being my supervisors. Furthermore, I would like to thank Martijn for his advice and the daily supervision during my thesis. Without his help this thesis would never have turned out the way it did. I would like to thank all the friends I made during my studies for the fun times, you know who you are! Finally, I would like to thank my family for supporting me all the way through my studies.

Contents

1 Introduction . . . 8
1.1 Contribution . . . 8
1.2 Report structure . . . 9
2 Research questions . . . 10
3 Background . . . 11
3.1 Ransomware . . . 11
3.2 Ransomware-as-a-Service . . . 12
3.3 Cryptography . . . 12
3.4 Privilege Escalation and Anti-virus evasion . . . 12
3.5 Social engineering . . . 13
3.6 Exploit kits . . . 14
3.7 Remote access services . . . 15
3.8 Packers . . . 15
3.9 Anti-RE techniques . . . 15
3.10 Intrusion detection systems . . . 16
4 Methodology . . . 17
4.1 RQ 1: What is the current state of Ransomware-as-a-Service, what measures can be taken to reduce the impact of Ransomware-as-a-Service and what is the direction of development in Ransomware-as-a-Service? . . . 17
4.2 RQ 1.1: What are the differences and common properties of Ransomware-as-a-Service ransomware compared to regular ransomware? . . . 17
4.3 RQ 1.2: How can the characteristics of Ransomware-as-a-Service be used to reduce the impact of Ransomware-as-a-Service? . . . 19
4.4 RQ 1.2.1: Can these characteristics be used to detect Ransomware-as-a-Service ransomware in the early stages of its execution? . . . 19
4.5 RQ 1.2.2: Can these characteristics be used to classify a Ransomware-as-a-Service ransomware during/after infection? . . . 20
4.6 RQ 1.2.3: Can these characteristics be used to recover files from an encrypted system? . . . 20
4.7 RQ 1.2.4: Can these characteristics be used to aid in criminal investigations? . . . 21
4.8 RQ 1.3: What are the differences and common properties of REvil compared to GandCrab? . . . 21
4.9 RQ 1.4: Can these differences be used to find trends in current Ransomware-as-a-Service development? . . . 21
5 REvil analysis . . . 23
5.1 Packing method . . . 23
5.2 Anti-reverse engineering techniques . . . 25
5.2.1 Dynamic imports . . . 25
5.2.2 Encrypted strings . . . 27
5.3 Imports . . . 29
5.4 Mutexes . . . 29
5.5 Registry keys . . . 29
5.6 API Functions . . . 31
5.7 Privilege escalation methods . . . 32
5.8 Configuration options . . . 33
5.9 Encryption method . . . 35
5.10 Encryption key management . . . 37
5.11 Command & Control communication fields . . . 39
5.12 Network traffic . . . 41
5.13 Anti-virus evasion methods . . . 43
5.14 Persistence mechanisms . . . 43
5.15 Spreading mechanisms . . . 43
5.16 Process white/blacklist . . . 44
5.17 Folder white/blacklist used for encryption . . . 44
5.18 Execution flowchart . . . 45
5.19 MITRE ATT&CK matrix . . . 46
6 WannaCry analysis . . . 47
6.1 Packing method . . . 47
6.2 Anti-reverse engineering techniques . . . 47
6.3 Imports . . . 47
6.4 Mutexes . . . 48
6.5 Registry keys . . . 48
6.6 API Functions . . . 48
6.7 Privilege escalation methods . . . 49
6.8 Configuration options . . . 49
6.9 Encryption method . . . 50
6.10 Encryption key management . . . 50
6.11 Command & Control communication fields . . . 50
6.12 Network traffic . . . 50
6.13 Anti-virus evasion methods . . . 51
6.14 Persistence mechanisms . . . 51
6.15 Spreading mechanisms . . . 51
6.16 Process white/blacklist . . . 51
6.17 Folder white/blacklist used for encryption . . . 51
6.18 Execution flowchart . . . 53
6.19 MITRE ATT&CK matrix . . . 53
7 GandCrab analysis . . . 55
7.1 Packing method . . . 55
7.2 Anti-reverse engineering techniques . . . 56
7.3 Imports . . . 57
7.4 Mutexes . . . 57
7.5 Registry keys . . . 57
7.6 API Functions . . . 58
7.7 Privilege escalation methods . . . 59
7.8 Configuration options . . . 59
7.9 Encryption method . . . 59
7.10 Encryption key management . . . 59
7.11 Command & Control communication fields . . . 60
7.12 Network traffic . . . 61
7.13 Anti-virus evasion methods . . . 61
7.14 Persistence mechanisms . . . 61
7.15 Spreading mechanisms . . . 61
7.16 Process white/blacklist . . . 61
7.17 Folder white/blacklist used for encryption . . . 62
7.18 Execution flowchart . . . 63
7.19 MITRE ATT&CK matrix . . . 65
8 Other analyses . . . 66
8.1 Packing method . . . 66
8.2 Anti-reverse engineering techniques . . . 66
8.3 Imports . . . 67
8.4 Mutexes . . . 68
8.5 Registry keys . . . 68
8.6 API Functions . . . 69
8.7 Privilege escalation methods . . . 69
8.8 Configuration options . . . 70
8.9 Encryption method . . . 70
8.10 Encryption key management . . . 71
8.11 Command & Control communication fields . . . 72
8.12 Network traffic . . . 73
8.13 Anti-virus evasion methods . . . 74
8.14 Persistence mechanisms . . . 74
8.15 Spreading mechanisms . . . 74
8.16 Process white/blacklist . . . 74
8.17 Folder white/blacklist . . . 75
8.17.1 Spora ransomware . . . 75
8.17.2 Phobos ransomware . . . 76
8.17.3 Maze Ransomware . . . 76
8.17.4 Lockbit ransomware . . . 77
8.17.5 Nemty ransomware . . . 78
8.17.6 Buran ransomware . . . 78
9 Discussion . . . 80
9.1 Packing method . . . 80
9.2 Anti-reverse engineering techniques . . . 81
9.3 Imports . . . 82
9.4 Mutexes . . . 84
9.5 Registry keys . . . 85
9.6 API Functions . . .

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 135