Ph.D. Thesis Proposal

Techniques and Solutions for Addressing Ransomware Attacks

Amin Kharraz
College of Computer and Information Science
Northeastern University

Ph.D. Committee
Engin Kirda, Advisor, Northeastern University
William Robertson, Advisor, Northeastern University
Manuel Egele, External Member, Boston University
Long Lu, Northeastern University – Stony Brook University

July 2017

Abstract

Ransomware is a form of extortion-based attack that locks the victim's digital resources and requests money to release them. Although the concept of ransomware is not new (such attacks date back at least as far as the 1980s), this type of malware has recently experienced a resurgence in popularity. In fact, over the last few years, a number of high-profile ransomware attacks were reported. Very recently, the WannaCry ransomware infected thousands of vulnerable machines around the world and substantially disrupted critical services such as the British healthcare system. Given the size and variety of the threats we are facing today, solutions that effectively detect and analyze unknown ransomware attacks are necessary.

In this thesis, we argue that it is possible to extend existing defense mechanisms and protect user data from a large number of ransomware attacks with zero data loss. To support this claim, in the first part of the thesis, we perform an evolution-based analysis to understand the destructive behavior of ransomware attacks. We show that by monitoring the interaction of malicious processes with the operating system, it is possible to design practical defense mechanisms that could stop even very successful cryptographic ransomware attacks. In the second part, we propose a novel dynamic analysis system, called Unveil, that is designed to analyze ransomware attacks and model their interactions. In the third and last part, we propose an end-point framework, called Redemption, to protect user data from ransomware attacks.
We present an operating system-independent design, and also provide implementation details which show that such lightweight solutions could be integrated into existing operating systems while achieving zero data loss in a large number of successful ransomware attacks.

Contents

1 Introduction 1
1.1 Focus of this Work 2
1.2 Related Work 3
2 An Analysis on Current Ransomware Attacks 4
2.1 Ransomware Dataset 4
2.2 Developing the Monitoring Tool 5
2.3 Characterization and Evolution 6
3 A Dynamic Analysis Approach to Detecting Ransomware 6
3.1 System Design 7
3.2 Analysis and Findings 10
3.3 Detecting Zero-Day Ransomware 12
4 Protecting End-Points from Ransomware Attacks 14
4.1 System Design 15
4.2 Dataset 16
4.3 Analysis on Labeled Data 16
5 Future Work and Timeline 18
5.1 Evaluating the Redemption Prototype 18
5.2 Timeline 18

1 Introduction

Malware attacks continue to remain one of the most popular attack vectors in the wild [60, 47]. Among all classes of malware, ransomware has recently become very popular among malware authors [9, 16, 20, 26]. Ransomware is a kind of scareware that locks the victims' computers until they make a payment to regain access to their data. In fact, this class of malware is not a new concept (such attacks have been in the wild since the last decade), but the growing number of high-profile ransomware attacks has resulted in increasing concerns about how to defend against this class of malware. In 2016, several public and private sectors, including the healthcare industry, were impacted by ransomware [13, 10, 66]. Lately, US officials have also expressed their concerns about ransomware [23, 30], and even asked the U.S. government to focus on fighting ransomware under the Cybersecurity National Action Plan [30].
Very recently, WannaCry ransomware, the most recent successful ransomware attack, impacted thousands of users around the world by exploiting the EternalBlue vulnerability, encrypting user data, and demanding bitcoin payments in exchange for unlocking files [48].

In response to the increasing number of ransomware attacks, users are often advised to create backups of their critical data. Certainly, having a reliable data backup policy minimizes the potential costs of being infected with ransomware, and is an important part of the IT management process. However, the growing number of paying victims [11, 51, 24] suggests that technically unsophisticated users – who are the main target of these attacks – do not follow these recommendations, and easily become paying victims of ransomware. Hence, ransomware authors continue to create new attacks and evolve their creations, as evidenced by the emergence of more sophisticated ransomware every day [62, 8, 60, 53].

Unfortunately, many of the recent security reports about ransomware [19, 31, 32, 60, 61, 47] mainly focus on the advancements in ransomware attacks and their levels of sophistication, rather than providing insights about effective defense techniques that should be adopted against this threat. Furthermore, the current defense mechanisms to detect, analyze, and defend against ransomware are not very different from the ones used to detect other types of evasive malware. Perhaps the main assumption here is that this class of malware employs all possible evasion techniques, similar to other classes of malware, to bypass detection tools, reach end-users, and successfully launch attacks. While we agree that this is a valid assumption, we claim that these mechanisms cannot lead to the best defense against ransomware, as evidenced by the increasing number of very successful ransomware attacks in the wild.
1.1 Focus of this Work

In this thesis, we investigate the feasibility of developing solutions to detect and analyze ransomware attacks. In fact, the thesis of this dissertation is that, unlike other malware, the nature of ransomware attacks is not very broad, and protecting against a large number of ransomware attacks is possible. We argue that ransomware attacks follow very similar patterns in order to be successful and force victims to pay the ransom fee. For example, unlike other classes of malware that aim to be stealthy in order to collect banking credentials or keystrokes without raising suspicion, ransomware notifies victims that they are infected. Moreover, a successful ransomware usually needs to prevent the user's access to his own data by performing encryption and/or deletion operations, and repeating these destructive actions during an attack. This thesis aims to show that if we use these insights on the defense side and accurately model these behaviors, we can reliably detect a significant number of ransomware attacks in the wild.

In the first part of this thesis, we perform an evolution-based analysis on ransomware attacks to understand the main characteristics of these attacks. This work is motivated by our need to study the core functionalities of these attacks from a filesystem perspective. To this end, we created a dataset of ransomware samples that covers the majority of the existing ransomware families which have been observed in the wild. We design and implement a kernel-level module to closely monitor the interaction of user-mode processes with the filesystem. Our analysis shows that different classes of ransomware attacks with multiple levels of sophistication share very similar characteristics from a filesystem perspective due to the nature of these attacks.

In the second part of this thesis, we present a novel dynamic analysis system, called Unveil, that is designed to analyze ransomware attacks and model their behaviors.
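The destructive pattern described above (reading a user's file, overwriting it with encrypted content or deleting it, and repeating this across many files) is what a filesystem-level monitor of the kind proposed here would look for. The following added example, which is not code from the thesis, scores a constructed per-process I/O trace with two assumed indicators, the entropy of written buffers and the number of existing user files damaged, to show how such behavior stands out from ordinary edits; the trace format, sample payloads and thresholds are hypothetical.

```python
import math
from collections import Counter, defaultdict
# Constructed sample of a per-process filesystem I/O trace, in the spirit of the
# proposal's kernel-level monitor. Hypothetical event format: (pid, op, path,
# data_written). Not data or code from the thesis.
DOCS = r"C:\Users\alice\Documents" + "\\"
CIPHERTEXT = bytes((i * 97 + 13) % 256 for i in range(512))  # uniform bytes: 8.0 bits/byte
SAMPLE_TRACE = [
    (100, "write", DOCS + "notes.txt", b"meeting at 10am, bring the slides\n" * 8),
    (100, "write", DOCS + "todo.txt", b"buy milk\nsend the report\n" * 8),
    (200, "read", DOCS + "notes.txt", b""),
    (200, "write", DOCS + "notes.txt", CIPHERTEXT),            # overwritten in place
    (200, "read", DOCS + "todo.txt", b""),
    (200, "write", DOCS + "todo.txt", CIPHERTEXT),
    (200, "read", DOCS + "thesis.docx", b""),
    (200, "write", DOCS + "thesis.docx.locked", CIPHERTEXT),   # encrypted copy
    (200, "delete", DOCS + "thesis.docx", b""),                # original removed
    (200, "write", DOCS + "README.txt", b"your files are encrypted\n"),
]

ENTROPY_THRESHOLD = 7.0  # assumed: bits/byte above which a write looks like ciphertext
MIN_DAMAGED_FILES = 3    # assumed: distinct user files hit before a process is flagged

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a written buffer; encrypted output approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def summarize(trace):
    """Per-pid: count of ciphertext-like writes, files read, and files damaged (overwritten after being read, or deleted)."""
    stats = defaultdict(lambda: {"high_entropy_writes": 0, "read": set(), "damaged": set()})
    for pid, op, path, data in trace:
        s = stats[pid]
        if op == "read":
            s["read"].add(path)
        elif op == "write" and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            s["high_entropy_writes"] += 1
            if path in s["read"]:
                s["damaged"].add(path)
        elif op == "delete":
            s["damaged"].add(path)
    return stats

def suspicious_pids(trace):
    """Flag processes that emit ciphertext-like writes and repeatedly destroy existing user files."""
    return sorted(pid for pid, s in summarize(trace).items()
                  if s["high_entropy_writes"] > 0 and len(s["damaged"]) >= MIN_DAMAGED_FILES)
```

Process 100 edits two files with low-entropy text and is never flagged, while process 200 is flagged after its third damaged file; the thresholds are illustrative and would need tuning against benign workloads such as compression or legitimate encryption tools.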
In our approach, the system automatically creates an artificial, realistic execution environment and monitors how ransomware interacts with that environment. We evaluate Unveil using more than 148,000 distinct samples belonging to different malware families. The evaluation of Unveil shows that our approach was able to correctly detect 13,637 ransomware samples from multiple ransomware families in a real-world data feed with zero false positives. Our analysis shows that Unveil can significantly enhance the current anti-malware solutions with regard to ransomware.

In the third part of the thesis, we investigate the possibility of protecting user data from ransomware attacks at end-hosts with zero data loss. To this end, we propose a general framework, called Redemption, to augment the operating system with ransomware protection capabilities. Redemption does not require any significant changes to the semantics of the underlying filesystem functionality, or modifications to the architecture of the operating system.

1.2 Related Work

Malware attacks are an important problem and have been extensively investigated in security research over the last couple of years. For example, a number of approaches have been proposed to describe program behavior, from analyzing byte patterns [42, 59, 57, 67] to transparently running programs in malware analysis systems [6, 36, 35, 63]. Early steps to analyze and capture the main intent of a program focused on analysis of control flow. Kruegel et al. [40] and Bruschi et al. [14] showed that by modeling programs based on their instruction-level control flow, it is possible to bypass some forms of obfuscation. Similarly, Christodorescu et al. [18] used instruction-level control flow to design obfuscation-resilient detection systems.
Later work focused on analyzing and detecting malware using higher-level semantic characterizations of their runtime behavior derived from sequences of system call invocations and OS resource accesses [37, 38, 17, 46, 58, 68].

In order to analyze the malicious behavior of malware samples, dynamic analysis tools have become popular over the last few years. Most of these techniques depend on extracting system call or Windows API call traces using sandboxing techniques. For example, CWSandbox [65] and Norman Sandbox [5] trace API calls, while Anubis [12] and Panorama [68] are examples of emulation-based malware analysis systems that can perform data-flow analysis. More recently, BareCloud [36], a bare-metal analysis system for detecting evasive malware samples, has been proposed.