Monitorización, detección y bloqueo de procesos de cifrado malicioso

Abstract

This project wants to give a solution to Ransomware, a problem that in 2016 is affecting the biggest amount of users in malware's world. Ransomware is a kind of malware characterized by asking a ransom payment after infecting a device. Firstly they just block the device showing a full screen message until receiving the payment but, in a while, they started using file encryption. Once the files have been encrypted, it is virtually impossible to decipher them without the decryption key. That leaves only the possibility of ransom to recover lost files. During the investigation about ransomware, we found that the vast majority of them used fixed extensions and patterns to rename encrypted files. Somehow, we could use this feature to identify the encryption process in its initial state and kill it. RaMON is a reactive tool that doesn't require installation and designed to consume very little resources. These characteristics make possible to work together with an antivirus as a light and transparent application. We must remember that RaMON has been designed to fight against a very specific type of malware. For this reason, it should be viewed as an additional security layer and in no way a replacing for an antivirus. RaMON has a blacklist with extensions we consider as IOC (Indicator of Compromise). When one of this extensions is detected, a malicious encryption process is taking place. From them, the functionality of the tool follows these steps: - Monitoring File System for detecting creation/rename of new executable files (.exe) - Monitoring creation/rename files with dangerous extensions. - Matching the “Last created EXE’s” list with current process list, in order to find encryption process. - Once found, matches the “Last created EXE’s” list with current process list, in order to find encryption process. After that, it sends a kill signal to it, his sons and threads. - In parallel, disables network interfaces to avoid expansion of the infection. - Sends a shutdown informing the user about the infection. We make this in order to avoid to keep modifying the system, just in case of an eventual forensic analysis. As a last line of defense tool, its performance will only take place if the ransomware has bypassed all other security layers (UAC, execution prevention, antivirus, firewall, etc.). We should note that the computer world in general, and malware in particular, improves at high speed and what is effective today, probably tomorrow will not. The same sources of information serve the blackhat and the whitehat hackers, fueling the fast evolution in the world of security. Most of time we are thinking about improving security applications but sometimes we forget to work hardly in user education, that is always the weakest link in the infection chain.