Ridiculous Ransomware Kill Switch
Posted May 5, 2022
Source Malvuln

Since the Malvuln project started, it has catalogued almost 600 vulnerable pieces of malware to date. Witnessing the endless ransomware attacks in the news, and as I had no ransom trophy kills, I figured I would take a crack at it. At first, ransomware seemed like a big challenge. I am not aware of any sample that listens on any ports that can be abused, and local elevation of privilege techniques mean nothing when things get encrypted immediately.


But Wait...

In steps DLL hijacking. DLL hijacking is a method of injecting code into an application by exploiting the way some Microsoft Windows applications search for and load Dynamic Link Libraries (DLLs). Only Microsoft operating systems are susceptible to DLL hijacking.

This coding flaw in DLL searching has plagued many pieces of legitimate software for years. If a program is run and side-loads an arbitrary DLL, that DLL's code executes inside the process that loaded it. Initial research has found this flaw to be a common mistake made by ransomware authors, and we can leverage it to mitigate the attack.

Implementing A Kill Switch

Not all methodologies are the same, but implementing a kill switch is possible for every piece of ransomware that suffers from this issue. The code for implementing a kill switch primarily uses the Win32 API calls GetCurrentDirectory, OpenProcess and TerminateProcess.

Time was spent analyzing the running ransomware in a virtual machine using the Sysinternals "Process Monitor" utility and watching for the "NAME NOT FOUND" result. This is a simple indicator that identifies the DLL the ransomware is trying to load.

For example, "Conti Ransom" wants to load "netapi32.dll" when it spawns. We can craft a DLL that calls GetCurrentDirectory to obtain the current directory. Next, we compare the value returned by GetCurrentDirectory with the hardcoded string "C:\Windows\System32" using the standard "strcmp" string function.

If strcmp returns a non-zero value, the two strings differ, so we know the malware is looking in its own directory and not the legitimate "System32" directory where "netapi32.dll" normally lives. Based on that condition, we decide to call the Win32 API OpenProcess() function to get a handle to our own process (by PID) and terminate it with TerminateProcess.
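The Conti-style kill switch described above, written out in C as an added example (this is not Malvuln's code): a portable decision function, should_kill_host (a hypothetical name), plus a Windows-only DllMain that wires it to GetCurrentDirectory, OpenProcess and TerminateProcess. It departs from the text in one respect: the comparison is case-insensitive, because Windows paths are, so a plain strcmp would treat "c:\windows\system32" as a foreign directory; the sample paths in the comments are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#define SYSTEM32_DIR "C:\\Windows\\System32"
#define KS_MAX_PATH 260   /* same limit as Windows' MAX_PATH */

/* Case-insensitive comparison: Windows paths are case-insensitive, so a plain
 * strcmp() would wrongly treat "c:\windows\system32" as a foreign directory. */
static bool same_path(const char *a, const char *b) {
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    }
    return *a == '\0' && *b == '\0';
}

/* The kill-switch decision: true when the current directory is anything other
 * than the legitimate System32 directory, i.e. the host is side-loading us. */
bool should_kill_host(const char *current_dir) {
    char norm[KS_MAX_PATH];
    size_t n;
    if (current_dir == NULL) return false;      /* unknown state: stay passive */
    n = strlen(current_dir);
    if (n == 0 || n >= sizeof norm) return false;
    memcpy(norm, current_dir, n + 1);
    if (n > 1 && norm[n - 1] == '\\') norm[n - 1] = '\0';  /* drop trailing '\' */
    return !same_path(norm, SYSTEM32_DIR);
}

#ifdef _WIN32
#include <windows.h>

/* Windows-only entry point, run when the ransomware side-loads this DLL. */
BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved) {
    (void)inst; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        char cwd[KS_MAX_PATH];
        DWORD len = GetCurrentDirectoryA(KS_MAX_PATH, cwd);
        if (len > 0 && len < KS_MAX_PATH && should_kill_host(cwd)) {
            HANDLE self = OpenProcess(PROCESS_TERMINATE, FALSE, GetCurrentProcessId());
            if (self != NULL) {
                TerminateProcess(self, 1);   /* kill our own host pre-encryption */
                CloseHandle(self);
            }
        }
    }
    return TRUE;
}
#endif
```

Only the decision function is built on non-Windows systems; the DllMain block compiles when targeting Windows, where the DLL is named after the library the ransomware is looking for.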

In cases like "BlackBasta.Ransom", which looks for "wow64log.dll" in the "C:\Windows\System32" directory, we compile and copy a "wow64log.dll" there and simply call exit(). In addition, this wow64log.dll had to export the "WINBASEAPI LONG WINAPI InterlockedExchange" function that the loading process expects from it.

Defensive Leverage

DLLs written to defuse the ransomware can be placed in directories where users commonly execute binaries, whether downloaded or attached to email. The presence of these files can mitigate many of the ransomware strains currently circulating. DLLs used to mitigate attacks can be set as hidden system files with the Windows command-line attrib +s +h command. It is expected that malware authors will start correcting these coding mistakes, but historic strains can be stopped.

In Summary

Many endpoint security defenses focus on hash signatures, indicators of compromise (IOCs), and complicated hooking. However, this simple method intercepts the ransomware and acts as a built-in kill switch, terminating it pre-encryption. Endpoint protection systems and antivirus can potentially be killed before the malware executes, but this method cannot, as there's nothing to kill: the DLL just lives on the disk waiting. All basic tests were conducted successfully in a virtual machine environment.

Who Can Be Stopped?

The following ransomware families are all susceptible at the time of this writing:

Conti [1], [2], [3]
REvil [1], [2]

- Guest post from John Page / Malvuln.com
