UNVEIL at USENIX Security 2016

Large-scale ransomware detection

Amin will be presenting his latest work on fighting ransomware at USENIX Security this summer. The system he’ll be talking about is called UNVEIL, which enhances dynamic sandboxes to accurately recognize ransomware-like behavior.

Ransomware Returns

Ransomware has emerged as a major threat in the past couple of years, where the central idea is to maliciously prevent a victim from accessing their data until a ransom is paid. Though ransomware has been around since at least the early 1990s, it has experienced a resurgence in popularity of late in the form of malware families such as Cryptowall and Cryptolocker that make use of cryptographic mechanisms to deny user access to data. While standard best practices like taking regular backups could in principle protect users against exposure to ransomware, advanced variants could also potentially attack online backup systems. And, ransomware isn’t just about data; if you’re a police department or a hospital and your systems are locked because of ransomware, loss of data might not be your most pressing concern.

Ideally, we would be able to detect and block ransomware on endpoints. However, even automated identification of ransomware behavior during dynamic analysis is not straightforward. UNVEIL provides this capability using two complementary sets of techniques, one targeting cryptographic ransomware and one targeting desktop lockers.

Finding Cryptographic Ransomware

Prior to executing a sample in a dynamic analysis sandbox, UNVEIL first randomly generates a realistic user environment by generating a set of documents and adding them to the sandbox file system. The motivation behind this step is two-fold. First, we want to disguise the fact that the sample is executing in a dynamic sandbox. Second, populating the file system provides the potential ransomware sample with a target-rich environment. Thus, the generated user environment aims to elicit ransomware behavior.

Then, during execution UNVEIL interposes on all I/O requests using a kernel-based monitor. This monitor extracts features from each request such as the type of request (e.g., open, read, write) as well as the entropy of the data buffer if present. These events are then matched against a set of I/O access pattern signatures that have been manually compiled from analyzing labeled ransomware samples. Matches against these signatures are considered evidence that the sample is in fact ransomware.
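To make the pipeline above concrete, here is an added, self-contained illustration of the feature-extraction and signature-matching step. It is not UNVEIL's code, and the trace format, the entropy threshold, and the two access-pattern signatures (read a file, then write a high-entropy buffer back to it; read a file, write a high-entropy buffer to a new path, then delete the original) are this example's assumptions, chosen to resemble the behavior the paragraph describes rather than copied from the paper. The I/O trace is constructed for the example.

```python
import math
from collections import Counter

# Constructed buffers: uniform byte distribution gives exactly 8.0 bits/byte,
# repetitive English text is well under the threshold.
HIGH_ENTROPY_BUF = bytes(range(256)) * 4
PLAINTEXT_BUF = b"Q3 revenue was up 4% over Q2. " * 40

# Assumed threshold (bits/byte) above which a write buffer looks encrypted.
HIGH_ENTROPY = 7.0

# Constructed I/O trace as a kernel-level monitor might report it.
# Event format (pid, op, path, data) is this example's assumption.
# pid 1001 behaves like ransomware; pid 2002 edits a text file normally.
SAMPLE_TRACE = [
    (1001, "open", "C:/Users/victim/Documents/q3-report.docx", None),
    (1001, "read", "C:/Users/victim/Documents/q3-report.docx", PLAINTEXT_BUF),
    (1001, "write", "C:/Users/victim/Documents/q3-report.docx", HIGH_ENTROPY_BUF),
    (1001, "open", "C:/Users/victim/Pictures/family.jpg", None),
    (1001, "read", "C:/Users/victim/Pictures/family.jpg", b"\xff\xd8" + PLAINTEXT_BUF),
    (1001, "write", "C:/Users/victim/Pictures/family.jpg.locked", HIGH_ENTROPY_BUF),
    (1001, "delete", "C:/Users/victim/Pictures/family.jpg", None),
    (2002, "open", "C:/Users/victim/Documents/notes.txt", None),
    (2002, "read", "C:/Users/victim/Documents/notes.txt", PLAINTEXT_BUF),
    (2002, "write", "C:/Users/victim/Documents/notes.txt", PLAINTEXT_BUF + b" Edited."),
]


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of a byte buffer in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def extract_features(events):
    """Turn raw I/O events into per-request feature records."""
    features = []
    for pid, op, path, data in events:
        features.append({
            "pid": pid,
            "op": op,
            "path": path,
            # Entropy is only meaningful when a data buffer accompanies the request.
            "entropy": shannon_entropy(data) if data is not None else None,
        })
    return features


def match_signatures(features):
    """Match feature records against two illustrative access-pattern signatures.

    Returns a list of (signature_name, path) hits. State is tracked per pid so
    that one process's reads are never paired with another process's writes.
    """
    hits = []
    state = {}  # pid -> {"read": paths read so far, "enc_writes": high-entropy new files}
    for f in features:
        st = state.setdefault(f["pid"], {"read": set(), "enc_writes": set()})
        if f["op"] == "read":
            st["read"].add(f["path"])
        elif f["op"] == "write" and f["entropy"] is not None and f["entropy"] >= HIGH_ENTROPY:
            if f["path"] in st["read"]:
                # Signature 1: the file that was just read is overwritten in place
                # with encrypted-looking data.
                hits.append(("overwrite-in-place", f["path"]))
            else:
                st["enc_writes"].add(f["path"])
        elif f["op"] == "delete":
            if f["path"] in st["read"] and st["enc_writes"]:
                # Signature 2: a file was read, a high-entropy copy was written
                # elsewhere, and the original is now deleted.
                hits.append(("read-encrypt-delete", f["path"]))
    return hits


def is_ransomware(events, min_hits: int = 2) -> bool:
    """Flag a sample once enough signature hits accumulate for one process."""
    per_pid = Counter()
    for f, (_, _) in [(f, h) for f in extract_features(events) for h in []]:
        pass  # placeholder never executes; counting is done below
    feats = extract_features(events)
    for pid in {f["pid"] for f in feats}:
        per_pid[pid] = len(match_signatures([f for f in feats if f["pid"] == pid]))
    return any(n >= min_hits for n in per_pid.values())


if __name__ == "__main__":
    for hit in match_signatures(extract_features(SAMPLE_TRACE)):
        print(hit)
    print("ransomware-like:", is_ransomware(SAMPLE_TRACE))
```

Note that pid 2002's write is not flagged because its buffer is low-entropy text; a benign process that writes a zip or an already-encrypted file would clear the entropy threshold, which is why the decision rests on ordered access patterns and a minimum number of hits rather than on entropy alone.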

Finding Desktop Lockers

The I/O access pattern technique described above is useful for cryptographic ransomware. However, desktop locking ransomware uses a substantially different mechanism that – as the name implies – relies on preventing the victim from accessing the system desktop. To address this class of ransomware, UNVEIL instead attempts to detect the presence of a ransom note. This technique is quite reliable since displaying a ransom note is something of a behavioral invariant for ransomware; that is, a victim must be notified that their data is inaccessible and a ransom must be paid for the attack to succeed.

To accomplish this, UNVEIL identifies major visual changes to the desktop between the start and end of execution. If such a change is detected, UNVEIL then performs OCR on the ending screenshot and checks for extracted words that are indicative of ransom notes.

Unveiling Ransomware

The combination of these two approaches turns out to work quite well. In fact, in addition to accurately identifying a ground truth data set of ransomware samples, UNVEIL was able to discover a previously unknown family of malware we call SilentCrypt. Interestingly, it seems that this family explicitly checks for the lack of a realistic user environment to evade analysis.

We hope that UNVEIL’s approach will help to more scalably label ransomware by taking advantage of ransomware behavioral characteristics. Even better would be to extend the approach to defend against ransomware at exploitation time, something we’re actively investigating in our lab.