# POCKET-SIZED BADNESS

### Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game

Federico 'phretor' Maggi, Stefano 'raistlin' Zanero

-----

### $ whoami

- Forward-Looking Threat (FTR) researcher @ Trend Micro
  - Research on upcoming/future threats and risks
  - Cybercrime investigation
- Interested in too many things
- Formerly Assistant Professor @ POLIMI
  - ~50 papers published
  - ~25 invited talks & lectures
  - ~100 students supervised
- PC/board member of various conferences/workshops
  - ACSAC (first week of December, Hollywood)
  - AsiaCCS
  - DIMVA
  - OWASP AppSecEU

-----

### AGENDA

- Quick retrospective on ransomware
- The humble beginning of mobile ransomware
- Case studies of mobile ransomware
- Typical technical features of mobile ransomware
  - And how to automatically detect them
- Tool!
  - How it works
    - Does it work?
  - How to get it!
- Conclusions: an economics perspective on ransomware

-----

## FROM CRYPTOVIROLOGY TO MOBILE RANSOMWARE

-----

### 1996 → 2012

- 50+ distinct families (190+ if we count the variants)
- State-of-the-art encryption

-----

## THE "LITTLE" WORLD OF MOBILE RANSOMWARE

-----

### MOBILE TARGETS

- 15x increase (Apr '15–Apr '16)
- 10–25% of all malware in certain areas (e.g., Australia, Singapore)

Timeline 2014–2016 (rebuilt from the slide's table):

- PC ransomware: DirtyDecrypt, CryptoDefense, Filecoder, CBTLocker, TorrentLocker, CoinVault (2014); Cryptvault, DMALock, Tox (2015); Jigsaw, Radamant, Hydracrypt, Cerber (2016)
- Mobile ransomware: Simplocker (May '14), Koler (May '14), TkLocker (Jun '14), Pletora (Jun '14), Svpeng/Scarepackage (Jun–Oct '14), Small (mid '14–Apr '16), New Simplocker (Jan '15), Fusob (Jan '15–Apr '16), New PornDroid (May '15), Lockscreen (Sep '16)

-----

## CASE STUDIES OF MOBILE RANSOMWARE

-----

### SLocker (a.k.a. Simplocker, or Simple Locker)

Technique: device locking

-----

### SCREEN LOCKING: BASIC TECHNIQUE

Technique: device locking

-----

### Koler: POLICE-THEMED RANSOMWARE

Technique: threatening text

-----

### Svpeng: Real encryption

Technique: data encryption

- A good summary of all mobile ransomware techniques

-----

### Device Admin API Abuse (in the manifest)

Technique: admin API abuse

-----

### Lockdroid.E & Google's Prompt Patch in Nougat

Technique: admin API abuse

- Newest family: Sep 2016
- Uses
  - resetPassword(pseudo-random passcode)
  - lockNow()
- In Nougat, resetPassword() is "one use"
  - If a password is set already, resetPassword() can't be called
- No backward compatibility
- No (benign) app can automatically change/reset the password
  - User interaction will always be required

-----

## DETECTION TECHNIQUES

-----

### Analysis & Detection Approach

Four technique families to detect: threatening text, device locking, data encryption, admin API abuse.

-----

### Threatening Text: Details

- Must be clear, understandable and convincing
- Coercion techniques
  - Refer to law codes
  - Various accusations
    - Copyright violation
    - Illegal content found
    - Prohibited sites visited
- Detailed payment instructions

-----

### Threatening Text: Payment Instructions

-----

### → NLP + ML pipeline

-----

### Natural Language Processing Pipeline → ML

1. Language detection
   - Frequency-based analysis (e.g., English, French)
2. Segmentation = split into sentences
   - "This device has been locked for safety reasons"
   - "All actions performed are fixed"
3. Stop-words removal
   - "This device has been locked for safety reasons"
   - "All actions performed are fixed"
4. Stemming
   - "device locked safety reasons"
   - "actions performed fixed"
5. Stem vector
   - 1 0 0 1 1 0 0 1 0 1 0 1 1 0 0 0 ...
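An added toy version of this pipeline together with the scoring and decision rule of the following slides; this is example code written for this page, not HelDroid's implementation, and the stop-word list, the suffix stemmer, the labelled sentences, the Jaccard scoring and the threshold are all constructed assumptions:

```python
# Added example (not HelDroid's code): a toy version of the threatening-text
# pipeline plus the scoring and decision rule. Stop-words, the suffix stemmer,
# the labelled sentences, the Jaccard score and the threshold are constructed.
import re

STOP_WORDS = {"this", "has", "been", "for", "all", "are", "the", "of", "on", "to", "a",
              "an", "is", "and", "were", "was", "your", "you", "will", "be", "in", "by", "with", "it"}

def stem(word):  # crude suffix stripping standing in for a real stemmer (e.g. Porter)
    for suffix in ("ations", "ation", "ing", "ed", "es", "s"):
        if word.endswith(suffix) and len(word) - len(suffix) >= 3:
            return word[:-len(suffix)]
    return word

def segment(text):  # step 2: split into sentences
    return [s.strip() for s in re.split(r"[.!?]+", text) if s.strip()]

def stems(text):  # steps 3 and 4: drop stop-words, stem what is left
    words = re.findall(r"[a-z]+", " ".join(segment(text)).lower())
    return {stem(w) for w in words if w not in STOP_WORDS}

def stem_vector(text, vocabulary):  # step 5: binary vector over an ordered stem vocabulary
    present = stems(text)
    return [1 if v in present else 0 for v in vocabulary]

# Constructed labelled sentences (HelDroid's real training set is hand-labelled).
TRAINING = {
    "law": "Violation of the criminal code article has been detected",
    "accusation": "Illegal content and prohibited sites were found on this device",
    "money": "Pay the fine within 48 hours using a prepaid voucher code",
}
CENTROIDS = {cat: stems(sent) for cat, sent in TRAINING.items()}

def score(text):  # Jaccard overlap between the text's stems and each category's stems
    present = stems(text)
    return {cat: len(present & c) / len(present | c) if present | c else 0.0
            for cat, c in CENTROIDS.items()}

def decide(text, threshold=0.15):
    """Slide's rule: money -> ransomware; accusation/law without money -> scareware."""
    s = score(text)
    if s["money"] >= threshold:
        return "likely ransomware"
    if max(s["law"], s["accusation"]) >= threshold:
        return "likely scareware"
    return "unknown"

NOTE_RANSOM = ("This device has been locked for safety reasons. Illegal content was found. "
               "Pay the fine of 100 dollars with a voucher code within 24 hours.")  # constructed
NOTE_SCARE = "Attention! Prohibited sites visited. Violation of article 242 of the criminal code detected."
NOTE_BENIGN = "Tap the button to start a new game and beat your high score."
```

The threshold plays the role of the slide's "minimum to detect known ransomware": anything scoring below it in every category is left undecided rather than forced into a class.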
-----

### Machine Learning Classification: Training Set

Technique: threatening text

-----

### Training Set Labelling

Technique: threatening text (example class label on the slide: "law")

-----

### Scoring new text: x = {c_1, c_2, ..., c_n}

Technique: threatening text

-----

### Scoring and Decision

Technique: threatening text

Decision thresholds: minimum to detect known ransomware.

- if (best score in "money") → likely ransomware
- if (best score in "accusation" or "law" & ~"money") → likely scareware

-----

### Device Locking

- Upcoming fix in Android N (yay!)

-----

### Hijack onKeyUp()/onKeyDown()

Technique: device locking

- Search code for all android.app.Activity (subclasses)
  - that declare onKeyUp/onKeyDown
- Custom Smali simulator
  - "Execute" all statements
  - Within the scope of onKeyUp/onKeyDown methods
  - Follow function calls

-----

### Device Admin API Abuse

Technique: admin API abuse

-----

### Looking at the Code

Technique: admin API abuse

-----

### Manifest → Receiver → CFG → Reachability

Technique: admin API abuse

- Start from the Receiver found in the manifest
- Obtain the app's CFG (via FlowDroid)
  - soot.jimple.infoflow.cfg.SharedCfg.waitForCfg()
- Calculate all entry points (via FlowDroid)
- Visit the CFG breadth first to find calls to lockNow() & friends
- If nothing is found, "resolve" reflective calls
  - ...at least, we try to...
  - We "connect" CFG nodes by materializing calls to java.lang.reflect.Method.invoke(method)

-----

### Dealing with Obfuscated Method Names

Technique: admin API abuse

"koOpqUTbcVRhwomXlASpvutejuWHJnQxxaoinoermf"

-----

### How do we Deal With This?

Figure (resolution steps as labelled on the slide): 1: find call, 2: find method, 3, 4, 5: find decl., 6: reflection
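An added toy model of the reachability check above (direct breadth-first search first, reflective calls materialized only when nothing direct is found); this is example code, not HelDroid's, and the receiver list, the dict call graph standing in for the FlowDroid CFG, the entry-point list and the tuple encoding of reflective calls are all constructed:

```python
# Added example (not HelDroid's code): a toy "manifest -> receiver -> CFG ->
# reachability" check. FlowDroid/Soot are replaced by a plain dict call graph;
# the receiver list, the graph and the reflective-call encoding are constructed.
from collections import deque

ADMIN_SINKS = {"android.app.admin.DevicePolicyManager.lockNow",
               "android.app.admin.DevicePolicyManager.resetPassword"}
# Subset of the entry points a DeviceAdminReceiver exposes (assumed for the example).
RECEIVER_ENTRY_METHODS = ("onReceive", "onEnabled", "onPasswordChanged")

def entry_points(manifest_receivers):
    return [f"{cls}.{m}" for cls in manifest_receivers for m in RECEIVER_ENTRY_METHODS]

def resolve_reflection(call_graph):
    """Materialize ('reflect', class_const, method_const) edges into direct call
    edges; an edge whose class or method constant is unknown (None) stays as is."""
    return {caller: [f"{c[1]}.{c[2]}" if isinstance(c, tuple) and None not in c else c
                     for c in callees]
            for caller, callees in call_graph.items()}

def find_sink_path(call_graph, starts, sinks=ADMIN_SINKS):
    """Breadth-first visit from the entry points; returns the first call chain
    ending in an admin sink, or None. Tuples (unresolved reflection) are skipped."""
    queue = deque([s] for s in starts)
    seen = set(starts)
    while queue:
        path = queue.popleft()
        if path[-1] in sinks:
            return path
        for callee in call_graph.get(path[-1], []):
            if isinstance(callee, str) and callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None

def check_admin_abuse(manifest_receivers, call_graph):
    """Direct reachability first; if nothing is found, connect reflective calls and retry."""
    starts = entry_points(manifest_receivers)
    return (find_sink_path(call_graph, starts)
            or find_sink_path(resolve_reflection(call_graph), starts))

# Constructed sample app: the receiver reaches lockNow() only through
# Method.invoke() inside a helper with an obfuscated name.
SAMPLE_RECEIVERS = ["com.example.locker.AdminReceiver"]
SAMPLE_GRAPH = {
    "com.example.locker.AdminReceiver.onEnabled": ["com.example.locker.a.koOpq"],
    "com.example.locker.a.koOpq": [("reflect", "android.app.admin.DevicePolicyManager", "lockNow")],
    "com.example.locker.MainActivity.onCreate": ["com.example.locker.a.bz"],
}
```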
-----

### Recap: Encryption

Technique: data encryption

- Sources:
  - java.io.File: listFiles() or list()
  - java.lang.Runtime: exec()
- Sinks: (list garbled in the slide export)

-----

### Find Static Encryption Flows → FlowDroid

Technique: data encryption

- file pointer → byte[]
- byte[] → cipher's update

Not propagated by default, but very efficient to do.

-----

### Great! We Have a Pipeline!

-----

### But it Takes Time

-----

### 12 secs. vs. manual RE is OK. But...

-----

### Machine Learning Classification Approach

- J48 decision tree
- Random forest
- Decision table

-----

### Features

- Lots of research on that
- We borrow some features, not the way to use them
  - Permissions (boolean)
    - yes/no array of requested Android permissions
  - File statistics (numeric, novel)
    - File size
    - Number of permissions
    - Number of services, activities, receivers, avg. class size, number of packages
  - Lightweight behavioral features (boolean, novel)
    - Sends SMS or reads phone info onStartup()
    - Calls native utils (e.g., ls, grep, root, chmod)
    - ...
  - Other features (boolean, novel)
    - Is the package name composed of a single part?
    - Does the reversed package name match a real domain name?

-----

### Fast and Precise!
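An added example, not HelDroid's code, that pulls a few of the manifest-derived features above (permission booleans, component counts, the two package-name checks) from a constructed AndroidManifest.xml; the permission vocabulary and the domain list are assumptions, and file size is left out because it comes from the APK rather than the manifest:

```python
# Added example (not HelDroid's code): extracting some of the lightweight
# manifest features listed above from a constructed AndroidManifest.xml.
# The permission vocabulary and the "real domain" list are assumptions.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PERMISSION_VOCAB = [  # assumed vocabulary; the real one covers every Android permission
    "android.permission.INTERNET", "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.SEND_SMS", "android.permission.READ_PHONE_STATE",
    "android.permission.SYSTEM_ALERT_WINDOW",
]
KNOWN_DOMAINS = {"example.com", "google.com"}  # constructed stand-in for a domain list

def reversed_package_is_domain(package):
    """Does any suffix of the reversed package name (com.example.app -> example.com)
    match a known registered domain? Single-part names can never match."""
    rev = package.split(".")[::-1]
    return any(".".join(rev[i:]) in KNOWN_DOMAINS for i in range(len(rev) - 1))

def component_count(app, tag):
    return 0 if app is None else len(list(app.iter(tag)))

def extract_features(manifest_xml):
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    features = {f"perm:{p}": p in requested for p in PERMISSION_VOCAB}  # boolean array
    features.update({  # numeric file statistics and the two "other" boolean features
        "num_permissions": len(requested),
        "num_activities": component_count(app, "activity"),
        "num_services": component_count(app, "service"),
        "num_receivers": component_count(app, "receiver"),
        "single_part_package": "." not in package,
        "reversed_package_is_domain": reversed_package_is_domain(package),
    })
    return features

# Constructed manifest with a single-part package name and a boot receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="locker">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".LockService"/>
    <receiver android:name=".AdminReceiver"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>"""
```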
~12 secs → ~1.25 secs

-----

## EXPERIMENTS

-----

### Datasets

Ransomware daily feed: ~38,425 samples (and counting)

-----

### Results

- False positives (~0.07%)
  - Corner case: large portions of law- or copyright-related text (EULA)
  - 6 benign apps used to extensively modify the UI
  - 1 adware app
- Detection rate (~99%)
  - 49 samples turned out to be mislabeled
  - 4 were actually ransomware, but somewhat disarmed/not working
  - 11 language unsupported (Spanish, Russian)
    - Extended the language classifier right away (30 minutes manual work)
  - All the rest was correctly classified

-----

## WAIT WAIT… THE TOOL, THE TOOL!

-----

### HelDroid: Source Code Release!

http://ransom.mobi/scans/

-----

### FROM A SURVEY (run by Trend Micro in UK)

- Before infection: ~74% won't pay
- Upon infection: ~65% paid
- Recovery: ~35% no data

-----

### WHY RANSOMWARE IS DIFFERENT

-----

### MORE SURRENDERS → MORE PAYMENTS

-----

### VICIOUS CIRCLE AMPLIFIERS: INSURANCES

"[...] we'll reimburse [...] up to $1000 per endpoint, or $1,000,000 in protection overall for the company. Guaranteed."

Thanks! The crooks are super happy now! All they need to do is target all customers of this vendor, get to ~1000 endpoints, and ask for $1,000,000 overall.

-----

### VICIOUS CIRCLE AMPLIFIERS: INSURANCES

"It's time for security companies to back their technology and provide users with the financial assurance they deserve against ransomware attacks."

No, seriously? Think for a minute about the global, long-term effect of this idea...

-----

## THANK YOU

Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game

Federico 'phretor' Maggi ~ @phretor - http://maggi.cc && Stefano 'raistlin' Zanero

With Nicolò Andronio, Nicola della Rocca, Chengyu Zheng

-----

## EXTRA SLIDES

-----