Ransomware is becoming increasingly sophisticated. Comparing today’s ransomware to yesterday’s malware is like comparing a computer to an abacus. One advanced example is “Locky,” a CryptoLocker variant that deletes all “Volume Shadow Copies” to prevent restoring from backup, and then encrypts the files for ransom. This can be a terrible – and expensive – headache for unprepared IT and security teams.
Shadow Copy is a technology included in Microsoft Windows that allows the taking of backup copies (snapshots) of computer files or volumes. The best part is that these backups can be taken even when the files are in use. It is implemented as a Windows service called the “Volume Shadow Copy Service.”
Shadow copies can be created on local and external (removable or network) volumes by any Windows component that utilizes it, such as when creating a scheduled Windows backup or automatic system restore point.
Based on that description, you can see why the removing of these files is beneficial to attackers. If you cannot recover from backups, you are at their mercy.
Sample detonated for this post:
MD5
c24605589c71eb4835f3ee2654812315
SHA1
b078772e826eaf2c736b96e7844f3828d2666b6f
Initial location on the test system
C:\Users\master\Desktop\c24605589c71eb4835f3ee2654812315.b078772e826eaf2
c736b96e7844f3828d2666b6f.exe
Files Written:
\Device\KsecDD
C:\f1f94d81\f1f94d81.exe
C:\Users\master\AppData\Roaming\f1f94d81.exe
C:\Users\master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f1f94d81.exe
Files Read:
C:\Windows\syswow64\svchost.exe
C:\Windows\syswow64\vssadmin.exe
Processes spawned:
C:\Users\master\Downloads\PDMHSOFE\webpage-38715fa8845ad8844759960e8b8a34b3.zip.exe
C:\Users\master\Downloads\PDMHSOFE\webpage-38715fa8845ad8844759960e8b8a34b3.zip.exe
C:\Windows\syswow64\svchost.exe -k netsvcs
C:\Windows\syswow64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\NOTEPAD.EXE C:\Windows\system32\NOTEPAD.EXE C:\Users\master\Desktop\HELP_DECRYPT.TXT
C:\Program Files (x86)\Internet Explorer\iexplore.exe “C:\Program Files (x86)\Internet Explorer\iexplore.exe” -nohome
C:\Program Files (x86)\Internet Explorer\iexplore.exe “C:\Program Files (x86)\Internet Explorer\iexplore.exe” SCODEF:2184 CREDAT:14337
What happens on the host from the host point of view:
The first thing this malware does is delete itself from the original location it was run from and create a new binary in the user’s roaming appdata directory. This is extremely common among Trojan malwares. C:\Users\<username>\appdata\Roaming (Windows 7) is the first place I check for newly created directories and binaries because it is so common.
Next the malware creates a persistence mechanism by copying itself to the user’s startup programs directory. This is a common technique and is a location that should always be checked for new binaries.
The third action this malware takes is to create a hidden folder in the root directory of the files system. You can see below that the folder was created within seconds of the original binary being deleted and the other two binaries being written to the filesystem.
Inside this new file is yet another copy of the binary. It seems like the malware author is afraid of these binaries being found and creates backup plans for their backup plans. That kind of paranoia isn’t healthy.
Next up, the malware starts creating registry values so it can be started in the background each time the user logs in. I can infer their intent because the “Run” and “RunOnce” keys are run each time a new user logs in. These keys are for background services such as remote registry service and are run only once per boot.
After the malware has been running for a while on the system, you start to see files created all over the filesystem called “HELP_DECRYPT.txt” and “HELP_DECRYPT.png.”
Below is a sample of what the file contains. This system has now had its files encrypted, backups deleted, and is being held for ransom.
What happens on the host from the Carbon Black point of view?
So to cheat a bit, since we detonated this malware on purpose, we already know what to look for based on the original filename. In the real world, we don’t have that luxury. To make this workflow as realistic as possible I created a new watchlist on my Carbon Black server. This watchlist looks for the command “C:\Windows\syswow64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet” to be issued on systems. This legitimately will not happen on an enterprise system unless operations explicitly does this. If they do, they will know about it, and you can modify the watchlist accordingly with your corporate process and workflow.
(Side note: We can stop this action from happening by using a custom rule that blocks normal user accounts from running vssadmin. This rule effectively neuters the crypto malware’s ability to delete shadow copies and allows the impacted company to restore from backup instead of paying the ransom. It also removes the ability to execute vssadmin from a native script or command line. This could cause some collateral damage, so modify accordingly with your corporate policy and use cases.)
The next step is waiting for an alert to come through. Once that has happened, we investigate.
Below, we can see the process tree of this file. Based on the alert, which led me to the vssadmin.exe execution, I was able to backtrack up the tree to see that the original process was:
C:\Users\master\Desktop\c24605589c71eb4835f3ee2654812315.b078772e826eaf2c736b96e7844f3828d2666b6f.exe.
This binary has a score of 43/56. I should probably look into what this binary did.
Below, we can see that it spawned three new processes, created four new registry entries, and created 10 new files on the system.
Based on our findings in Carbon Black, combined with open-source intelligence from searching around the Internet, and the score results, we can safely assume this machine is owned and needs to be reimaged. Or you can take the more manual approach and kill the active processes, remove all the files and registry entries that were created, and restore from backups.
All those steps, by the way, can be done via Carbon Black Live Response.
How to restore files encrypted using Shadow Volume Copies
If you have “System Restore” enabled, your system will create shadow copies that hold copies of your files from that moment back. These copies “may,” and I use the term “may” dripping with hope, allow you to restore your files from before they were encrypted. Using shadow copies is not foolproof. Also, the version of the files in the shadow copy may not be the latest version and code be useless to you.
(***Note: Shadow volume copies are a feature only available with WinXP SP2, Vista, Win7, and Win8/8.1.)
There are multiple methods online documenting how to recover with a shadow copy. The method I normally use is the native Windows option. I use it because it has the most probability of being available to me on a Windows system.
To restore individual files:
Right-click on the file
Go into “Properties”
Select the “Previous Versions” tab
This tab lists copies of the file stored in a shadow volume copy and the date backed up.
To restore a particular version of the file:
Click on the “Copy” button
Select the directory to which you wish to restore the file.
To restore the selected file and replace the existing one:
Click on the “Restore” button.
To view the contents of the actual file:
Click on the “Open” button
You can do this before you restore it.
This same method described above can be used to restore an entire folder.
How to prevent this infection
If possible, put any system you can in high-enforcement mode via the Cb Protection console. This will prevent the execution of any unknown binary. Short of that, you can implement a few different types of rules depending on your use case, unique to you environmental variables, and desired outcome.
Below are a few rules I have created for different use cases. This rules are being represented in their most high-level form and not in the format they appear in the Cb Protection console. I did this because even if you aren’t using our products, you can still apply this logic and most of these rules to your environment by leveraging GPO, witchcraft and cursing.
The file paths that have been used by this infection and its droppers are:
C:\f1f94d81\f1f94d81.exe
C:\Users\master\AppData\Roaming\f1f94d81.exe
C:\Users\master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f1f94d81.exe
You can create a software restriction policy using Windows Professional or Windows Server (for a single computer use the Local Security Policy Editor, for an entire domain use the Group Policy Editor).
To open the Local Security Policy editor:
Click on the “Start” button
Type “Local Security Policy”
Select the search result that appears
Expand security settings
Click on the “Software Restriction Policies” section
If you do not see the items in the right pane as shown above, you will need to add a new policy.
Click on the “Action” button
Select “New Software Restriction Policies”
Click on the “Additional Rules” category
Right-click in the right pane
Select “New Path Rule”
You should then add a Path Rule for each of the items listed below.
(***NOTE: If the software restriction policies cause issues when trying to run legitimate applications, you will need to add exception rules. This is where Cb Protection trust scores come in handy.)
Block executable in %AppData%
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executables to run from %AppData%.
Block executable in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executables to run from %AppData%
Ransomware is annoyingly effective. The recent additions of features such as removing shadow copies makes it even more dangerous. I hope this guide on recovering from ransomware using Shadow Volume Copies is helpful to some poor soul who got hit. Regardless of what security products you use, your best defense to any attack is user training and backups. Anything preventative you can implement proactively, whether it’s Cb Protection or a manual implementation using native Microsoft tools is going to protect you and your company.
____________________
Looking for more info on ransomware? Click here to download the free eBook.
The post Defeating Locky and Volume Shadow Copies appeared first on Carbon Black.