fracforihoshy

Traps Ransomware Module: A Behavior-Based Solution to Stop Encryption Attacks



So I made an exclusion for the powershell.exe process, in which I deactivated the AntiRansomware module. After that the files are no longer visible with the command Get-ChildItem !!!*, but the python.exe process still sees the files. That means that the files are not actually present. These are really files simulated by Traps for all processes. After the first default rule, this rule applies to all processes. After that, however, there are some compatibility rules where Palo Alto excludes the anti-ransomware protection for certain processes. Palo Alto has even more possibilities than us via the GUI; they also have exclusions for the directories to be monitored.




Traps Ransomware module




Either way, no Traps alert is generated. There is also no alert if the filename is appended with another character instead of !!!!!!!2523101513.pst, !!!!!!2523101515139.pst. This means that it only monitors these simulated files. A new ransomware that writes other file names, even if they start with five exclamation marks or ZZZZ, will not trigger an alert.


Important! Please proceed with caution during the steps above. While troubleshooting the Client Policy, the endpoint should be isolated from the network and secured. While the Traps service is stopped, WildFire, Restrictions, and Process Reporting will not work; the Endpoint Protection Module (EPM) and Malware Protection Module (MPM) will continue to work. Also, the agent will not communicate with the Endpoint Security Manager (ESM), so changes to the policies will not apply as long as the CyveraService service is stopped on the endpoint.


The essence of the module is pretty simple. It creates a range of canary files in various directories, and if one such file is ever touched by a process (e.g. CryptoLocker), the offending process is immediately shut down.


The PoC script below mimics ransomware: it wipes the whole D: drive except some pre-excluded files and folders ($TrustedFiles and $TrustedFolders). When running this script, Traps (version 4.1.0 and above, with the Anti-Ransomware module activated) will flag it as ransomware and kill the process, because it performs bulk file/folder modification:


Over the past two years, firmware threats have gone from being the secret weapons of nation-state threat actors to everyday, commoditized threats used in some of the most widespread malware, ransomware, and attack campaigns in the world. Yet, many organizations are still in the earliest phases of building out their firmware security strategy, which can leave a gap for attackers.


TrickBot is estimated to be the #1 most common form of malware affecting enterprises today. TrickBot is a highly modular trojan that specializes in persistence and lateral movement and is an enabler for a wide range of other malware such as Conti and Ryuk ransomware.


The archive downloaded by the NSIS-packed dropper is a 7z self-extracting executable and contains different modules, all distributed as 7z password-protected archives. This downloaded archive contains the different modules used by this campaign. The picture below better describes the overall installation process and shows the different modules. While the different modules have very different purposes, they are all similarly packaged and a lot of them are signed with a valid code-signing certificate. We found four different certificates used since the campaign started, all registered to companies in Moscow. We of course notified the certificate issuer to have them revoked.


All the modules that make up this threat share a common install procedure. They are all 7z self-extracting executables that first decompress a password-protected archive and then execute an install.cmd file. The following is the first install.cmd file that gets invoked after the first module has been downloaded and executed:


The first approach uses two files, l1.exe and cc1.exe, which implement a variant of the trick used in the leaked Carberp source code. It copies cryptbase.dll to %USERPROFILE%, patches it so that it launches the malware on execution, and packs it as an MSU file. Finally, it uses wusa.exe to copy it to the system directory before launching it. The other technique exploits CVE-2013-3660. Each module that requires privilege escalation has a 32- and 64-bit version of this exploit. If gaining administrator privileges is required, the install.cmd file will try to use either of these techniques to escalate privileges locally in order to install the different modules.


While tracking this campaign, we downloaded different overall packages. Interestingly, the modules they contained were not the same. This leads us to believe that different targets might receive different modules.


This module is responsible for spying on the user and communicating with the C&C. It will first install Punto, software made by Yandex that can automatically change keyboard language as the user types. The cybercriminals are then misusing this software to run the spying module through DLL side loading and are using it to


The module that is ultimately responsible for these tasks is an encrypted DLL that is decrypted and loaded into memory at runtime by the Punto process. It launches three threads that will ultimately perform the work outlined above. The fact that Punto is misused by this malware for keylogging purposes is not surprising: several Russian forums detail explicitly how to misuse this application for this purpose.


This module uses RC4 to encrypt its strings as well as its network communication. It will reach out to the C&C every two minutes, transmitting any data that have been stolen from the compromised system. A screenshot of a network communication as well as the different commands that can be received from the server are shown below.


Lightning Framework is built using a simple structure: a downloader component that will download and install the malware's other modules and plugins, including its core module, on compromised Linux devices.


After reaching out to its command-and-control (C2) server over TCP sockets using C2 info stored in undetectable polymorphic encoded configuration files, Lightning Framework fetches its plugins and the core module.


A fourth Linux malware strain, a rootkit dubbed Syslogk unveiled by Avast researchers last month, has the capability to force-load its modules into the Linux kernel, backdoor infected machines, and hide network traffic and artifacts to evade detection.


Spam traps are fraud management tools that help Internet Service Providers (ISPs) identify and block spammers. They help make your inbox safer by blocking vulnerabilities. A spam trap is a fake email address used to bait spammers. Legitimate mail is unlikely to be sent to a fake address, so when an email is received, it is most likely spam.


The unavoidable ransomware trap makes it impossible for ransomware to fulfill its business logic without being caught. This patent-pending technology is a recent addition to our powerful EDR. It can precisely detect and stop ransomware at run time, and restore user data files after they have been encrypted. It is implemented as a Windows kernel module that runs at the lowest level of the system with the privilege to take down ransomware attacks during run time. After it stops the ransomware program, it cleans up ransomware remains and restores user data files to their original content, even if the file content has been encrypted.


This advanced feature has enabled TXShield (EDR) to successfully detect and stop the most recent ransomware families, such as Petya, BlackMatter, Matryoshka, and many others. With TXShield, users never need to worry about ransomware attacks.


TXShield has a built-in advanced sandbox, AV engine, IOC query, IOD investigation, black/white list, vulnerability scanning, email-borne malware scanning, post-run program investigation, WMI hook validation, firewall rule change monitoring, AI/DL and Yara rule based detection, malicious network activity monitoring, SOC automation, deleted file searching, USB protection, network isolation, auditing, and its most recent patent-pending technology against ransomware attacks to protect and restore user data files after encryption.


Our patent-pending technology, the unavoidable ransomware trap, directly targets ransomware's core business logic, making it impossible to fulfill its goal of demanding ransom. The design and implementation reside in the Windows system kernel, watching for ransomware behavior, stopping it at run time and restoring encrypted user data files. It precisely detects all kinds of ransomware at run time without needing updates.


With potential threats all around us, it is no longer safe to solely rely on network-based firewall appliances (perimeter) at the edge of your local network. Protecting against lateral movement of malware is now important as targeted ransomware often silently resides in your network, gathering valuable intelligence and finding vulnerabilities in your IT infrastructure. When it eventually breaks out, your business will be at stake, as not only is your data encrypted, but the time and costs involved in restoring your IT infrastructure and reputation will be significant.


NAS is often entrusted with valuable personal and business data and this makes it a frequent target of malware such as targeted ransomware. The QGD-1602P can protect storage environments with NAS devices of all brands, assisting in scanning traffic to NAS devices for hostile actions and effectively protecting private and confidential data from malicious activities.


Remind security leaders and cyber security ambassadors to monitor employee phishing awareness with phishing simulations. They can also use phishing micro-learning modules to educate, train, and change the behavior of employees.

