POCKET-SIZED BADNESS: WHY RANSOMWARE COMES AS A PLOT TWIST IN THE CAT-MOUSE GAME presented at BlackHatEU 2016

by Stefano Zanero, Federico Maggi,

Summary : While we have grown accustomed to stealthy malware, specifically written to gain and maintain control of the victim machines to abuse their resources, ransomware really comes as a "plot twist!" After 10+ years of stealthy malware, spread mainly for building botnets and steal information, for the second time we're witnessing a growth of disruptive malware, and an interest for direct and fast profit. Ransomware is a particularly striking example of disruptive malware, both on mobile and desktop targets: While traditional mass malware must fly under the radar to fulfill its goals, a ransomware attack that remains unaccountable has failed miserably. It must show up to inform and frighten the victim! As a result, the human psychological response to the attack plays a significant role in the success of ransomware schemes. And, given the remarkable revenue, the scheme seems to be working fairly well.
This talk will describe the technical impact of disruptive malware and its game-changing approach, which made us (at least) rethink our incident-response plans. We will focus on mobile ransomware as a representative, extreme case study. Albeit not very studied, we are currently tracking 10 distinct families, and collected tenths of thousands distinct samples in three months. In this talk, we will go through the most notorious families such as Koler, SLocker, Svpeng (and mention the other notable ones), overviewing their social-engineering tricks and how they are technically implemented. This will include, for instance, how an app can effectively lock a device to forcefully display the typical threatening message that informs the victim of what just happened, or how crypto and file-system APIs are (ab)used to surreptitiously encrypt the valuable data.
After having overviewed these aspects, we will describe how they can be effectively detected with specific static features. We will present a lightweight Smali emulator to track the instruction sequences that implement device-locking mechanisms. To detect malicious encryption attempts, we will present a static, dataflow-based program-analysis technique and tool that track file-system operations (e.g., file listing, file reading) to determine if they are "connected" to encryption flows. Since the most recent families have started to abuse the device-administration API (e.g., to lock the device), obfuscated method names and reflection to hinder automatic static analysis, we will show a couple of counter-tricks.
Last, we will show how the threatening messages can be recognized from normal text using a language-analysis technique, which classifies text based on the appearance of key terms frequently found in ransomware samples but not in benign sources. Since static program-analysis approaches like ours can be time and resource consuming, we describe a fast triaging pre-filtering technique to quickly discard strikingly benign applications. This filter is generic and ransomware-agnostic. Thus, in principle, it could be applied to any app-vetting pipeline. With this talk we will release the source code of a prototype that implements (part of) the described techniques, and a dataset comprising tenths of thousands of ransomware applications targeting the Android platform, each labeled with the set of features that characterize their statically-extracted behavior.