What is ransomware?
Ransomware stops you from using your PC. It holds your PC or files for ransom.
Some versions of ransomware are called “FBI Moneypak” or the “FBI virus” because they use the FBI’s logos.
What does it look like and how does it work?
There are different types of ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC.
They can:
- Prevent you from accessing Windows.
- Encrypt files so you can’t use them.
- Stop certain apps from running (like your web browser).
They will demand that you do something to get access to your PC or files. We have seen them:
- Demand you pay money.
- Make you complete surveys.
Often the ransomware will claim you have done something illegal with your PC, and that you are being fined by a police force or government agency.
These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC.
There is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again.
Prevalent ransomware
Locky and Cerber are two of the most prevalent and dangerous ransomware currently active.
Locky Recovery Notice
What the Locky encrypted files look like
Detection
So, with Locky on the rise, it got me thinking, what exactly does Locky (and other ransomware) do to your computer? What happens when the ransomware starts processing? Most ransomware—that encrypts files—uses something known as CryptoLocker, which uses a form of AES encryption. Even before Locky starts encrypting files, EXEs are added to folders, and registry keys are added to the registry.
Soo…how do we prevent or at least reduce the impact of ransomware? A simple approach would just be to monitor the computer for ransomwarelike behavior.
Something I came of up with—which is still early in development—is to scan all the known areas that Locky is likely to hit first. This would include common registry keys, EXEs in the user’s Local and Roaming folders, and monitoring ‘marker’ files. A marker file is just a text file in the user’s profile…which has a specific hash number associated with it. If that marker file disappears, is encrypted, or is changed in any way, a script changes from monitoring mode, to alert mode. Likewise, if known ransomware registry keys are detected, a script goes into alert mode. The idea is to create a monitoring script, with low impact to system resources, that will act as a method for early detection. Early detection means less of the files will be encrypted.
This is the start of my script – this would be compiled and ran as a silent process
@echo off title Ransomware Scanner color 0a :: booValean set to false set booVal=FALSE :: reg key to check set regKey=CryptoLocker :: file marker name set fileName=DO_NOT_DELETE :: file extensions to check set fileType1=.EXE set fileType2=.exe set fileType3=.locky :: md5 to check set md5=1914255e58188f70feced69533c99aec Setlocal EnableDelayedExpansion set timer=timeout /t 10 C: cd C:\Users\%username%\AAA :LOOP :: CHECK FOR CRYPTOLOCKER REG KEY cls Echo Scanning computer for ransomware...Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FOR /F "tokens=1" %%A IN ('REG QUERY "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"') DO ( if %%A==%regKey% set booVal=TRUE ) %timer%>nul :: CHECK FOR CRYPTOLOCKER REG KEY cls Echo Scanning computer for ransomware...Checking HKCU\SOFTWARE\CryptoLocker REG QUERY HKCU\SOFTWARE\CryptoLocker IF %errorlevel%==0 GOTO :END :: CHECK FOR CRYPTOLOCKER_0388 REG KEY cls Echo Scanning computer for ransomware...Checking HKCU\SOFTWARE\CryptoLocker_0388 REG QUERY HKCU\SOFTWARE\CryptoLocker_0388 IF %errorlevel%==0 GOTO :END :: CHECK FOR CRYPTOLOCKER REG KEY cls Echo Scanning computer for ransomware...Checking HKCU\SOFTWARE\Locky REG QUERY HKCU\SOFTWARE\Locky IF %errorlevel%==0 GOTO :END :: CHECK FOR EXE IN THE LOCAL FOLDER cls Echo Scanning computer for ransomware...Checking Local Folder for /F "tokens=*" %%U IN ('dir /b C:\Users\%username%\AppData\Local') do ( if [%%~xU]==[%fileType1%] set booVal=TRUE if [%%~xU]==[%fileType2%] set booVal=TRUE ) %timer%>nul if %booVal% EQU TRUE goto :END :: CHECK FOR EXE IN THE ROAMING FOLDER cls Echo Scanning computer for ransomware...Checking Roaming Folder for /F "tokens=*" %%V IN ('dir /b C:\Users\%username%\AppData\Roaming') do ( if [%%~xV]==[%fileType1%] set booVal=TRUE if [%%~xV]==[%fileType2%] set booVal=TRUE ) %timer%>nul if %booVal% EQU TRUE goto :END :: CHECK FOR EXE IN THE DOCUMENT FOLDER cls Echo Scanning computer for ransomware...Checking C:\Users\%username%\Documents for /F "tokens=*" %%W IN ('dir /b C:\Users\%username%\Documents') do ( if [%%~xW]==[%fileType3%] set booVal=TRUE ) %timer%>nul if %booVal% EQU TRUE goto :END :: CHECK FOR EXE IN THE PICTURES FOLDER cls Echo Scanning computer for ransomware...Checking C:\Users\%username%\Pictures for /F "tokens=*" %%X IN ('dir /b C:\Users\%username%\Pictures') do ( if [%%~xX]==[%fileType3%] set booVal=TRUE ) %timer%>nul if %booVal% EQU TRUE goto :END :: CHECK TO SEE IF AAA FILE EXISTS cls Echo Scanning computer for ransomware...Checking AAA_%fileName%.txt if not exist C:\Users\%username%\AAA\AAA_%fileName%.txt set booVal=TRUE %timer%>nul if %booVal% EQU TRUE goto :END :: CHECK TO SEE IF BMP FILE EXISTS cls Echo Scanning computer for ransomware...Checking %UserpProfile%\Desktop\_Locky_recover_instructions.bmp if exist %UserpProfile%\Desktop\_Locky_recover_instructions.bmp set booVal=TRUE %timer%>nul if %booVal% EQU TRUE goto :END :: RETURN AAA FILE CHECKSUM cls Echo Scanning computer for ransomware...Checking MD5 on AAA_%fileName%.txt set count=1 for /F "tokens=* delims=" %%Y IN ('CertUtil -hashfile C:\Users\%username%\AAA\AAA_%fileName%.txt MD5') do ( set var!count!=%%Y set /a count+=1 ) if %booVal% EQU TRUE goto :END :: CHECK TO SEE IF MD5 IS THE SAME -- IF NOT EQUAL, SET TRUE :: removes spaces set var2=%var2: =% if %var2% NEQ %md5% set booVal=TRUE %timer%>nul if %booVal% EQU TRUE goto :END CLS echo Old MD5: %var2% echo New MD5: %md5% echo Detect: %booVal% %timer%>nul goto :LOOP :END CLS echo Old MD5: %var2% echo New MD5: %md5% echo Detect: %booVal% echo. echo msgbox " Ransomware has been detected^!" > "%temp%\popup.vbs" wscript.exe "%temp%\popup.vbs" set booVal=FALSE goto :LOOP
Notes
https://blog.malwarebytes.org/threat-analysis/2016/03/look-into-locky/
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information