Forensic analysis of a ransomware attack

Ibernato
(@ibernato)
Junior Member

Hi everyone,
I'm thinking of doing a degree thesis which consists of examining the various tools available (foremost, scalpel, etc.) to see if it is possible to recover files deleted by a ransomware.
For now I have tested WannaCry and foremost has recovered my files.

Do you think it's a good idea or is it to be discarded?

Posted : 21/08/2019 8:43 pm
tracedf
(@tracedf)
Active Member

I think you're conflating two issues.

1) To what extent are files affected by ransomware able to be recovered with data recovery tools?
2) Which data recovery or file carving tool is most effective?

Posted : 22/08/2019 1:36 am
athulin
(@athulin)
Community Legend

I'm thinking of doing a degree thesis which consists of examining the various tools available (foremost, scalpel, etc.) to see if it is possible to recover files deleted by a ransomware.
For now I have tested WannaCry and foremost has recovered my files.

Do you think it's a good idea or is it to be discarded?

Thesis to me is a serious piece of scientific study. However, the term seems to be used for other purposes. If this is one of those, I'm not interested. I'm assuming it isn't.

Any ransomware attack software? Or only one? Or some subset? How is a ransomware attack – in the perspective of this study – different from a 'rename to random file names and delete'? I.e. what components of the ransomware attack are relevant for your study?

Where are the limits of 'possibility'? And what are the criteria for 'recover'? Only file contents? Or file contents as well as metadata?
Only one file out of … 50000? 50%? Are there factors that are independent of the 'ransomware' that affect recovery rate? How much will your study be affected by them?

What do you want to be able to conclude? Yes it is possible, under a lot of assumptions? (Not a useful scientific result, that). Yes, at least 75% files can always be recovered? (Raises some questions …) Or something along those lines?

You should have a thesis advisor, who understands the scope and goals of the thesis in general. That's the right person to discuss such details with.

As far as I know, WannaCry encrypted files, and offered decryption for payment. If you're looking for remains of original files, you're basically doing a study of file carving, and the ransomware component does not seem to be entirely relevant (at least as far as I can see from your overview).

Or, you are doing a study of a particular family of ransomware, and how they try to make original file content inaccessible. Of course, if they overwrite files … file carving is not likely to be effective.

Before you decide, do a preliminary literature study: who has already looked into this? How would your study differ from theirs? (If not at all, … there's little reason to do a new study. It may be worthwhile to repeat it, but that's a slightly different approach.)

Posted : 22/08/2019 6:22 am
Ibernato
(@ibernato)
Junior Member

I'm thinking of doing a degree thesis which consists of examining the various tools available (foremost, scalpel, etc.) to see if it is possible to recover files deleted by a ransomware.
For now I have tested WannaCry and foremost has recovered my files.

Do you think it's a good idea or is it to be discarded?

Thesis to me is a serious piece of scientific study. However, the term seems to be used for other purposes. If this is one of those, I'm not interested. I'm assuming it isn't.

Any ransomware attack software? Or only one? Or some subset? How is a ransomware attack – in the perspective of this study – different from a 'rename to random file names and delete'? I.e. what components of the ransomware attack are relevant for your study?

Where are the limits of 'possibility'? And what are the criteria for 'recover'? Only file contents? Or file contents as well as metadata?
Only one file out of … 50000? 50%? Are there factors that are independent of the 'ransomware' that affect recovery rate? How much will your study be affected by them?

What do you want to be able to conclude? Yes it is possible, under a lot of assumptions? (Not a useful scientific result, that). Yes, at least 75% files can always be recovered? (Raises some questions …) Or something along those lines?

You should have a thesis advisor, who understands the scope and goals of the thesis in general. That's the right person to discuss such details with.

As far as I know, WannaCry encrypted files, and offered decryption for payment. If you're looking for remains of original files, you're basically doing a study of file carving, and the ransomware component does not seem to be entirely relevant (at least as far as I can see from your overview).

Or, you are doing a study of a particular family of ransomware, and how they try to make original file content inaccessible. Of course, if they overwrite files … file carving is not likely to be effective.

Before you decide, do a preliminary literature study: who has already looked into this? How would your study differ from theirs? (If not at all, … there's little reason to do a new study. It may be worthwhile to repeat it, but that's a slightly different approach.)

My purpose is to examine a set of ransomware and test the effectiveness of recovery tools.
I haven't found anything in the literature about it.
The aim of the thesis is therefore to understand if it is possible to recover files after a ransomware attack and study their evolution.
I want to recover the contents of the file.
I give an example. I have a set of photos, pdf files, word files and I want to recover them if I get infected with a ransomware.

Posted : 22/08/2019 9:20 am
trewmte
(@trewmte)
Community Legend

Hi everyone,
I'm thinking of doing a degree thesis which consists of examining the various tools available (foremost, scalpel, etc.) to see if it is possible to recover files deleted by a ransomware.
For now I have tested WannaCry and foremost has recovered my files.

Do you think it's a good idea or is it to be discarded?

Is that examination post-exploit (held to ransom) or post-release (ransom paid or alternative method of release found)?

Are you examining disc memory or RAM or both?

Posted : 22/08/2019 9:52 am
jaclaz
(@jaclaz)
Community Legend

In layman's terms
1) a ransomware encrypts files with a given encryption engine and with a given password, usually only a subset of document files are encrypted (i.e. by extension for example, .doc, .docx, .xls, .xlsx, .pdf, etcetera).
2) a ransomware may have vulnerabilities that can be leveraged to either derive the password used or decrypt the encrypted files with another password/using a different algorithm
3) a ransomware may zero out the original file or simply delete it, in this latter case some (most often partial or very partial) recovery (of the original, non-encrypted file) is possible

Specifically for Wannacry, some decrypting tools are available
https://success.trendmicro.com/solution/1114221-downloading-and-using-the-trend-micro-ransomware-file-decryptor

https://github.com/aguinet/wannakey

https://github.com/gentilkiwi/wanakiwi/releases

though they only work in some specific cases and with specific versions of the ransomware.

If the specific ransomware (and/or the "right" conditions are not met) is not supported by one of the available tools, the files are NOT decryptable and it is way over the capabilities of a bachelor's degree student (without - besides the UNI formation - years of experience in cryptography and programming) to write such a decrypting program.

If it is the case #3 above, as athulin suggested, there is very little connected to the actual ransomware, and everything revolves around recovering deleted files/ filesystem carving and similar, in itself nothing particularly "new" or (IMHO) with the relevance to be object of a thesis.

At the most you will be able to compile a list of exact versions of various ransomwares that in your experiments do behave as described in #3, but the amount of recoverable/recovered files will depend on a wide number of other factors (OS, filesystem used, actual use of the specific machine and of its storage units and *what not*) so that your results won't likely be reliable/repeatable in different setups.

jaclaz

Posted : 22/08/2019 11:48 am
athulin
(@athulin)
Community Legend

My purpose is to examine a set of ransomware and test the effectiveness of recovery tools.
I haven't found anything in the literature about it.
The aim of the thesis is therefore to understand if it is possible to recover files after a ransomware attack and study their evolution.
I want to recover the contents of the file.
I give an example. I have a set of photos, pdf files, word files and I want to recover them if I get infected with a ransomware.

That sounds like investigating a) does the strain of ransomware leave any original contents on the disk? (that question alone seems to me like a useful minor thesis, if it covers multiple types of known ransomware), b) how much original content remains? (Easy to do, by having each individual sector-/cluster-size data identify itself, and then look for those signatures. Alternatively, sector-hash existing content, and check post-factum sector hashes with pre-infection data.)

Posted : 22/08/2019 11:50 am
Ibernato
(@ibernato)
Junior Member

Is that examination post-exploit (held to ransom) or post-release (ransom paid or alternative method of release found)?

Are you examining disc memory or RAM or both?

Post-exploit and only disc memory for my thesis.

That sounds like investigating a) does the strain of ransomware leave any original contents on the disk? (that question alone seems to me like a useful minor thesis, if it covers multiple types of known ransomware), b) how much original content remains? (Easy to do, by having each individual sector-/cluster-size data identify itself, and then look for those signatures. Alternatively, sector-hash existing content, and check post-factum sector hashes with pre-infection data.)

This is my idea of thesis.
A file is stored using clusters.
When a file is deleted, those sectors remain unallocated, but there are still traces of that file until they are overwritten.

What the ransomware does is read the original file and create an encrypted copy. Finally, it deletes the original file. However, the original file may still be present on the disk. So if you immediately use these tools, you could recover files.

So in my thesis I will make a list with the statistics of the recovered files.
Then there will be a chapter where we will discuss defense strategies to avoid losing data (backup, etc.).

Do you think it is a useless thesis? My professor seemed excited about this kind of work.

Posted : 22/08/2019 3:29 pm
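Added example (not code from anyone in this thread): a small simulation of the model Ibernato describes (read original, write encrypted copy, delete original) on a toy volume, with residue measured the way athulin suggests, by sector-hashing every cluster before infection and checking which hashes are still present afterwards. The cluster size, the 32-cluster volume, the two free-space allocation policies and the three 4-cluster "documents" are assumptions chosen to make the effects visible; random bytes stand in for ciphertext, since for carving purposes any real cipher's output is equally opaque. It also models jaclaz's two behaviours (delete only vs. zero out) and post-infection disk activity competing for the freed clusters.

```python
"""Toy volume: simulate 'read, write encrypted copy, delete original' and
measure surviving original content with per-cluster hashes.

Added example, not from the forum thread. Volume geometry, allocation
policies and file sizes are assumptions made up for this demonstration.
"""
import hashlib
import os

CLUSTER = 512                                           # assumed cluster size
ZERO_HASH = hashlib.sha256(bytes(CLUSTER)).hexdigest()  # all-zero block: never counted as "found"


class ToyVolume:
    """Flat byte array split into clusters, plus a minimal name -> clusters table."""

    def __init__(self, n_clusters, policy="fifo"):
        self.data = bytearray(n_clusters * CLUSTER)
        self.free = list(range(n_clusters))
        self.files = {}
        # "fifo": freed clusters are reused only after never-used space is exhausted
        # "lowest": the lowest free cluster is always taken first (freed space reused at once)
        self.policy = policy

    @staticmethod
    def _slice(c):
        return slice(c * CLUSTER, (c + 1) * CLUSTER)

    def write(self, name, content):
        needed = -(-len(content) // CLUSTER)            # ceiling division
        if needed > len(self.free):
            raise OSError("volume full")
        alloc, self.free = self.free[:needed], self.free[needed:]
        padded = content.ljust(needed * CLUSTER, b"\0")
        for i, c in enumerate(alloc):
            self.data[self._slice(c)] = padded[i * CLUSTER:(i + 1) * CLUSTER]
        self.files[name] = alloc

    def read(self, name):
        return b"".join(bytes(self.data[self._slice(c)]) for c in self.files[name])

    def unlink(self, name, wipe=False):
        """Delete-only leaves cluster contents intact; wipe=True zeroes them first."""
        for c in self.files.pop(name):
            if wipe:
                self.data[self._slice(c)] = bytes(CLUSTER)
            self.free.append(c)
        if self.policy == "lowest":
            self.free.sort()

    def file_hashes(self, name):
        """Per-cluster hashes of one file, in file order (the pre-infection baseline)."""
        return [hashlib.sha256(self.data[self._slice(c)]).hexdigest() for c in self.files[name]]

    def volume_hashes(self):
        """Set of hashes of every cluster on the volume, allocated or not."""
        return {hashlib.sha256(self.data[self._slice(c)]).hexdigest()
                for c in range(len(self.data) // CLUSTER)} - {ZERO_HASH}


def survival(baseline, after):
    """Fraction of a file's original cluster hashes still present somewhere on the volume.

    This is an upper bound on what a carver can get back: presence says nothing
    about contiguity or order. Low-entropy blocks (here: all-zero padding) would
    match unrelated data, so they are excluded from the count."""
    blocks = [h for h in baseline if h != ZERO_HASH]
    return sum(h in after for h in blocks) / len(blocks)


def run_scenario(wipe=False, policy="fifo", churn=0, n_clusters=32):
    vol = ToyVolume(n_clusters, policy)
    docs = ["A.docx", "B.pdf", "C.jpg"]
    for name in docs:
        vol.write(name, os.urandom(4 * CLUSTER))        # random content: every block hash is unique
    baseline = {name: vol.file_hashes(name) for name in docs}

    # The behaviour described in the thread: read, write an encrypted copy, delete the original.
    for name in docs:
        vol.write(name + ".locked", os.urandom(len(vol.read(name))))
        vol.unlink(name, wipe=wipe)

    # Post-infection activity (updates, temp files, defrag...) writing single-cluster files.
    for i in range(churn):
        vol.write(f"activity{i}", os.urandom(CLUSTER))

    after = vol.volume_hashes()
    return {name: survival(baseline[name], after) for name in docs}


if __name__ == "__main__":
    for kw in ({}, {"churn": 14}, {"wipe": True}, {"policy": "lowest"}):
        print(kw, run_scenario(**kw))
```

With the FIFO policy and no further activity every original survives completely; 14 clusters of later activity wipe out A and half of B; a zeroing strain leaves nothing; and with the "lowest cluster first" policy the encrypted copies themselves land on the freed clusters, so only the last document survives without any extra activity at all. The ransomware is identical in all four runs: the spread in results comes entirely from the allocation policy and the post-infection workload, which is the point jaclaz and athulin make about repeatability.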
jaclaz
(@jaclaz)
Community Legend

It is not "useless", it is IMHO very "narrow" (as AFAIK only some, not all ransomwares behave like that) and (still IMHO) very "vague", as said the issue is that the ransomware - by design - operates while the system is in use, so any results you will get will depend on the use of the computer while and after the ransomware started.

What you will get is some percentage (let's call it "probabilities") data of recoverability on an "idle" system.

What if the system is
1) a workstation
2) a network server
3) a mail server
4) etc.

How will the actual usage affect recoverability?

Is there a difference between a server with 42 clients connected and a self-standing workstation?

Is there a difference between a workstation concurrently running (say) Word to write a letter and one concurrently running (still say) Photoshop to retouch large images?

What will happen if (Vista +) the automatic (weekly) disk defrag/optimization kicks in?

What will happen if an automatic update (for the sake of the reasoning Windows 10) starts?

jaclaz

Posted : 22/08/2019 4:06 pm
Ibernato
(@ibernato)
Junior Member

What will happen if (Vista +) the automatic (weekly) disk defrag/optimization kicks in?

What will happen if an automatic update (for the sake of the reasoning Windows 10) starts?

jaclaz

Exactly. The premise is that the right precautions are immediately put in place before defragmentation begins.
The same applies to SSDs, which have the TRIM command. If TRIM is executed then all data will be lost.
Thus, this procedure will only be successful if it is done immediately.
In fact I will write this in the premises of the thesis.

Posted : 22/08/2019 5:34 pm
trewmte
(@trewmte)
Community Legend

Is that examination post-exploit (held to ransom) or post-release (ransom paid or alternative method of release found)?

Are you examining disc memory or RAM or both?

Post-exploit and only disc memory for my thesis.

OK got it.

Do you think it is a useless thesis?

Absolutely not. Your idea for this thesis is worth pursuing.

Remember your contribution adds to the principle "one-thesis-attempts-to-improve-upon-another". As a researcher, the image I have attached below might hopefully make that point clearer.

I have a large research collection of materials about ransomware, so do ask if there is a particular point on which you seek clarification.

Lastly, I saw you intended to use Scalpel. That reminded me of a statement in the book - The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory (2014). Just in case you haven't read that book…

Occasionally, people still attempt to reconstruct a file from a memory sample using traditional file carving tools, such as Scalpel (https://github.com/sleuthkit/scalpel). In most instances, they attempt to run a carving tool directly against a memory sample. These tools linearly scan the data, looking for specific signatures associated with well known file formats. Unfortunately, most of these tools assume the file data is contiguous and that the media being analyzed contains a whole copy of the file. This is a problem when dealing with RAM because the data stored in physical memory is inherently fragmented, and only parts of a file may actually be loaded into memory. As a result, except for files smaller than a page of memory, you are probably not going to extract the data you expect.

Alternatively, it is possible to use a plugin like memdump to extract the virtual address space of a particular process, and scan it using a linear file-carving tool. Although this can help address the issues with non-contiguous data, you still may lose important context associated with non-resident memory pages.

Posted : 22/08/2019 7:18 pm
jaclaz
(@jaclaz)
Community Legend

Exactly. The premise is that the right precautions are immediately put in place before defragmentation begins.
The same applies to SSDs, which have the TRIM command. If TRIM is executed then all data will be lost.
Thus, this procedure will only be successful if it is done immediately.
In fact I will write this in the premises of the thesis.

That is not a premise, it is an assumption (and a "bad" one while we are at it).

The "right precautions" are EITHER
1) put in place BEFORE any ransomware attack is possible
OR
2) put in place AFTER a ransomware is detected BUT BEFORE defragmentation (or ANY OTHER filesystem/disk intensive activity) takes place

The problem with #2 is that a lot of time may pass between the ransomware starting encrypting all your documents and it being detected, the whole point of these ransomwares is that normally they are detected with some delay (when they finish encrypting and ask for the ransom) so if there is actually anything automated in the background or - like the example I suggested - a "huge" Photoshop session running, there will be a lot of damage done.

Besides, a number of the known "remedies" only work if you can image the memory and extract the decryption keys from it, whilst the only "really quick" way to stop a defrag, or the creation of temp files, etc. is that of "pulling the plug".

It is a hard decision to make, keep the system powered on, capture the memory and hope that a decryption tool exists or will come out or cut the power thus minimizing disk writes potentially destroying the original data (deleted but still - partially - recoverable)?

Before I forget, another variable, how does disk occupation influence the recovery?
I mean, is recovering files from a - say - 95% filled filesystem (5% free space) the same as recovering from a 25% filled system (75% free space)?

How would the number of "encryptable" files influence the behaviour?
I mean, if you have a storage disk with all .doc and .docx files, will it behave differently from a "normal" system disk with thousands of files that the ransomware won't touch?

I know that it seems like I am putting before you a lot of difficulties, but rest assured that it is only to help you consider as much as possible the different aspects of the matter before you take a path that you may later regret having taken.

jaclaz

Posted : 22/08/2019 7:22 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

QUESTION Would it be possible to roll back or restore Volume Shadow Copies to recover a non-encrypted volume? Or would the Volume Shadow copies themselves be encrypted as well by the ransomware and thus inaccessible to be even restored?

Posted : 22/08/2019 10:33 pm
jaclaz
(@jaclaz)
Community Legend

QUESTION Would it be possible to roll back or restore Volume Shadow Copies to recover a non-encrypted volume? Or would the Volume Shadow copies themselves be encrypted as well by the ransomware and thus inaccessible to be even restored?

ANSWER yes and no.

Most ransomware will attempt to delete existing shadow copies, many using vssadmin, one of the suggested forms of preventive protection is to rename or disable, etc. vssadmin.exe
https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
some use instead wmic shadowcopy delete /nointeractive (but both need the VSS service running), one approach is to only enable the service when creating a shadow copy
http://itsimple.info/?p=1180

Recovering their contents from a deleted shadow copy may be possible or it may not
https://i.blackhat.com/us-18/Thu-August-9/us-18-Kobayashi-Reconstruct-The-World-From-Vanished-Shadow-Recovering-Deleted-VSS-Snapshots.pdf

(again if it has been not overwritten by *something else*)

jaclaz

Posted : 23/08/2019 8:42 am
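Added example (not code from anyone in this thread): a detection-side complement to jaclaz's point. If shadow copies are routinely destroyed via vssadmin or `wmic shadowcopy delete`, those process launches are a cheap, high-signal thing to alert on. The script below scans process-creation events for the two command shapes named above and reports the parent process so an analyst can see the context (a backup agent driving vssadmin is expected; an office application is not). The log lines and their `time|host|parent|image|commandline` layout are constructed for this example and are not any product's schema.

```python
"""Flag process-creation events that delete Volume Shadow Copies.

Added example, not from the forum thread. The sample log and its field layout
are constructed; adapt parse_line() to whatever your EDR/Sysmon export looks like.
"""
import re

# Constructed sample in an assumed "time|host|parent|image|commandline" layout.
SAMPLE_LOG = """\
2019-08-22T11:40:02Z|WS01|services.exe|backupagent.exe|backupagent.exe --snapshot C:
2019-08-22T11:41:10Z|WS01|cmd.exe|vssadmin.exe|vssadmin.exe list shadows
2019-08-22T11:48:31Z|WS01|winword.exe|cmd.exe|cmd.exe /c vssadmin.exe delete shadows /all /quiet
2019-08-22T11:48:35Z|WS01|svchost.exe|wmic.exe|wmic shadowcopy delete /nointeractive
2019-08-22T11:50:00Z|SRV02|explorer.exe|notepad.exe|notepad.exe C:\\Users\\a\\notes.txt
this line is malformed and must be skipped
"""

# Only the two command shapes mentioned in the thread; "vssadmin list shadows" is benign and must not fire.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
]

FIELDS = ("time", "host", "parent", "image", "cmdline")


def parse_line(line):
    """Split one event into a dict, or return None for lines that do not fit the layout."""
    parts = line.rstrip("\r\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def scan(log_text):
    """Return one alert per (event, rule) match, keeping the parent for triage context."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        for rule_name, pattern in RULES:
            if pattern.search(event["cmdline"]):
                alerts.append({
                    "time": event["time"],
                    "host": event["host"],
                    "rule": rule_name,
                    "parent": event["parent"],
                    "cmdline": event["cmdline"],
                })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['time']} {alert['host']} {alert['rule']} parent={alert['parent']} :: {alert['cmdline']}")
```

The matching is done on the full command line rather than the image name, so the `cmd.exe /c vssadmin ...` wrapper is caught as well as a direct launch. Both of jaclaz's commands need the VSS service running, so an alert on the service being started outside a backup window would be a natural third rule, but that event has a different shape and is left out here.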
Ibernato
(@ibernato)
Junior Member

Absolutely not. Your idea for this thesis is worth pursuing.

Remember your contribution adds to the principle "one-thesis-attempts-to-improve-upon-another". As a researcher, the image I have attached below might hopefully make that point clearer.

I have a large research collection of materials about ransomware, so do ask if there is a particular point on which you seek clarification.

Lastly, I saw you intended to use Scalpel. That reminded me of a statement in the book - The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory (2014). Just in case you haven't read that book…

Occasionally, people still attempt to reconstruct a file from a memory sample using traditional file carving tools, such as Scalpel (https://github.com/sleuthkit/scalpel). In most instances, they attempt to run a carving tool directly against a memory sample. These tools linearly scan the data, looking for specific signatures associated with well known file formats. Unfortunately, most of these tools assume the file data is contiguous and that the media being analyzed contains a whole copy of the file. This is a problem when dealing with RAM because the data stored in physical memory is inherently fragmented, and only parts of a file may actually be loaded into memory. As a result, except for files smaller than a page of memory, you are probably not going to extract the data you expect.

Alternatively, it is possible to use a plugin like memdump to extract the virtual address space of a particular process, and scan it using a linear file-carving tool. Although this can help address the issues with non-contiguous data, you still may lose important context associated with non-resident memory pages.

Thanks and yes, give me more information.

That is not a premise, it is an assumption (and a "bad" one while we are at it).

The "right precautions" are EITHER
1) put in place BEFORE any ransomware attack is possible
OR
2) put in place AFTER a ransomware is detected BUT BEFORE defragmentation (or ANY OTHER filesystem/disk intensive activity) takes place

The problem with #2 is that a lot of time may pass between the ransomware starting encrypting all your documents and it being detected, the whole point of these ransomwares is that normally they are detected with some delay (when they finish encrypting and ask for the ransom) so if there is actually anything automated in the background or - like the example I suggested - a "huge" Photoshop session running, there will be a lot of damage done.

Besides, a number of the known "remedies" only work if you can image the memory and extract the decryption keys from it, whilst the only "really quick" way to stop a defrag, or the creation of temp files, etc. is that of "pulling the plug".

It is a hard decision to make, keep the system powered on, capture the memory and hope that a decryption tool exists or will come out or cut the power thus minimizing disk writes potentially destroying the original data (deleted but still - partially - recoverable)?

Before I forget, another variable, how does disk occupation influence the recovery?
I mean, is recovering files from a - say - 95% filled filesystem (5% free space) the same as recovering from a 25% filled system (75% free space)?

How would the number of "encryptable" files influence the behaviour?
I mean, if you have a storage disk with all .doc and .docx files, will it behave differently from a "normal" system disk with thousands of files that the ransomware won't touch?

I know that it seems like I am putting before you a lot of difficulties, but rest assured that it is only to help you consider as much as possible the different aspects of the matter before you take a path that you may later regret having taken.

Ok, I understand.
Thanks

Posted : 26/08/2019 7:51 am