The 8th edition of DefCamp is just around the corner and the first batch of speakers is almost ready to be announced. If you are keen to learn more about ransomware, then this year’s presentation by Raul Alvarez, Senior Security Researcher and Malware Reverse Engineering Trainer at Fortinet, will definitely meet your expectations. At our kind request, he disclosed the good, the bad and the ugly of what you will learn about ransomware infections during DefCamp 2017.
We saw the rise of ransomware a couple of years ago or so. Common names include Cryptowall, Virlock, Locky, and so on, and of course, who could miss WannaCry? It is all over the press, and just recently, NotPetya, which resembles the Petya ransomware.
Most ransomware encrypts files and asks for a ransom. Some lucky people who paid the ransom were able to get their files back, but that is not always the case. There are different ways ransomware attacks your system. The common one is that it encrypts your files. Some, such as Virlock, also infect your executable files. They inherit the functionality of a file infector: they attach themselves to executable files and spread once the infected file is executed.
Going back to the Petya variants, instead of encrypting your files, the malware hijacks your Master Boot Record (MBR). It contains information about how your computer starts. It is also the one that determines which hard disk partition the boot-up process starts from. What Petya does is overwrite the MBR with its own code. It also has its own mini kernel that runs when you restart the infected computer. Although Petya doesn’t encrypt your files, it encrypts the MFT entries in the system. All files on your computer have an entry in the MFT (Master File Table); once these entries are encrypted, technically, you won’t be able to access your files.
In my upcoming presentation for DefCamp #8, we will go deeper into Petya’s code. I will share with you the tools and steps to follow the malware’s behaviour. We will also see how the infected MBR executes by using a debugger known as Bochs. It is a special debugger where you can emulate and see how the low-level boot process works.
As part of my presentation, we are also going to see how we can use a combination of different tools to figure out how ransomware can infect the very first sector of a hard disk: tools such as Disk Management, DISKPART, WinObj, Process Monitor, and HDHacker. And of course, x64dbg and OllyDbg for debugging the ransomware at the application level.
For a bit of advice: if your important files are encrypted and you are tempted to pay the ransom, always know that there is no guarantee that you will get your files back. Your best defense is to always have backups. It is not a matter of “if you will be infected or not”, it is a matter of “when you will be infected”.
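The MBR that Petya overwrites is a fixed 512-byte structure: 446 bytes of boot code, a 64-byte partition table of four 16-byte entries, and the two-byte 0x55AA boot signature. The following is an added example, not code from the interview or from Fortinet, showing how a defender can parse a saved copy of that sector (for instance a dump taken with a tool such as HDHacker, mentioned above) and compare its boot code against a known-good baseline hash. The sample sectors, the baseline boot code (a two-byte `jmp $` stub standing in for a real bootloader) and the NTFS partition layout are all constructed for this example; `BASELINE_DIGEST` is the hash of that constructed boot code, not of any real system.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes of bootstrap code at the start of the sector
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow the boot code
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"  # little-endian 0xAA55 marker in the last two bytes

# Layout of one partition entry (all little-endian):
# status(1) | CHS start(3) | type(1) | CHS end(3) | LBA start(4) | sector count(4)
_ENTRY_FMT = "<B3sB3sII"


def parse_partition_entry(raw):
    """Decode one 16-byte partition table entry into a dict."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(_ENTRY_FMT, raw)
    return {
        "bootable": status == 0x80,   # 0x80 marks the active (bootable) partition
        "type": ptype,                # e.g. 0x07 = NTFS/exFAT, 0x00 = unused slot
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(sector):
    """Split a raw 512-byte sector into boot code, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    entries = [
        parse_partition_entry(sector[off:off + PARTITION_ENTRY_LEN])
        for off in range(PARTITION_TABLE_OFFSET, PARTITION_TABLE_OFFSET + 4 * PARTITION_ENTRY_LEN,
                         PARTITION_ENTRY_LEN)
    ]
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": [e for e in entries if e["type"] != 0],  # drop empty slots
        "signature_ok": sector[SECTOR_SIZE - 2:] == BOOT_SIGNATURE,
    }


def check_mbr(sector, known_boot_code_sha256):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr["boot_code"]).hexdigest()
    if digest != known_boot_code_sha256:
        # An MBR-hijacking ransomware replaces exactly this region with its own loader.
        findings.append("boot code differs from baseline (sha256 %s)" % digest[:16])
    bootable = [p for p in mbr["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append("expected exactly one active partition, found %d" % len(bootable))
    return findings


def build_mbr(boot_code, partitions):
    """Assemble a synthetic MBR; partitions is a list of (bootable, type, lba_start, sectors)."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    table = b"".join(
        struct.pack(_ENTRY_FMT, 0x80 if bootable else 0x00, b"\x00" * 3, ptype, b"\x00" * 3, lba, n)
        for bootable, ptype, lba, n in partitions
    )
    return body + table.ljust(4 * PARTITION_ENTRY_LEN, b"\x00") + BOOT_SIGNATURE


# Constructed test data: a clean baseline and a sector whose boot code was replaced
# with NOP filler (not real malware code), partition table left untouched.
NTFS_LAYOUT = [(True, 0x07, 2048, 204800)]
BASELINE_MBR = build_mbr(b"\xEB\xFE", NTFS_LAYOUT)              # jmp $ stand-in loader
BASELINE_DIGEST = hashlib.sha256(BASELINE_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = build_mbr(b"\x90" * BOOT_CODE_LEN, NTFS_LAYOUT)

if __name__ == "__main__":
    for name, sector in (("baseline", BASELINE_MBR), ("tampered", TAMPERED_MBR)):
        findings = check_mbr(sector, BASELINE_DIGEST)
        print(name, "->", "OK" if not findings else "; ".join(findings))
```

Reading the live first sector of a disk needs administrator rights and is platform-specific, so the example works on bytes already captured to a file; the baseline hash should be taken from a known-clean system (or immediately after installation) and stored off-host, since a bootkit that can rewrite the MBR can also rewrite a hash kept on the same disk.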