AntiRansomware Tools Thoroughly Tested Part 1
Information Security Inc.
Information Security Confidential - Partner Use Only
Contents
• What is Ransomware?
• Rise of Ransomware
• Ransomware Testing Environment
• Cybereason RansomFree
• References
What is Ransomware?
• Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid
• Ransomware is malicious code that cybercriminals use to launch data-kidnapping and lock-screen attacks
• The motive for ransomware attacks is monetary
Rise of Ransomware
Ransomware Testing Environment
• Victim machine: Windows 7 Ultimate SP1 x64
• Ransomware: Zepto ransomware (https://www.tripwire.com/state-of-security/latest-security-news/the-newest-online-threat-zepto-ransomware/)
Cybereason RansomFree
• Download link: https://ransomfree.cybereason.com/download/
• How does RansomFree work?
Cybereason RansomFree
• How does RansomFree work?
◎ The RansomFree process (shown as CybereasonRans in the trace) uses the NtCreateFile function (https://goo.gl/dNd3Hx) to create bait folders and files in multiple locations
◎ Creating bait folders
Cybereason RansomFree
• How does RansomFree work?
◎ The RansomFree process (shown as CybereasonRans in the trace) uses the NtCreateFile function (https://goo.gl/dNd3Hx) to create bait folders and files in multiple locations
◎ Creating bait files inside the folders
Cybereason RansomFree
• How does RansomFree work? When it detects suspicious behavior, it kills the offending process
Cybereason RansomFree
• How does RansomFree work?
◎ The ransomware adds a .zepto extension to the bait files by renaming them through the NtSetInformationFile function (https://goo.gl/3V1UMv), the FileRenameInformation information class; touching the bait files is what gives the ransomware away
Cybereason RansomFree
• How does RansomFree work?
◎ RansomFree kills the ransomware's threads and the parent process, then loads a new image of itself, starting a new process with ID 244
Cybereason RansomFree
• How does RansomFree work?
◎ Thread stack before exiting
◎ The BaseThreadInitThunk function (https://goo.gl/rm79Bd) calls the thread's start address; when the thread routine returns, the thread is terminated and its stack is freed
Cybereason RansomFree
• How does RansomFree work?
◎ RansomFree deletes files generated by ransomware
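The decoy-file mechanism the slides trace, from planting bait folders and files in several locations, through catching the rename that appends .zepto, to cleaning up what the ransomware left behind, as an added Python example. This is not RansomFree's code: the decoy folder name, the decoy file names, their contents and the roots they are planted under are assumptions chosen for illustration, and the "attack" in run_demo is constructed with plain file operations rather than a real Zepto run. It goes beyond the single case on the slides by also reporting in-place overwrites, deletions and foreign files (such as a ransom note) dropped into a decoy folder. It does not implement the kill step: attributing a file change to the process that made it needs an OS-level file-event source (on Windows, a file system minifilter or ETW) rather than the polling used here, and the slides do not show how RansomFree does that part.

```python
"""Decoy-file ransomware detection and cleanup (added example, not RansomFree code).

Decoy folder/file names, contents and locations are assumptions for illustration.
"""
import hashlib
import os
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# A leading "!" sorts before ordinary names in most directory listings, so an
# encryptor that walks a folder in order reaches the decoys early (assumption:
# the slides do not show RansomFree's own naming scheme).
DECOY_DIR = "!decoy_files"
DECOY_NAMES = ("!decoy_invoice.docx", "!decoy_photos.jpg", "!decoy_budget.xlsx")

# decoy folder -> {decoy file name: SHA-256 of the content we planted}
Inventory = Dict[Path, Dict[str, str]]


@dataclass
class Alert:
    kind: str                       # "renamed", "modified", "deleted" or "foreign_file"
    decoy_dir: Path
    name: str                       # decoy name (or the foreign file's name)
    artifact: Optional[str] = None  # file the ransomware left behind, if known


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_decoys(roots: List[Path]) -> Inventory:
    """Create one decoy folder under each root and record the decoys' hashes."""
    inventory: Inventory = {}
    for root in roots:
        folder = Path(root) / DECOY_DIR
        folder.mkdir(parents=True, exist_ok=True)
        inventory[folder] = {}
        for name in DECOY_NAMES:
            decoy = folder / name
            # Random bytes give the decoy the size and entropy of real user
            # data; empty or tiny files are often skipped by encryptors.
            decoy.write_bytes(os.urandom(4096))
            inventory[folder][name] = _sha256(decoy)
    return inventory


def check_decoys(inventory: Inventory) -> List[Alert]:
    """Compare each decoy folder with its planted state and report tampering."""
    alerts: List[Alert] = []
    for folder, expected in inventory.items():
        present = {p.name for p in folder.iterdir() if p.is_file()} if folder.is_dir() else set()
        foreign = sorted(present - set(expected))  # files we did not plant
        for name in expected:
            if name in present:
                if _sha256(folder / name) != expected[name]:
                    alerts.append(Alert("modified", folder, name))  # encrypted in place
                continue
            if not foreign:
                alerts.append(Alert("deleted", folder, name))
                continue
            # A decoy vanished and an unknown file appeared: treat it as the renamed
            # decoy. Prefer a name still containing the decoy's stem (extension
            # appended, as with .zepto on the slides); otherwise take the first one.
            stem = Path(name).stem
            artifact = next((f for f in foreign if stem in f), foreign[0])
            foreign.remove(artifact)
            alerts.append(Alert("renamed", folder, name, artifact=artifact))
        for name in foreign:  # whatever is left is not ours, e.g. a ransom note
            alerts.append(Alert("foreign_file", folder, name, artifact=name))
    return alerts


def remediate(inventory: Inventory, alerts: List[Alert]) -> List[Path]:
    """Delete what was left in the decoy folders and re-plant the decoys.

    Decoy folders hold nothing of value, so removing their contents is safe;
    never point this at a user's real folders.
    """
    removed: List[Path] = []
    for alert in alerts:
        if alert.artifact:
            leftover = alert.decoy_dir / alert.artifact
            if leftover.exists():
                leftover.unlink()
                removed.append(leftover)
    for folder in inventory:
        for name in DECOY_NAMES:
            decoy = folder / name
            decoy.write_bytes(os.urandom(4096))
            inventory[folder][name] = _sha256(decoy)
    return removed


def run_demo():
    """Plant decoys in a scratch tree, apply constructed ransomware actions, detect, remediate.

    Returns (alerts after the attack, alerts after remediation, names of removed files).
    """
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        roots = [Path(tmp) / "Documents", Path(tmp) / "Pictures"]
        inventory = plant_decoys(roots)
        folder = roots[0] / DECOY_DIR
        # 1. the case on the slides: a decoy is renamed with .zepto appended
        (folder / DECOY_NAMES[0]).rename(folder / (DECOY_NAMES[0] + ".zepto"))
        # 2. encrypt-in-place variant: content overwritten, name unchanged
        (folder / DECOY_NAMES[1]).write_bytes(b"\x00" * 32)
        # 3. a ransom note dropped next to the decoys (constructed file)
        (folder / "_HELP_instructions.html").write_text("pay up")
        attack_alerts = check_decoys(inventory)
        removed = remediate(inventory, attack_alerts)
        return attack_alerts, check_decoys(inventory), [p.name for p in removed]


if __name__ == "__main__":
    before, after, removed = run_demo()
    for alert in before:
        print(alert.kind, alert.name, alert.artifact or "")
    print("removed:", removed, "remaining alerts:", after)
```

Decoys only help if the ransomware reaches them before the user's real data, so where they are planted (the document roots an encryptor enumerates first) and how their names sort matter as much as the check itself, and a polling check like this one must run often or be replaced by an event-driven watcher to catch the rename before many real files are encrypted.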
References
• Wikipedia: https://en.wikipedia.org/wiki/Ransomware
• KnowBe4: https://www.knowbe4.com/ransomware
• Heimdal Security: https://heimdalsecurity.com/blog/what-is-ransomware-protection