DeepSec 2021 Talk: When Ransomware fails – Sreenidhi Ramadurgam

Sanna/ October 19, 2021/ Conference/ 0 comments

Ransomware is a piece of code that is written by an attacker to encrypt the victim’s files. Even though it has been around for many years, its popularity has increased since the outbreak of Wannacry which shook the whole cyber world.

When the logic of the ransomware code is observed we can see a common pattern here. It is similar to how humans interact with the system. I.e, to access the files, the code has to access the logical drive first. Here each logical drive is assigned a letter by the operating system. For example, when a code has to access the files in D drive, it has to access the drive ‘D’ first.

What if there is a logical drive in the system which doesn’t have any letter assigned to it?
Well, now it is harder to access the files, because the ransomware code is written to access the drive with the assigned letter. This is where most of the ransomwares fail to encrypt the data.

Guess what? The audience will witness what ransomware can not encrypt. Yes you heard it right! Can not! Could this be a solution for basic users to backup important files from being encrypted?
We will see what an attacker might do in the future when ransomware encounters this situation.

We asked Sreenidhi a few more questions about his talk.

Please tell us the top facts about your talk.

  • We get to look at ransomware from the attacker’s point of view
  • What all ransomwares have in common
  • We will look at what ransomwares cannot encrypt and why they can not.
  • A simple trick that works for everyone on windows to save the files from being encrypted.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I was fascinated with ransomwares and how they encrypt the files in the system. I was trying to crave the files from a ransomware infected system. During one such experiment, I gave the assigned letter as ‘A’ for some drive and ran a specific ransomware, and I was surprised to see that it did not encrypt it. That made me think, what if we remove that assigned letter and that’s where the initial spark came from! .

Why do you think this is an important topic?

It’s important to know what malware/ransomware can do and can not do. It would be like finding a bug in the malware!

Is there something you want everybody to know – some good advice for our readers maybe?

Always treat any malware like a normal program code written by some programmer (well, that’s what it is actually).  The malware will do what it is supposed to do, which is written by the attacker and nothing else.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

As I mentioned before, if there is something that a malware can not perform, then the attacker can add a function/code to it at any point of time. In this particular case an attacker can add a code to assign a letter to an unassigned drive.

 

Sreenidhi is a Security Researcher at Cisco. He has conducted cybersecurity and malware analysis workshops at universities across India and delivered talks at Cisco SecCon packet village, 2019 and at BSides Munich/ELBSides 2021.

He actively works on threat hunting, reverse engineering various malware samples and build honeypots to catch threats in the wild. His arsenal includes malware reversing and analysis skills, Metasploit skills, and he also has a strong interest in memory forensics.Sreenidhi has published blog posts related to interesting findings that he has come across in this domain:
1. https://umbrella.cisco.com/blog/inadequate-security-makes-wordpress-sites-a-land-of-opportunity-for-hackers
2. https://umbrella.cisco.com/blog/cyber-attackers-use-seo-to-spread-malware-through-torrent-files
3. https://umbrella.cisco.com/blog/obfuscation-the-abracadabra-of-malware-authors

Certifications: GREM, CEH, Cisco BlackBelt.

Share this Post

Leave a Comment

Your email address will not be published. Required fields are marked *

*
*

This site uses Akismet to reduce spam. Learn how your comment data is processed.