Ransomware is a type of malware that is installed covertly on a computer, without the user's knowledge, then restricts access to the infected system and demands that the user pay a ransom to the malware operators to lift the restriction.
The typical ransomware attack systematically encrypts the files on the system's hard drive, which remain inaccessible unless the ransom is paid. Other variants simply lock the system and display a message intended to convince the user to pay.
Ransomware usually spreads like a trojan: its payload is disguised as an apparently legitimate file, for example a downloaded file, or it arrives by exploiting a software vulnerability.
To do its work, the ransomware has to read and then encrypt the files, and it obtains a handle (an identifier) for every file it touches. Whatever encryption algorithm it uses, this is a lower-level behaviour that depends on how the Windows kernel mediates access to the system hardware. If we can monitor the rate at which new handles are created by each process, the abnormal activity produced by the ransomware becomes detectable. The same applies to destructive malware designed to overwrite a large number of files to prevent their recovery.
Recall that an object is a data structure that represents a system resource, such as a file. An application cannot directly access an object's data or the system resource it represents. Instead, the application must obtain an object handle, which it then uses to examine or modify the resource. Each handle has an entry in an internally maintained handle table; these entries hold the address of the resource and the means to identify its type. This is one of several layers of abstraction that separate the user (and every running process) from physical assets such as the hard drive. Any request to access a file on the disk,
handle_monitor, a tool for Windows, is built on this pattern. It takes an inventory of every file handle, per process, across the whole system. It then pauses for a short, user-configurable interval and checks again for handles it has not seen before, counting the number of new handles created by each process. If that count exceeds the threshold after a defined number of cycles, an alert is generated and an action is taken (such as suspending the suspicious process).
Sequence of operation:
- Builds an index of all file handles held by all running processes.
- Pauses (/pause=X) for the configured amount of time.
- Re-reads the handle tables and keeps a count of the new handles per process.
- After the defined number of cycles (/cycles=X), it performs an analysis.
- In the analysis, it checks whether any process has exceeded the threshold (/threshold=X) for new handles.
- If so, it generates an alert for that process and can optionally suspend it (/suspend).
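The detection loop described above, written out as a runnable simulation. This is an added example, not handle_monitor's own code: it models a handle as a (handle value, object path) pair and feeds the monitor hand-constructed per-cycle handle tables instead of enumerating real processes; the names ProcessInfo, HandleMonitor and build_snapshots, and the assumption that a new window starts after each analysis, are the example's own.

```python
"""Simulation of the handle_monitor detection loop (added example).

Not the project's own code. A handle is modelled as a (handle_value,
object_path) pair and the per-cycle handle tables are constructed by hand;
on a real system they would come from enumerating every process's handles.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProcessInfo:
    pid: int
    name: str
    signed: bool  # constructed flag standing in for an Authenticode check


@dataclass
class HandleMonitor:
    cycles: int = 10               # /cycles=X   monitoring cycles per analysis window
    threshold: int = 10            # /threshold=X new handles that make a process suspicious
    include_signed: bool = False   # /signed     otherwise signed executables are ignored
    suspend: bool = False          # /suspend    record (simulate) suspension of flagged processes
    seen: dict = field(default_factory=dict)        # pid -> set of handles indexed so far
    new_counts: dict = field(default_factory=dict)  # pid -> new handles seen in this window
    procs: dict = field(default_factory=dict)       # pid -> ProcessInfo
    suspended: list = field(default_factory=list)   # pids the tool would have suspended
    cycle_no: int = 0

    def observe(self, snapshot):
        """Feed one snapshot {ProcessInfo: set of (handle, path)}.

        Returns None while the window is still being monitored, or the sorted
        list of (pid, name, new_handle_count) flagged once /cycles cycles are done.
        """
        for proc, handles in snapshot.items():
            if proc.signed and not self.include_signed:
                continue  # default behaviour: skip signed binaries to reduce noise
            self.procs[proc.pid] = proc
            known = self.seen.setdefault(proc.pid, set())
            if self.cycle_no > 0:  # cycle 0 only builds the baseline index
                self.new_counts[proc.pid] = (
                    self.new_counts.get(proc.pid, 0) + len(handles - known))
            known |= handles
        self.cycle_no += 1
        if self.cycle_no > self.cycles:
            return self._analyse()
        return None

    def _analyse(self):
        flagged = sorted(
            (pid, self.procs[pid].name, n)
            for pid, n in self.new_counts.items() if n > self.threshold)
        if self.suspend:
            self.suspended.extend(pid for pid, _, _ in flagged)
        # assumption: the next snapshot becomes the baseline of a fresh window
        self.new_counts.clear()
        self.cycle_no = 0
        return flagged


def build_snapshots():
    """Constructed per-cycle handle tables (not real system data).

    editor.exe saves a file now and then, crypt.exe sweeps through a fresh
    batch of documents every cycle, svchost.exe is signed and busy.
    """
    editor = ProcessInfo(1001, "editor.exe", signed=False)
    crypt = ProcessInfo(2002, "crypt.exe", signed=False)
    svc = ProcessInfo(3003, "svchost.exe", signed=True)
    snaps = []
    for cycle in range(4):  # cycle 0 is the baseline, then 3 monitored cycles
        editor_handles = {(0x10, r"C:\docs\notes.txt")}
        if cycle in (1, 3):
            editor_handles.add((0x14 + cycle, rf"C:\docs\draft{cycle}.txt"))
        crypt_handles = {(0x20, r"C:\docs\inv.xlsx")}
        if cycle:
            for i in range(3 * cycle, 3 * cycle + 3):
                crypt_handles.add((0x100 + i, rf"C:\docs\file{i}.docx"))
        svc_handles = {(0x300 + i, rf"C:\Windows\Logs\log{i}.etl")
                       for i in range(4 * cycle)}
        snaps.append({editor: editor_handles, crypt: crypt_handles, svc: svc_handles})
    return snaps


if __name__ == "__main__":
    monitor = HandleMonitor(cycles=3, threshold=5, suspend=True)
    for snap in build_snapshots():
        flagged = monitor.observe(snap)
        if flagged:
            for pid, name, count in flagged:
                print(f"ALERT pid={pid} {name}: {count} new handles in 3 cycles")
    print("suspended:", monitor.suspended)
```

The window is shortened to 3 cycles with a threshold of 5 so the constructed data stays small; the tool's own defaults are 10 and 10. With the default filter only crypt.exe (9 new handles) is flagged; passing include_signed=True, the equivalent of /signed, also flags the busy signed service, which is exactly the noise the default filter is meant to suppress.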
By default it only looks at unsigned executables (to reduce noise), but signed ones can be included with /signed.
How to use handle_monitor:

handle_monitor.exe

Optional parameters:
- /cycles=X, number of monitoring cycles (default: 10).
- /threshold=X, suspicion threshold for the number of new handles (default: 10).
- /pause=X, pause in milliseconds between cycles (default: 1000).
- /signed, include signed executables in the review.
- /suspend, suspend processes that are considered suspicious.
- /verbose, display detailed messages.

More information and download of handle_monitor:
https://github.com/adamkramer/handle_monitor