How does the AntiRansomware module works in detail (my own reverse engineering)



In the first default Anti-Ransomware rule, Traps simulates, for all processes, honeypot files with typical ransomware filenames in certain directories.

It looks something like this (the same thing for ZZZ):

    PS C:\Users\xxx\Desktop> Get-ChildItem !!!*

        Verzeichnis: C:\Users\xxx\Desktop

    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    d-----       18.01.2018     13:31                !!!!!1807308317
    d-----       18.01.2018     13:31                !!!!!1735784583
    ------       25.12.2017     12:46           2024 !!!!!2126159552.doc
    ------       13.12.2017     11:38           9999 !!!!!1682639546.jpg
    ------       06.01.2018     13:00          25000 !!!!!2578223030.bmp
    ------       06.01.2018     12:58          50238 !!!!!3415963366.docx
    ------       13.12.2017     12:26         150000 !!!!!2214314931.xlsx
    ------       06.01.2018     12:14         200000 !!!!!3655313582.ppt
    ------       25.12.2017     11:50         249998 !!!!!2017929762.pptx
    ------       13.12.2017     12:07         300000 !!!!!2632939134.avi
    ------       13.12.2017     13:04         350000 !!!!!1981152561.pst
    ------       25.12.2017     12:46           2024 !!!!!292343125.doc
    ------       13.12.2017     11:38           9999 !!!!!2783536067.jpg
    ------       06.01.2018     13:00          25000 !!!!!2413104011.bmp
    ------       06.01.2018     12:58          50238 !!!!!2389705127.docx
    ------       13.12.2017     12:26         150000 !!!!!1076796588.xlsx
    ------       06.01.2018     12:14         200000 !!!!!2824405210.ppt
    ------       25.12.2017     11:50         249998 !!!!!2083205403.pptx
    ------       13.12.2017     12:07         300000 !!!!!2294358113.avi
    ------       13.12.2017     13:04         350000 !!!!!2523101513.pst

With cmd and the dir command, I don't see the files. Python, like the PowerShell process, also sees the files (Python command: print(os.listdir('C:\\Users\\xxx\\Desktop\\'))).


So I made an exclusion for the powershell.exe process, in which I deactivated the AntiRansomware module. After that the files are no longer visible with the command Get-ChildItem !!!*, but the python.exe process still sees the files. This means that the files are not actually present. These are really files simulated by Traps for all processes. After the first default rule, this rule applies to all processes. After that, however, there are some compatibility rules where Palo Alto excludes the anti-ransom virus protection for certain processes. Palo Alto has even more possibilities than we do via the GUI; they also have exclusions for the directories to be monitored.


Now we know which files are being monitored, but not which actions. I understood this with powershell.exe and python and came to this result:

The following actions are monitored by traps (shown an alert):


However, Traps does not recognize when a process recreates a file with exactly the same file name as one of these simulated files. powershell.exe, which sees these simulated files, says about it:

    New-Item c:\Users\xxx\Desktop\!!!!!2126159552.doc -ItemType file

    New-Item : Die Datei "C:\Users\xxx\Desktop\!!!!!2126159552.doc" already exists

cmd.exe, which does not see the files, says:

    C:\Users\xxx\Desktop>echo some-text  > !!!!!2126159552.doc

    Access denied


Either way, no Traps alert is generated. Also there is no alert if the filename is appended with another character, e.g. instead of !!!!!!!2523101513.pst, !!!!!!2523101515139.pst. This means that it only monitors these simulated files. A new ransomware that writes other file names, even if they start with five exclamation marks or ZZZZ, will not give an alert.


Therefore, I interpret the default rule parameter Ransom.HoneypotNamePatterns=ZZZZZ;!!!!! so that this is the fixed part of the filename of these simulated files; the numbers, I think, are random.


What possibilities do we have for exclusion?


Unfortunately, via the GUI we have no possibility to make other exclusions than to exclude a corresponding process. I hope, however, that in the future we will be able to include the directories to be monitored in/exists and the files and file patterns to be simulated.


I hope this could help a little bit.
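As an added example (not code from the post and not Palo Alto's), the following Python script models what the post observes: it parses the Get-ChildItem listing shown above, picks out the entries that follow the Ransom.HoneypotNamePatterns prefixes (ZZZZZ and !!!!!) plus random digits, and builds a small coverage report so an administrator can see exactly which names the honeypot rule covers in a directory. The would_alert function encodes the post's finding that only the exact simulated names are monitored, and live_directory_honeypots applies the same check to a real directory from a python.exe process, the way the post used os.listdir to test visibility. The name regex (prefix, digits, optional extension) is an assumption inferred from the listing, and the listing sample and the notes.txt row are constructed for the example.

```python
import os
import re
import sys
from dataclasses import dataclass
from typing import Optional

# Fixed prefixes from the default rule parameter quoted in the post:
#   Ransom.HoneypotNamePatterns=ZZZZZ;!!!!!
HONEYPOT_PREFIXES = ("ZZZZZ", "!!!!!")

# One data row of the Get-ChildItem table output shown in the post
# (German date format; directory rows carry no Length column), e.g.
#   d-----       18.01.2018     13:31                !!!!!1807308317
#   ------       25.12.2017     12:46           2024 !!!!!2126159552.doc
_ROW_RE = re.compile(
    r"^(?P<mode>[d-][a-z-]{5})\s+"
    r"(?P<date>\d{2}\.\d{2}\.\d{4})\s+"
    r"(?P<time>\d{2}:\d{2})\s+"
    r"(?:(?P<size>\d+)\s+)?"
    r"(?P<name>\S.*)$"
)

# Simulated honeypot name as the post describes it: fixed prefix + random
# digits, optionally a document-style extension. Assumption inferred from the
# listing in the post, not taken from Traps documentation.
_HONEYPOT_NAME_RE = re.compile(
    r"^(?P<prefix>" + "|".join(re.escape(p) for p in HONEYPOT_PREFIXES) + r")"
    r"(?P<digits>\d+)(?P<ext>\.[A-Za-z0-9]+)?$"
)

# Constructed sample: a subset of the post's listing plus one ordinary file.
SAMPLE_LISTING = """\
    Verzeichnis: C:\\Users\\xxx\\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       18.01.2018     13:31                !!!!!1807308317
d-----       18.01.2018     13:31                !!!!!1735784583
------       25.12.2017     12:46           2024 !!!!!2126159552.doc
------       13.12.2017     11:38           9999 !!!!!1682639546.jpg
------       13.12.2017     13:04         350000 !!!!!2523101513.pst
------       03.01.2018     09:12           4096 notes.txt
"""


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    size: Optional[int]


def parse_listing(text):
    """Parse Get-ChildItem table output into Entry objects; header, separator
    and 'Verzeichnis:' lines do not match the row pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue
        size = int(m["size"]) if m["size"] else None
        entries.append(Entry(m["name"], m["mode"].startswith("d"), size))
    return entries


def honeypot_prefix(name):
    """Return the Ransom.HoneypotNamePatterns prefix a name follows, or None."""
    m = _HONEYPOT_NAME_RE.match(name)
    return m["prefix"] if m else None


def simulated_names(entries):
    """Names in a listing that look like Traps-simulated honeypot entries."""
    return frozenset(e.name for e in entries if honeypot_prefix(e.name))


def would_alert(name, simulated):
    """Model of the post's finding: Traps alerts only on the exact simulated
    names, not on a new name that merely shares the prefix."""
    return name in simulated


def coverage_report(entries):
    """Summarise what the honeypot rule covers in this directory."""
    simulated = simulated_names(entries)
    exts = {os.path.splitext(n)[1] for n in simulated}
    return {
        "simulated": sorted(simulated),
        "by_prefix": {p: sum(1 for n in simulated if n.startswith(p)) for p in HONEYPOT_PREFIXES},
        "extensions": sorted(e for e in exts if e),
        "unmonitored": sorted(e.name for e in entries if e.name not in simulated),
    }


def live_directory_honeypots(path):
    """Honeypot names as seen by this python.exe process. The post shows cmd.exe
    does not see them while PowerShell and Python do, so an empty result for a
    monitored directory suggests the module is off or excluded for this process."""
    return frozenset(n for n in os.listdir(path) if honeypot_prefix(n))


if __name__ == "__main__":
    for key, value in coverage_report(parse_listing(SAMPLE_LISTING)).items():
        print(f"{key}: {value}")
    if len(sys.argv) > 1:
        print("live:", sorted(live_directory_honeypots(sys.argv[1])))
```

Run it with no arguments to see the report for the embedded sample, or pass a directory path to check what the current process actually sees there; comparing that result between an excluded and a non-excluded process reproduces the visibility test from the post.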
