In the past few years, ransomware attacks have become mainstream. Ransomware is often used to attack enterprise systems and individuals, causing great harm to the victims by encrypting large amounts of valuable data.
Recently, ransomware attacks have grown in sophistication and diversity by using advanced techniques, making them difficult to recognize and analyze. In particular, automated analysis of ransomware samples in sandboxes has become difficult due to various sandbox evasion techniques.
Contemporary ransomware samples employ strong cryptography, including public key cryptography, and other self-protection mechanisms in order to prevent recovery of the encrypted data by reverse engineering of their binaries. This is done to avoid detection and to increase the attackers' chances of getting ransom payments from victims. In many cases, it is practically infeasible to restore the contents of the encrypted files; hence it is essential to have a deep insight into the internal workings of these samples. Detailed technical information about their behavior and an understanding of their operation can help to improve prevention methods and detection signatures, and therefore to mitigate the risks by effectively protecting ourselves from these threats.
Although valuable information and several analysis reports on this topic can be found in public sources, the problem is that most of these reports are far from a comprehensive description: they often detail only a specific portion of the big picture, leaving many open questions, or discuss the overall functioning by presenting a higher-level overview that is difficult to reproduce directly.
In this presentation, I will discuss the self-protection mechanisms applied in the Locky ransomware, in particular its unpacking method, and attempt to give a more comprehensive technical overview of the sample's anti-analysis techniques, based both on collected public information and on our own analysis results. The anti-analysis methods used in Locky show that the authors of the ransomware invested significant effort in hiding its internal operation and in making static analysis of these samples difficult. One such trick is the use of a Nullsoft installer package as an obfuscation technique; another is the direct invocation of system calls instead of calling Ntdll functions. Beyond obfuscation, multiple layers of encryption, runtime import address table construction, DLL injection and other features serve to make analysis harder.
In my presentation I will also outline the most striking differences between Locky and a Hungarian ransomware that imitates it: Hucky.