Sensitive File encryption
ID | sensitive_file_encryption
Severity | critical
Resource | Sensitive Data
Tags | ransomware
Description
This detector checks for code that enumerates and then encrypts files that are considered sensitive.
Rationale
In order to prevent access to system and network resources, adversaries may encrypt data on target systems or on a sizable number of systems inside a network. By encrypting files or data on local and remote drives and preventing access to a decryption key, they can try to make stored material unreadable. This could be done to make data permanently unreadable in situations where the key is not preserved or communicated, or it could be done to demand money from a victim in exchange for decryption or a decryption key (ransomware).
Both sensitive OS files and common user files like Office documents, PDFs, pictures, videos, music, text, and source code files are frequently encrypted (and frequently renamed and/or marked with certain file identifiers) when hit by ransomware. To unlock and/or gain access to modify these files, adversaries may first need to perform other actions, such as System Shutdown/Reboot or File and Directory Permissions Modification. Adversaries may occasionally encrypt the MBR, disk partitions, and important system files.
Related Malware campaigns
These are the biggest ransomware attacks that are related to this technique:
- WannaCry is the biggest ransomware attack in history. It affected hundreds of thousands of computer systems worldwide.
- NotPetya is a Petya variant (just as GoldenEye) that resulted in a worldwide ransomware infection on June 27th, 2017. It affected computers primarily in Ukraine and Russia.
- SamSam ransomware was a cyberattack on January 6th, 2016. It affected many hospitals, businesses, and government agencies in the United States.
- CryptoLocker is one of the famous ransomware attacks. It happened on September 5th, 2013, and affected computers worldwide.
- Bad Rabbit was a drive-by ransomware attack that took place on October 24th, 2017. The attack vector was a malicious dropper masquerading as a fake Adobe Flash installation or update. Once executed, the dropper encrypted the user's files and demanded a ransom of 0.05 BTC to decrypt them.
Configuration
The detector has the following configurable parameters:
- file_patterns, the file patterns the detector uses to match sensitive files.
- sources, the source kinds to check. Available values are:
  - sensitive_file
- sinks, the sink kinds to check. Available values are:
  - sensitive_data
- neutralizations, the neutralization kinds to check. By default this is empty: no neutralizers are considered for potentially malicious code.
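The source/sink/neutralization model the parameters above describe, as an added illustration that is not the product's own detector code: a small static analyser that parses Python with the standard `ast` module (the analysed code is never executed), treats a file-enumeration call whose string argument matches one of the configured file patterns (or an `endswith` filter on such an extension) as the source, an encryption call on data derived from it as the sink, and lets a configured neutralizer break the flow. The pattern list, the enumeration and encryption call names, the `NEUTRALIZATIONS` set and the `SAMPLE` input are all assumptions constructed for this example, not the detector's real configuration.

```python
# Added example, not the product's code: an ast-based source/sink detector in the style of this rule; patterns, call names and SAMPLE are constructed.
import ast
import fnmatch
from collections import namedtuple

# Constructed counterparts of the documented parameters.
FILE_PATTERNS = ["*.docx", "*.xlsx", "*.pdf", "*.jpg", "*.mp4", "*.txt", "*.c"]
ENUMERATION_CALLS = {"glob", "iglob", "rglob", "walk", "listdir", "scandir"}  # sources
ENCRYPTION_CALLS = {"encrypt", "encrypt_and_digest"}                         # sinks
NEUTRALIZATIONS = set()  # dotted call names that break a flow; empty by default, as documented
# (pattern enumerated, line of the enumeration or filter, dotted sink name, sink line)
Finding = namedtuple("Finding", "pattern source_line sink sink_line")

def dotted_name(node):
    # 'a.b.c' for a Name/Attribute chain, None for anything else
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return None

def sensitive_pattern(call):
    # first configured pattern matched by a string literal among the call's arguments
    for arg in list(call.args) + [kw.value for kw in call.keywords]:
        for const in ast.walk(arg):
            if isinstance(const, ast.Constant) and isinstance(const.value, str):
                for pattern in FILE_PATTERNS:
                    if fnmatch.fnmatchcase(const.value, pattern):
                        return pattern
    return None

class SensitiveFileEncryptionDetector(ast.NodeVisitor):
    # taint tracking through assignments and for-loops, in one flat scope for brevity
    def __init__(self):
        self.tainted = {}  # variable name -> (pattern, source line)
        self.findings = []

    def taint_in(self, node):
        for sub in ast.walk(node):
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return self.tainted[sub.id]
        return None

    def propagate(self, target, value):
        # Names bound from `value` inherit its taint; a clean value clears stale taint.
        record = self.taint_in(value)
        if isinstance(value, ast.Call):
            name = dotted_name(value.func) or ""
            if name in NEUTRALIZATIONS:
                record = None  # a configured neutralizer breaks the flow
            elif name.rsplit(".", 1)[-1] in ENUMERATION_CALLS and sensitive_pattern(value):
                record = (sensitive_pattern(value), value.lineno)
        for node in ast.walk(target):
            if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
                if record:
                    self.tainted[node.id] = record
                else:
                    self.tainted.pop(node.id, None)

    def visit_Assign(self, node):
        self.visit(node.value)  # report sinks inside the right-hand side first
        for target in node.targets:
            self.propagate(target, node.value)

    def visit_For(self, node):
        self.visit(node.iter)
        self.propagate(node.target, node.iter)
        for stmt in node.body + node.orelse:
            self.visit(stmt)

    def visit_Call(self, node):
        name = dotted_name(node.func) or ""
        method = name.rsplit(".", 1)[-1]
        # An extension filter such as name.endswith(".docx") also marks its receiver as a source.
        if (method == "endswith" and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name) and sensitive_pattern(node)):
            self.tainted[node.func.value.id] = (sensitive_pattern(node), node.lineno)
        if method in ENCRYPTION_CALLS:
            record = next((r for r in map(self.taint_in, node.args) if r), None)
            if record:
                self.findings.append(Finding(record[0], record[1], name, node.lineno))
        self.generic_visit(node)

def scan(source):
    detector = SensitiveFileEncryptionDetector()
    detector.visit(ast.parse(source))
    return detector.findings

# Constructed input, parsed only: an encrypted-backup routine that the rule would flag.
SAMPLE = '''
def backup(key, root):
    f = Fernet(key)
    for path in glob.glob(os.path.join(root, "*.docx")):
        blob = f.encrypt(open(path, "rb").read())
        store(path, blob)
'''

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.pattern} files enumerated on line {hit.source_line} reach {hit.sink}() on line {hit.sink_line}")
```

Running the block reports the `*.docx` enumeration on line 4 of `SAMPLE` reaching `f.encrypt()` on line 5. The sample is deliberately a legitimate-looking encrypted backup: the rule cannot tell intent from shape, which is why the `neutralizations` parameter exists to whitelist known-good flows, and why it is empty by default for code that may be malicious.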