Last week, the WannaCry ransomware had a wild outbreak and ransomware has been a hot topic in the news ever since. A couple of weeks ago, I developed the idea to create a program which monitors your filesystem and limits the damage as much as possible after an infection. The idea is simple yet effective for all types of users, regardless of whether you use Capricorn on a server or on a personal computer.
After researching ransomware through leaked source code, I came to the conclusion that hooking the kernel's file-operation functions would be the best option, but also the hardest. Since I have little to no experience in C or in hooking, I decided to use Java instead. That was not the only reason for choosing Java, though. Most ransomware nowadays is written for Windows, while ransomware on Linux is mostly uncharted territory. With Java I could write a single program that works on both Windows and Linux distributions and does not require administrator/root privileges. That is an advantage for the user, because it can be installed and run without administrator access, while it still increases the chances of stopping the ransomware before any, or all, of your files are encrypted. The flip side is that anything running as the same user, including the ransomware itself, can also terminate an unprivileged watcher.
How Capricorn works, and its rules
The inner workings of Capricorn are fairly simple: if a file is created, modified or deleted in one of the honeypot directories, the system is shut down immediately. Regardless of what is open on the computer, the shutdown commences. The chance that a couple of open files get corrupted by the hard shutdown is a smaller loss than the extra time the ransomware would otherwise get to encrypt more files.
The honeypot folders are placed at multiple locations under the name ‘A’, so they sort to the top of a directory listing and are reached first by ransomware that walks directories alphabetically. Note that this holds for directory enumeration on NTFS, which returns entries sorted by name; on ext4 the raw readdir order is hash-based, so the ordering is not guaranteed there. The first rule for a user is to never touch this folder or anything in it.
The second, and last, rule only matters if Capricorn has triggered its shutdown mechanism. Ransomware sometimes adds itself to the startup entries of the computer and will continue encrypting files as soon as the system is booted again. To prevent this, the user should boot from a live CD/USB and back up every file of importance before the installed system is started again. Users who lack the knowledge to do this should ask a local repair shop, a friend or a family member who can complete the process.
Initial development problems
Using Java’s built-in filesystem watcher, a continuous loop was no problem on Windows. On Linux distributions, however, the same loop did not receive pushed notifications the way it did on Windows and kept spinning, using about 90% CPU by default in my Ubuntu VM, which is anything but helpful for the user. Letting the application sleep for 50 milliseconds before polling again brought the CPU usage down to less than 1%, which is acceptable for a program that runs continuously. Currently, Capricorn uses only 0.3% in the Ubuntu test VM. During the first few minutes after start-up the CPU usage decreases until it becomes stable.
More efficiency problems
Using the SageCrypt ransomware (see the file information at the bottom of this post) in a Windows 10 VM, roughly 3,500 honeypot files were encrypted on the first try. In later tests the efficiency was improved and the number of encrypted honeypot files dropped to roughly 400. Adding a check for whether the OS is Windows brought the number down further: only 122 honeypot files were encrypted. In every test the buffer of 5,000 honeypot files was enough: all the real files placed in the user folders, which would normally have been encrypted, were saved.
The honeypot files are currently 120 bytes each. Increasing this size should reduce the number of honeypot files that get encrypted before the shutdown, since each file then takes the ransomware longer to process. This will be tested in future beta versions.
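To make the mechanism from the sections above concrete (honeypot directories, the "any event means shutdown" rule, the 50 ms polling interval, and a buffer of 5,000 files of 120 bytes), here is a minimal watcher written for this post as an added example; it is not Capricorn's own code. The honeypot locations (a folder named "A" in the home directory and in Documents), the file names and the shutdown commands are assumptions. Instead of a sleep followed by a bare poll(), it uses WatchService.poll with a 50 ms timeout, which waits for an event and returns null if nothing happened within that time, so the loop does not spin on either platform.

```java
import java.io.IOException;
import java.nio.file.*;
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.TimeUnit;

import static java.nio.file.StandardWatchEventKinds.*;

/** Honeypot-directory watcher in the spirit of Capricorn (example code, not the project's own). */
public class HoneypotWatcher {
    static final int HONEYPOT_FILES = 5000;   // buffer size mentioned in the post
    static final int HONEYPOT_BYTES = 120;    // current honeypot file size from the post
    static final long POLL_TIMEOUT_MS = 50;   // the post's 50 ms interval

    // Assumed locations: a folder named "A" directly in the user's home and in Documents.
    static List<Path> honeypotDirs() {
        Path home = Paths.get(System.getProperty("user.home"));
        return Arrays.asList(home.resolve("A"), home.resolve("Documents").resolve("A"));
    }

    /** Fill a honeypot directory with small random files; files that already exist are left alone. */
    static int seedHoneypot(Path dir, int count, int size) throws IOException {
        Files.createDirectories(dir);
        SecureRandom rnd = new SecureRandom();
        byte[] buf = new byte[size];
        int created = 0;
        for (int i = 0; i < count; i++) {
            Path f = dir.resolve(String.format("%05d.txt", i)); // name and extension are an assumption
            if (Files.exists(f)) continue;
            rnd.nextBytes(buf);
            Files.write(f, buf);
            created++;
        }
        return created;
    }

    /** Power the machine off. Windows: forced shutdown. Linux: the shutdown command. */
    static void emergencyShutdown(Path trigger, String reason) throws IOException {
        System.err.println("Honeypot touched (" + reason + "): " + trigger + " - shutting down");
        boolean windows = System.getProperty("os.name").toLowerCase(Locale.ROOT).startsWith("windows");
        String[] cmd = windows
                ? new String[] {"shutdown", "/s", "/f", "/t", "0"}
                : new String[] {"shutdown", "-h", "now"}; // unprivileged use depends on polkit/sudo policy
        new ProcessBuilder(cmd).inheritIO().start();
        System.exit(1);
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        WatchService watcher = FileSystems.getDefault().newWatchService();
        Map<WatchKey, Path> keys = new HashMap<>();
        for (Path dir : honeypotDirs()) {
            // Seed before registering, so that creating the honeypot files does not itself trigger a shutdown.
            seedHoneypot(dir, HONEYPOT_FILES, HONEYPOT_BYTES);
            keys.put(dir.register(watcher, ENTRY_CREATE, ENTRY_MODIFY, ENTRY_DELETE), dir);
        }
        System.out.println("Watching " + keys.size() + " honeypot directories");

        while (true) {
            // Waits up to 50 ms for an event and returns null if none arrived, so the loop does not spin.
            // A bare poll() would return immediately and busy-loop; take() would block without a timeout.
            WatchKey key = watcher.poll(POLL_TIMEOUT_MS, TimeUnit.MILLISECONDS);
            if (key == null) continue;
            Path dir = keys.get(key);
            for (WatchEvent<?> ev : key.pollEvents()) {
                Path ctx = (Path) ev.context();                 // null for an OVERFLOW event
                Path changed = ctx == null ? dir : dir.resolve(ctx);
                emergencyShutdown(changed, ev.kind().name());   // any event in a honeypot is a trigger
            }
            if (!key.reset()) emergencyShutdown(dir, "DIRECTORY_GONE"); // the honeypot directory itself vanished
        }
    }
}
```

Compile with javac and run with java; because any change under a honeypot directory powers the machine off, try it only in a VM. On Linux, whether an unprivileged user may run shutdown depends on the distribution's polkit or sudo configuration, which is the main practical limit of the no-root approach on that platform.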
Capricorn, like any program I release, has no fixed release date and will be open source. Anyone can contribute to the program or compile their own version. Questions or suggestions can always be e-mailed to info[at]maxkersten[dot]nl.
File information regarding SageCrypt
File: Sage Crypt.pdf.exe
File size: 370 KB (379.136 bytes)
MD5 checksum: 7C02EC22D4D847F0AB43F114BE43F069
SHA1 checksum: E6FB9BF2E56AE44FADD1E739BE771090F2FBE372