Today marks the day of the first stable release of Capricorn. After brainstorming about it for a couple of weeks, I gave the program a complete overhaul in a three-day programming streak. The layout of the application has changed quite drastically, which paved the way for multiple functions I wanted to implement a while ago. The new functions are underlined in the explanation below.
In the previous version, Capricorn recreated the honeypot folders and files every time it was started. Splitting the installation and the guarding functionality solved this problem. Uninstalling the program is fairly easy: remove the JAR and you’ve successfully removed Capricorn from your computer. Or did you? The honeypot folders are still there, filled with the honeypot files.
Upon creating a remove function, I had the basics down. Yet there were still options I wished I had had whilst testing the program. Scanning the honeypot folders for a file extension provided by the user was helpful in determining the number of encrypted files in the honeypots.
After a ransomware attack is prevented, the honeypots have lost some of their files. To renew the honeypots, I made a repair function, which uses the uninstall and install functionality to remove the remaining files and fill the folders with new ones.
For me, the locations of the honeypot folders are known, and they are visible in the source code as well. But for the average user, I created an option to view the location of these folders. Simply use the status parameter to view which folders are on the monitor list.
Creating the honeypot
The honeypots are filled with a lot of files. The number of files differs per release of Capricorn, as it is ten times the number of extensions that are used during the set-up. Based on my own computer, I used a script to find all the extensions of the files that were on my drive. The script was written by Luc Gommans. I processed the result of the script to only include file extensions that were shorter than 6 characters (including the dot). This resulted in 559 unique extensions, which include all of the common file types.
To increase the chance that ransomware encrypts files in the honeypot, I used as many extensions as possible. Using my own computer as a source, I am certain I included the most common file types.
The files should, obviously, contain data. In the first version, the data was the same line of text in every file. It contained the name of the program and several words such as ‘test file’ and ‘do not remove’. Although ransomware often does not check whether a file contains such words, there are versions that do. To prevent this, I used the top 500 words and top 100 verbs of the English language from this website. Although I have not checked whether these words are factually the most common, they are rather common to say the least. Using these lists, I got a list of 538 words. Each file in the honeypot is filled with a random number of words, between 1 and 1000, taken at random from the list. This makes it nearly impossible for ransomware to detect, based on the content, whether a file is a test file or not.
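To make the install, scan, uninstall and repair functions described above concrete, here is an added Java illustration of the same steps. It is not Capricorn's own source code: the extension list and word list are tiny constructed stand-ins for the 559-extension and 538-word lists the post uses, the honeypot location is an assumed path passed on the command line, and the `discoverExtensions` method only mirrors what the post says the extension-gathering script did (collect unique extensions shorter than 6 characters including the dot).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.ThreadLocalRandom;
import java.util.stream.Stream;

// Added example, not Capricorn's code. Lists below are constructed stand-ins.
public class HoneypotExample {

    // Constructed stand-in for the post's 559 extensions (each shorter than 6 chars incl. dot).
    static final List<String> EXTENSIONS = List.of(".txt", ".doc", ".jpg", ".pdf", ".xls");

    // Constructed stand-in for the post's 538-word list (common English words and verbs).
    static final List<String> WORDS = List.of("the", "be", "to", "of", "and", "have", "in", "that", "make", "take");

    static final int FILES_PER_EXTENSION = 10;   // post: ten times the number of extensions
    static final int MIN_WORDS = 1;
    static final int MAX_WORDS = 1000;

    /** Collect unique extensions under root whose length (dot included) is below maxLen, as the post's script did. */
    static Set<String> discoverExtensions(Path root, int maxLen) throws IOException {
        Set<String> found = new TreeSet<>();
        try (Stream<Path> walk = Files.walk(root)) {
            walk.filter(Files::isRegularFile).forEach(p -> {
                String name = p.getFileName().toString();
                int dot = name.lastIndexOf('.');
                if (dot > 0 && name.length() - dot < maxLen) found.add(name.substring(dot));
            });
        }
        return found;
    }

    /** Install step: fill dir with FILES_PER_EXTENSION files per extension, each holding 1..1000 random words. */
    static int install(Path dir) throws IOException {
        Files.createDirectories(dir);
        ThreadLocalRandom rnd = ThreadLocalRandom.current();
        int created = 0;
        for (String ext : EXTENSIONS) {
            for (int i = 0; i < FILES_PER_EXTENSION; i++) {
                int count = rnd.nextInt(MIN_WORDS, MAX_WORDS + 1);   // random word count, inclusive bounds
                StringBuilder body = new StringBuilder();
                for (int w = 0; w < count; w++) {
                    body.append(WORDS.get(rnd.nextInt(WORDS.size()))).append(' ');
                }
                Files.writeString(dir.resolve("file" + i + ext), body.toString().trim(), StandardCharsets.UTF_8);
                created++;
            }
        }
        return created;
    }

    /** Scan step: count files in dir that end with the user-supplied extension (e.g. the one ransomware appends). */
    static long scan(Path dir, String ext) throws IOException {
        try (Stream<Path> files = Files.list(dir)) {
            return files.filter(p -> p.getFileName().toString().endsWith(ext)).count();
        }
    }

    /** Uninstall step: delete every honeypot file and then the folder itself. */
    static void uninstall(Path dir) throws IOException {
        if (!Files.exists(dir)) return;
        try (Stream<Path> files = Files.list(dir)) {
            for (Path p : (Iterable<Path>) files::iterator) Files.delete(p);
        }
        Files.delete(dir);
    }

    /** Repair step: uninstall followed by install, as the post describes it. */
    static int repair(Path dir) throws IOException {
        uninstall(dir);
        return install(dir);
    }

    public static void main(String[] args) throws IOException {
        Path dir = Paths.get(args.length > 0 ? args[0] : "honeypot-demo");   // assumed honeypot location
        System.out.println("installed " + install(dir) + " files");
        System.out.println("extensions present: " + discoverExtensions(dir, 6));
        System.out.println(".txt files in honeypot: " + scan(dir, ".txt"));
        System.out.println("repaired, honeypot now holds " + repair(dir) + " files");
    }
}
```

Run it with `java HoneypotExample /tmp/honeypot-demo` (Java 11 or newer). After an attack, calling `scan` with the extension the ransomware appends gives the count of encrypted honeypot files that the post reports, and `repair` restores the folder to a fresh state.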
In the coming time, I will use other samples than the SageCrypt sample (more information below) to test what the results are. Using the latest version, I averaged down to 70 encrypted honeypot files, significantly lower than in the older version.
In another blog, I will write a tutorial on how to use Capricorn on both Windows and Linux. Capricorn does not support Mac OS X for a reason: one needs administrative permissions to shut the machine down. I might look at this later, but I will not prioritise this.
To use this version on Windows without too much explanation: run the JAR with ‘java -jar /path/to/the/JAR’ on any user account (administrator or not). The help menu of the application should provide the needed information. To start using the application right away, first use the parameter “-install”. After the installation is finished, use “-guard” to monitor the system. After that, you’re protected by Capricorn.
Linux requires two additional steps before the instructions above are executed. The user has to make the folder /A using sudo mkdir /A. After that, the permissions need to be set using sudo chmod 777 /A. Capricorn should NOT be run as root unless the whole system uses root (such as Kali Linux). Doing so will cause the program to malfunction.
The source code will be published in the coming days on this repository on my GitHub account. The Capricorn main page on the website will be renewed with the current information and will include the tutorial.
File information regarding SageCrypt
File: Sage Crypt.pdf.exe
File size: 370 KB (379.136 bytes)
MD5 checksum: 7C02EC22D4D847F0AB43F114BE43F069
SHA1 checksum: E6FB9BF2E56AE44FADD1E739BE771090F2FBE372