Avoiding a ransomware outbreak with Capricorn

For those who missed my initial blog post about Capricorn, I'll give a short recap of the program and its functionality. Capricorn creates folders and files on the computer. These files are monitored, and a change to any of them triggers Capricorn to commence a shutdown, regardless of which files are open on the computer. These folders are called honeypot folders, because ransomware is likely to encrypt the files in them.

After the computer is shut down, the user should use a live boot, such as a Linux distribution, to back up important files. When the computer is properly booted again, there is a log on the desktop which contains the location of the files in the honeypot folders that have been encrypted, together with a timestamp of the event. Afterwards, one can use the "-scan" option to scan for encrypted files in the honeypot folders. The honeypot concept worked great during the development of the first stable version, but how would it perform when I used malware samples that have been used in the wild?

Testing Capricorn with actual malware
When testing the first stable release of Capricorn with malware samples that have been spotted in the wild, I wanted to see how effective this approach would be. The hashes of the tested samples are shared in the last part of this blog.

None of the malware samples that I tested were able to encrypt anything outside the honeypot folders. From previous testing, the number of encrypted files in the honeypots using the same sample can differ by a couple of hundred files each time the sample is executed.
The single exception to this is WannaCry, which did not browse down the user's home directory into the Documents, Downloads and similar folders. WannaCry was started from the Desktop folder on the test machine. Yet, it only managed to encrypt two files outside the honeypot folders. Needless to say, this is significantly less than without the usage of Capricorn. The explanation for this is rather simple: WannaCry also encrypts files in the folder it was started from.

The test environment
In the laboratory, I tested the ransomware samples on an unpatched Windows 10 system. Windows Defender was completely disabled during the testing, and the internet adapter of the virtual machine was neither connected nor plugged in, to prevent a sample from spreading.
On this system, I placed multiple files containing the text 'MY GRADES ARE GETTING WORSE AND WORSE. WHAT DO I DO?'. The text is bold, italic and underlined, because this causes the rich text file (RTF) to contain more than just the text. By using the same text in the emulated user files, I avoided any 'lorem ipsum' checks that the ransomware might do, but also made it easy for me to see if anything changed in a file without having to dig deep into the possible changes.
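The mechanism from the recap (hash the honeypot files, trip on any change, log path and timestamp, scan afterwards for the ransomware's extension) and the formatted RTF decoys from this test environment, written out as an added example. This is not Capricorn's own code; the folder and log names, the polling interval, the shutdown commands and the exact RTF control words are my assumptions, and the "attack" in `run_demo` is a constructed encrypt-write-delete of one decoy.

```python
"""Honeypot-folder tripwire in the spirit of Capricorn (added example, not
Capricorn's own code).  Assumed, not taken from the post: the folder and log
names, the polling interval, the shutdown commands and the RTF control words."""
import hashlib
import os
import tempfile
import time
from datetime import datetime
from pathlib import Path
from typing import Callable, Dict, List, Optional

# The decoy sentence from the post, wrapped so the file carries formatting
# (\b bold, \i italic, \ul underline) and is not a bare text file.
DECOY_TEXT = "MY GRADES ARE GETTING WORSE AND WORSE. WHAT DO I DO?"
DECOY_RTF = (r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\f0\fs22 "
             r"\b\i\ul " + DECOY_TEXT + r"\ul0\i0\b0\par}")


def create_honeypot(root: Path, count: int = 100) -> List[Path]:
    """Fill a honeypot folder with identical decoy RTF documents."""
    root.mkdir(parents=True, exist_ok=True)
    paths = [root / f"document_{i:04d}.rtf" for i in range(count)]
    for p in paths:
        p.write_text(DECOY_RTF, encoding="ascii")
    return paths


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


class HoneypotMonitor:
    """Records a hash of every honeypot file, then polls for any deviation."""

    def __init__(self, root: Path, log_path: Path) -> None:
        self.root, self.log_path = root, log_path
        self.known: Dict[Path, str] = {p: sha256_of(p)
                                       for p in root.rglob("*") if p.is_file()}

    def changes(self) -> List[str]:
        """Modified, removed/renamed, or newly written files: any of these is
        what a ransomware encrypt-write-delete cycle leaves behind."""
        events = []
        for p, digest in self.known.items():
            if not p.exists():
                events.append(f"missing {p}")
            elif sha256_of(p) != digest:
                events.append(f"modified {p}")
        events += [f"new {p}" for p in self.root.rglob("*")
                   if p.is_file() and p not in self.known]
        return events

    def log(self, events: List[str]) -> None:
        """Append path and timestamp of each event, like the desktop log."""
        stamp = datetime.now().isoformat(timespec="seconds")
        with self.log_path.open("a", encoding="utf-8") as fh:
            fh.writelines(f"{stamp} {e}\n" for e in events)

    def watch(self, on_trigger: Callable[[List[str]], None],
              interval: float = 0.5, max_polls: Optional[int] = None) -> bool:
        """Poll until a change is seen; log it, fire the trigger, report True."""
        polls = 0
        while max_polls is None or polls < max_polls:
            events = self.changes()
            if events:
                self.log(events)
                on_trigger(events)
                return True
            polls += 1
            time.sleep(interval)
        return False


def scan_encrypted(root: Path, extension: str) -> List[Path]:
    """The '-scan' idea: honeypot files now carrying the ransomware's extension."""
    return sorted(p for p in root.rglob(f"*{extension}") if p.is_file())


def shutdown_now(events: List[str]) -> None:
    """Real trigger: immediate forced shutdown (commands are my assumption)."""
    cmd = "shutdown /s /f /t 0" if os.name == "nt" else "shutdown -h now"
    os.system(cmd)


def run_demo(base: Optional[Path] = None) -> dict:
    """Constructed scenario: plant 20 decoys, 'encrypt' one the way most
    samples do (write ciphertext under a new name, delete the original),
    and use a recording callback instead of shutdown_now."""
    base = base or Path(tempfile.mkdtemp())
    root, log = base / "honeypot", base / "capricorn.log"
    files = create_honeypot(root, count=20)
    monitor = HoneypotMonitor(root, log)
    victim = files[3]
    victim.with_name(victim.name + ".locked").write_bytes(os.urandom(64))
    victim.unlink()
    seen: List[List[str]] = []
    triggered = monitor.watch(seen.append, interval=0, max_polls=1)
    return {"triggered": triggered, "events": seen[0] if seen else [],
            "scan": scan_encrypted(root, ".locked"),
            "log_lines": log.read_text(encoding="utf-8").splitlines()}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

To arm it for real, pass `shutdown_now` as the trigger and leave `max_polls` at `None`. Polling hashes is deliberately simple; the detection only fires on files inside the honeypot folder, so anything that never touches those files, as the Petya case later in this post shows, goes unnoticed.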

Reproducibility
The execution and aftermath of every sample I executed has been recorded and can be viewed here. The set-up and settings of the VM, as well as the sample itself, are known, so anyone can reproduce the results as they are shown in the videos. If you've got additional samples you want to test, feel free to do so; I'd love to see the results.

Impact on the user
After the ransomware executed, got detected and the system was shut down, I booted the virtual machine. In the log, which is located in the desktop folder, one can view the changes that were detected, together with a time and date stamp. After checking the log, I ran the "-scan" option of Capricorn with the encrypted extension to detect the number of encrypted files in the honeypots. In some videos the scanning is done within seconds, even though there are more than 40,000 files in the folders. This is because of caching: it wasn't the first time I executed the search function, since I had already run it in a previous take of the recording but made a mistake somewhere else in the video.

In conclusion, the impact on the user is minimal. Generally, no files were lost besides the two files that were encrypted by WannaCry. Using the "-repair" function after the system booted, the user could have proceeded with their day-to-day tasks. Servers filled with users' files would have rebooted and would be safe again. Although it is hard to say, a global ransomware outbreak of these tested samples would have been prevented using Capricorn.
This does not mean that a future version of these samples is not able to encrypt user files. Additionally, I tested the Petya ransomware (not the one used in the global outbreak called NotPetya, but the older version) as well, and there was no success in blocking this attack. The approach of Petya is completely different and does not encrypt anything in the honeypot folders, as it rewrites the master boot record (MBR) and then causes the machine to blue screen, which forces a reboot. Since the detection relies on honeypot files being touched, anything that works below the file system in this way is outside what the approach can see.

Future development
Currently, I am investigating how to speed up the shutdown process. One idea is to force a Blue Screen of Death (BSoD) to shut the computer down instantly. Another improvement would be to add headers to the honeypot files, which would make it even harder for ransomware to distinguish my honeypot files from actual files on the user's computer.

Community feedback
If you've got feedback, suggestions, samples or anything related to this subject to share with me, feel free to e-mail me at [info][at][maxkersten][dot][nl]. Additional videos of users who test samples and record it will be mirrored on my YouTube channel after I have verified the test.

Samples
Jigsaw
MD5: 2773e3dc59472296cb0024ba7715a64e
SHA1: 27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256: 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
ssdeep: 6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX
VT: https://www.virustotal.com/en/file/3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7/analysis/

SAGE2
MD5: 4f9877cf03bddb5ca21e1436349d7e1e
SHA1: 8de9746282db0788df7fe6e5d35c0cf0671b47c7
SHA256: 65258bc65d114e5736d34b7a23bbd563fe4cec888ecc80259d072ed7aa37cfb2
ssdeep: 6144:JCCJZXwNx3AbsHLEALsM5eGsk8TdwZbIYa94g5/KcDE9iId4h0:JCouHwwf5eFxTdwZbIJ94QkAIG0
VT: https://www.virustotal.com/en/file/65258bc65d114e5736d34b7a23bbd563fe4cec888ecc80259d072ed7aa37cfb2/analysis/

SageCrypt
MD5: 7c02ec22d4d847f0ab43f114be43f069
SHA1: e6fb9bf2e56ae44fadd1e739be771090f2fbe372
SHA256: 7014a509880275960ddaed2cd97bef33de24cd63146232454e77b6a95d5bae26
ssdeep: 6144:57OgrFXMWkC9TPP1vldtHWXazMJGEDWV3E7eXVajh4Sw3BfODaH:57Og5XMWNpldtqazMIESV3rXV39OD
VT: https://www.virustotal.com/en/file/7014a509880275960ddaed2cd97bef33de24cd63146232454e77b6a95d5bae26/analysis/

TeslaCrypt
MD5: 209a288c68207d57e0ce6e60ebf60729
SHA1: e654d39cd13414b5151e8cf0d8f5b166dddd45cb
SHA256: 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
ssdeep: 3072:rYXT8PUsMNL8V4tD2My/JAAbQoM29wlV58lbNnolY7VgsYiVTPtiTu/q:rowUsML8g2j0o9wb0bNoaKsYImui
VT: https://www.virustotal.com/en/file/3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370/analysis/

Vipasana
MD5: 2aea3b217e6a3d08ef684594192cafc8
SHA1: 3a0b855dd052b2cdc6453f6cbdb858c7b55762b0
SHA256: 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab
ssdeep: 6144:oRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYlG8+rNfNQFoQGt485VY:uDRbXFHW1+K2UWBGIymY/+rheFOv
VT: https://www.virustotal.com/en/file/0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab/analysis/

WannaCry
MD5: 2b4e8612d9f8cdcf520a8b2e42779ffa
SHA1: ae7113dd9a65a7be186d1982b02e16decda7eb80
SHA256: d8a9879a99ac7b12e63e6bcae7f965fbf1b63d892a8649ab1d6b08ce711f7127
ssdeep: 98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3R:QqPe1Cxcxk3ZAEUadzR8yc4gB
VT: https://www.virustotal.com/en/file/d8a9879a99ac7b12e63e6bcae7f965fbf1b63d892a8649ab1d6b08ce711f7127/analysis/

Win32Dircrypt
MD5: 04eacd2031de21c56ccec496e1b5ed68
SHA1: 11fb52c96853e12f011b7b7894e9884e56eb5522
SHA256: e908284c087983e3b9f3a3b828f1a3812bfe0e77694b9ef943c0e5c90eb747bb
ssdeep: 6144:H8CL0LckC2bYXES5c+rvM10d+dDJPDCWpKrSgBoreMDLu2zbgVn9Sr/WIInBt5op:cA0LK/5c3aqPiTebDLuibinIrwBtTE
VT: https://www.virustotal.com/en/file/e908284c087983e3b9f3a3b828f1a3812bfe0e77694b9ef943c0e5c90eb747bb/analysis/

ZeroLocker
MD5: bd0a3c308a6d3372817a474b7c653097
SHA1: 5ed36132872be3d5d94627b89f15a7369f68fba1
SHA256: d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa
ssdeep: 6144:tYcn3ge+gqzsSALff2TRLz1lTl8TFPUW+8sSZJMidVmXmVcXHU:ttQe+PzsfX2Tpz1daaWnVIgcE
VT: https://www.virustotal.com/en/file/d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa/analysis/