In the week of 8 May 2017, the WannaCry ransomware worm broke out in the wild, with media coverage all around the globe. A couple of weeks before this event, I had developed the idea of a program that limits the damage as much as possible after an infection. The idea is simple yet effective for all types of users, regardless of whether you run Capricorn on a server or on a personal computer: if ransomware is detected, the computer is shut down.
After researching ransomware via leaked source code, I came to the conclusion that hooking the kernel's file-operation functions would be the best way to detect ransomware, but also the hardest. Since I have little to no experience in C or in hooking, I decided to use Java instead.
Yet this was not the only reason I chose Java. Most ransomware nowadays is written for the Windows platform, while ransomware on Linux is mostly uncharted territory. Using Java, I could write a single program that works on both Windows and Linux distributions and does not require administrator/root privileges to run. Hooking is possible on every OS, but the code to do it differs per OS. The limited privilege required at runtime is an advantage for the user: the program can be installed and used on a computer without administrator access, while it still increases the chances of stopping the ransomware before any, or all, of your files are encrypted. One thing to verify on Linux is that the shutdown command itself works for the account Capricorn runs under: a standard Windows user can request a shutdown, but on Linux, shutting down from an unprivileged account normally needs root or a polkit-authorised local session.
How Capricorn works, and its rules
The inner workings of Capricorn are fairly simple: if a file is created, modified or deleted in one of the honeypot directories, the system comes to a grinding halt. Regardless of what is open on the computer, the shutdown will commence. The risk that a couple of open files get corrupted by the abrupt shutdown does not outweigh the extra time the ransomware would otherwise get to encrypt more files.
The honeypot folders are placed at multiple locations, each named 'A', so that they sort to the top of the directory listing. The first rule for a user is never to touch these folders or anything in them.
The second, and last, rule only applies once Capricorn has triggered its shutdown mechanism. Ransomware sometimes adds itself to the boot sequence of the computer and will continue encrypting files when the system is started again. To prevent this, boot from a live CD/USB and back up every file of importance before the installed system is booted again. If the user lacks the knowledge to do this, a local repair shop, a friend or a family member who can complete the process should be called in.
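The mechanism described above, as an added illustration written for this page rather than Capricorn's own code: a Java watcher that registers every directory under the given honeypot folders with a WatchService and, on the first create, modify or delete event, runs the platform's shutdown command. The class name, the --dry-run flag and the exact shutdown arguments are this example's own choices.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.FileVisitResult;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.SimpleFileVisitor;
import java.nio.file.WatchEvent;
import java.nio.file.WatchKey;
import java.nio.file.WatchService;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.ArrayList;
import java.util.List;

import static java.nio.file.StandardWatchEventKinds.ENTRY_CREATE;
import static java.nio.file.StandardWatchEventKinds.ENTRY_DELETE;
import static java.nio.file.StandardWatchEventKinds.ENTRY_MODIFY;
import static java.nio.file.StandardWatchEventKinds.OVERFLOW;

/**
 * Illustrative honeypot watcher (example code, not Capricorn's own): any create,
 * modify or delete event anywhere under a honeypot directory triggers a shutdown.
 */
public class HoneypotWatcher {

    private final WatchService watcher;
    private final boolean dryRun;

    public HoneypotWatcher(List<Path> honeypots, boolean dryRun) throws IOException {
        this.watcher = FileSystems.getDefault().newWatchService();
        this.dryRun = dryRun;
        for (Path root : honeypots) {
            registerTree(root);
        }
    }

    /** A WatchKey covers a single directory, so every sub-directory is registered as well. */
    private void registerTree(Path root) throws IOException {
        Files.walkFileTree(root, new SimpleFileVisitor<Path>() {
            @Override
            public FileVisitResult preVisitDirectory(Path dir, BasicFileAttributes attrs) throws IOException {
                dir.register(watcher, ENTRY_CREATE, ENTRY_MODIFY, ENTRY_DELETE);
                return FileVisitResult.CONTINUE;
            }
        });
    }

    /** Blocks until the first event. There is deliberately no filtering: nothing legitimate ever writes here. */
    public void run() throws InterruptedException {
        WatchKey key = watcher.take();
        Path dir = (Path) key.watchable();
        for (WatchEvent<?> event : key.pollEvents()) {
            // OVERFLOW carries no context, but it still means something happened in the honeypot.
            String what = event.kind() == OVERFLOW
                    ? "(event queue overflow)"
                    : dir.resolve((Path) event.context()).toString();
            System.err.println("Honeypot touched: " + event.kind().name() + " " + what);
        }
        haltSystem();
    }

    private void haltSystem() {
        String os = System.getProperty("os.name").toLowerCase();
        // /f closes open applications without asking; on Linux the command usually needs
        // root or a polkit-authorised session, so test it for the account that runs this.
        String[] cmd = os.contains("win")
                ? new String[] {"shutdown", "/s", "/f", "/t", "0"}
                : new String[] {"shutdown", "-h", "now"};
        if (dryRun) {
            System.err.println("dry run: would execute " + String.join(" ", cmd));
            return;
        }
        try {
            new ProcessBuilder(cmd).inheritIO().start();
        } catch (IOException e) {
            System.err.println("shutdown command failed: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java HoneypotWatcher [--dry-run] <honeypot dir> [<honeypot dir> ...]
        boolean dryRun = false;
        List<Path> honeypots = new ArrayList<>();
        for (String arg : args) {
            if (arg.equals("--dry-run")) dryRun = true;
            else honeypots.add(Paths.get(arg));
        }
        if (honeypots.isEmpty()) {
            System.err.println("usage: java HoneypotWatcher [--dry-run] <honeypot dir>...");
            System.exit(2);
        }
        new HoneypotWatcher(honeypots, dryRun).run();
    }
}
```

Run it once with --dry-run, then create or rename a file inside one of the watched folders: the event should be printed and the command that would have been executed shown, which is the check that the folders are really being watched before arming the real shutdown. Sub-directories created after start-up are not registered, but that does not matter here, because the creation itself is already a trigger.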
A complete tutorial on how to use Capricorn can be found here.
The honeypots on the system are filled with a couple of thousand files with different extensions, to raise the chance that the ransomware encrypts some of them when it selects files by extension. How early the trigger fires depends on the order in which the ransomware walks the file system: if it encrypts the files in the root of a folder before moving into its sub-folders, a few files may already be encrypted before the walk reaches the honeypot; but directories are quite often encrypted from bottom to top, in which case the honeypot's files are hit first, making Capricorn even more effective.
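The decoy layout described above, as an added example that is not Capricorn's own code: a seeder that creates a folder named A (with nested A sub-folders, so the honeypot sorts first at every level) and fills each level with non-empty files carrying a spread of document, image and archive extensions, so that both a top-down and a bottom-up walker meet decoys early. The extension list, file counts and sizes are constructed for this example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Random;

/**
 * Illustrative honeypot seeder (example code, not Capricorn's own): creates <parent>/A with
 * decoy files of many extensions, nested a few levels deep, each level again named "A".
 */
public class HoneypotSeeder {

    /** Constructed sample list of extensions ransomware families commonly target; extend as needed. */
    static final String[] EXTENSIONS = {
        "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "rtf", "odt",
        "jpg", "png", "gif", "mp3", "mp4", "zip", "rar", "sql", "db", "psd"
    };

    /** Creates <parent>/A and returns the number of decoy files written. */
    public static int seed(Path parent, int filesPerDir, int depth, long seed) throws IOException {
        return seedDir(parent.resolve("A"), filesPerDir, depth, new Random(seed));
    }

    private static int seedDir(Path dir, int filesPerDir, int depth, Random rnd) throws IOException {
        Files.createDirectories(dir);
        int written = 0;
        for (int i = 0; i < filesPerDir; i++) {
            String ext = EXTENSIONS[i % EXTENSIONS.length];
            Path file = dir.resolve(String.format("A%04d.%s", i, ext));
            // Random, non-empty content: the decoys should look like data worth encrypting,
            // not zero-byte placeholders that a size filter could skip.
            byte[] content = new byte[1024 + rnd.nextInt(8192)];
            rnd.nextBytes(content);
            Files.write(file, content);
            written++;
        }
        if (depth > 0) {
            // The sub-folder is also called "A", so it sorts first inside the honeypot as well.
            written += seedDir(dir.resolve("A"), filesPerDir, depth - 1, rnd);
        }
        return written;
    }

    public static void main(String[] args) throws IOException {
        // Usage: java HoneypotSeeder <parent dir> [<parent dir> ...]
        // e.g. the home directory, Documents, Desktop and the root of each data drive.
        if (args.length == 0) {
            System.err.println("usage: java HoneypotSeeder <parent dir>...");
            System.exit(2);
        }
        for (String arg : args) {
            Path parent = Paths.get(arg);
            int n = seed(parent, 100, 3, 42L);
            System.out.println(parent.resolve("A") + ": " + n + " decoy files");
        }
    }
}
```

With 100 files per level and three nested levels, each location gets 400 decoys, so a handful of locations adds up to the couple of thousand files mentioned above. Seed the folders before starting the watcher, not after, since the watcher treats the creation of these files as an attack.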
In testing, Capricorn 1.0 (stable release) successfully blocked the following samples:
The source code and compiled JAR can be found on my GitHub account. Any questions or suggestions can always be e-mailed to [info][at][maxkersten][dot][nl].