Capricorn

In the week of 8 May 2017, the WannaCry ransomware worm broke out on a large scale, with media coverage all around the globe. A couple of weeks before this event, I developed the idea to create a program which limits the damage as much as possible after an infection. The idea is simple yet effective for all types of users, regardless of whether you use Capricorn on a server or a personal computer: if ransomware is detected, the computer is shut down.

After researching ransomware via leaked source code, I came to the conclusion that hooking the kernel's file-operation functions would be the best option to detect ransomware, but also the hardest. Since I have little to no experience in C or in hooking, I decided to use Java instead.

Yet, this was not the only reason why I chose Java. Most ransomware nowadays is written for the Windows platform, but ransomware on Linux is still mostly uncharted territory. Using Java, I could create a program that works on both Windows and Linux distributions and does not require administrator/root privileges. Even though hooking is possible on every OS, the code to do so is different for each OS. The limited privileges required at runtime are an advantage for the user: the program can be installed and run on a computer without administrator access, which increases the chances that it is in place to stop the ransomware before any or all of your files are encrypted.

How Capricorn works, and its rules
The inner workings of Capricorn are fairly simple: if a file is created, modified or deleted in one of the honeypot directories, the system is shut down immediately. Regardless of what is open on the computer, the shutdown will commence. The chance that a couple of open files get corrupted by the abrupt shutdown is outweighed by the time the ransomware would otherwise get to encrypt more files.

The honeypot folders are located at multiple locations and are named 'A', so that they sort to the top of a directory listing and are among the first entries a ransomware encounters when it walks the directory. The first rule for a user is to never touch these folders or anything in them.

The second, and last, rule is only necessary if Capricorn triggers its shutdown mechanism. Sometimes the ransomware adds itself to the start-up sequence of the computer and will continue encrypting files once the system is started again. To prevent this, a user should boot from a live CD/USB and back up every file that is of importance before the installed system is booted again. If the user does not have the knowledge to do this, a local repair shop, a friend or a family member who can complete the process should be called in.

A complete tutorial on how to use Capricorn can be found here.

Honeypotting
The honeypots on the system are filled with a couple of thousand files with different extensions, to raise the chance that the ransomware, which typically selects its targets by extension, encrypts some of the honeypot files. A ransomware that encrypts the files in the root of a folder before moving into its sub-folders puts the files in those sub-folders at risk, because the honeypot only fires once the ransomware reaches it; however, directories are quite often encrypted from the bottom up (deepest sub-folders first), which makes Capricorn even more effective.
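As an added example, and not Capricorn's own Java code, the following Python sketches the two mechanisms described in the last two sections: a honeypot folder named 'A' populated with decoys of many extensions, and a change detector that calls a shutdown action on the first create, modify or delete inside it. The extension list, the decoy counts, the helper names and the simulated attack in `demo()` are assumptions for illustration. Polling is used here to stay portable and privilege-free; the shorter the interval, the fewer files the ransomware can encrypt between its first honeypot hit and the halt.

```python
"""Honeypot tripwire in the style Capricorn describes (added example, not the project's code)."""
import hashlib
import os
import platform
import subprocess
import tempfile
import time
from pathlib import Path

HONEYPOT_NAME = "A"  # sorts ahead of the user's own folders in a directory listing
# Assumed extension list: chosen to overlap with what common ransomware families target.
DECOY_EXTENSIONS = ("txt", "doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "zip", "sql", "db")


def build_honeypot(parent: Path, files_per_ext: int = 200) -> Path:
    """Create <parent>/A and fill it with decoy files of varied extensions (random content)."""
    hp = parent / HONEYPOT_NAME
    hp.mkdir(exist_ok=True)
    for ext in DECOY_EXTENSIONS:
        for i in range(files_per_ext):
            (hp / f"decoy_{i:04d}.{ext}").write_bytes(os.urandom(64))
    return hp


def snapshot(hp: Path) -> dict:
    """Map every file under the honeypot to the SHA-256 of its content."""
    return {str(p): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in hp.rglob("*") if p.is_file()}


def detect_changes(baseline: dict, current: dict) -> list:
    """Return sorted (event, path) pairs for files created, modified or deleted since baseline."""
    events = []
    for path in set(baseline) | set(current):
        if path not in baseline:
            events.append(("created", path))
        elif path not in current:
            events.append(("deleted", path))
        elif baseline[path] != current[path]:
            events.append(("modified", path))
    return sorted(events)


def shutdown_now(events: list) -> None:
    """Halt the machine; whether an unprivileged user may do so depends on local policy
    (SeShutdownPrivilege on Windows, polkit rules for logind on Linux)."""
    system = platform.system()
    if system == "Windows":
        cmd = ["shutdown", "/s", "/f", "/t", "0"]
    elif system == "Linux":
        cmd = ["systemctl", "poweroff"]
    else:
        cmd = ["shutdown", "-h", "now"]
    subprocess.run(cmd, check=False)


def check_once(hp: Path, baseline: dict, on_trigger=shutdown_now) -> list:
    """Compare the honeypot against baseline; on any change call on_trigger(events)."""
    events = detect_changes(baseline, snapshot(hp))
    if events:
        on_trigger(events)
    return events


def watch(hp: Path, interval: float = 0.5, on_trigger=shutdown_now) -> list:
    """Poll until the first change in the honeypot, then trigger and return the events."""
    baseline = snapshot(hp)
    while True:
        time.sleep(interval)
        events = check_once(hp, baseline, on_trigger)
        if events:
            return events


def simulate_ransomware(hp: Path, count: int = 2) -> list:
    """Constructed stand-in for a ransomware: replace `count` decoys with '.locked' copies."""
    victims = sorted(p for p in hp.iterdir() if p.is_file())[:count]
    for p in victims:
        p.with_name(p.name + ".locked").write_bytes(os.urandom(64))
        p.unlink()
    return [str(p) for p in victims]


def demo() -> dict:
    """Build a small honeypot in a temp dir next to fake user folders, then attack it."""
    fired = []
    with tempfile.TemporaryDirectory() as tmp:
        parent = Path(tmp)
        for name in ("Documents", "Pictures", "work"):
            (parent / name).mkdir()
        hp = build_honeypot(parent, files_per_ext=3)
        baseline = snapshot(hp)
        simulate_ransomware(hp, count=2)
        events = check_once(hp, baseline, on_trigger=fired.append)  # record instead of halting
        return {"honeypot_first": sorted(os.listdir(parent))[0] == HONEYPOT_NAME,
                "decoys": len(baseline), "events": events, "triggered": len(fired) == 1}


if __name__ == "__main__":
    print(demo())
```

Running the file executes `demo()` only; to arm a real tripwire, call `watch(build_honeypot(Path.home()))` and let the default `shutdown_now` action fire. Content hashes rather than modification times are compared so that an encryptor that preserves timestamps is still caught.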

In testing, Capricorn 1.0 (stable release) successfully stopped the following samples:
Jigsaw
MD5: 2773e3dc59472296cb0024ba7715a64e
SHA1: 27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256: 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
ssdeep: 6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX
VT: https://www.virustotal.com/en/file/3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7/analysis/

SAGE2
MD5: 4f9877cf03bddb5ca21e1436349d7e1e
SHA1: 8de9746282db0788df7fe6e5d35c0cf0671b47c7
SHA256: 65258bc65d114e5736d34b7a23bbd563fe4cec888ecc80259d072ed7aa37cfb2
ssdeep: 6144:JCCJZXwNx3AbsHLEALsM5eGsk8TdwZbIYa94g5/KcDE9iId4h0:JCouHwwf5eFxTdwZbIJ94QkAIG0
VT: https://www.virustotal.com/en/file/65258bc65d114e5736d34b7a23bbd563fe4cec888ecc80259d072ed7aa37cfb2/analysis/

SageCrypt
MD5: 7c02ec22d4d847f0ab43f114be43f069
SHA1: e6fb9bf2e56ae44fadd1e739be771090f2fbe372
SHA256: 7014a509880275960ddaed2cd97bef33de24cd63146232454e77b6a95d5bae26
ssdeep: 6144:57OgrFXMWkC9TPP1vldtHWXazMJGEDWV3E7eXVajh4Sw3BfODaH:57Og5XMWNpldtqazMIESV3rXV39OD
VT: https://www.virustotal.com/en/file/7014a509880275960ddaed2cd97bef33de24cd63146232454e77b6a95d5bae26/analysis/

TeslaCrypt
MD5: 209a288c68207d57e0ce6e60ebf60729
SHA1: e654d39cd13414b5151e8cf0d8f5b166dddd45cb
SHA256: 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
ssdeep: 3072:rYXT8PUsMNL8V4tD2My/JAAbQoM29wlV58lbNnolY7VgsYiVTPtiTu/q:rowUsML8g2j0o9wb0bNoaKsYImui
VT: https://www.virustotal.com/en/file/3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370/analysis/

Vipasana
MD5: 2aea3b217e6a3d08ef684594192cafc8
SHA1: 3a0b855dd052b2cdc6453f6cbdb858c7b55762b0
SHA256: 0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab
ssdeep: 6144:oRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYlG8+rNfNQFoQGt485VY:uDRbXFHW1+K2UWBGIymY/+rheFOv
VT: https://www.virustotal.com/en/file/0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab/analysis/

WannaCry
MD5: 2b4e8612d9f8cdcf520a8b2e42779ffa
SHA1: ae7113dd9a65a7be186d1982b02e16decda7eb80
SHA256: d8a9879a99ac7b12e63e6bcae7f965fbf1b63d892a8649ab1d6b08ce711f7127
ssdeep: 98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3R:QqPe1Cxcxk3ZAEUadzR8yc4gB
VT: https://www.virustotal.com/en/file/d8a9879a99ac7b12e63e6bcae7f965fbf1b63d892a8649ab1d6b08ce711f7127/analysis/

Win32Dircrypt
MD5: 04eacd2031de21c56ccec496e1b5ed68
SHA1: 11fb52c96853e12f011b7b7894e9884e56eb5522
SHA256: e908284c087983e3b9f3a3b828f1a3812bfe0e77694b9ef943c0e5c90eb747bb
ssdeep: 6144:H8CL0LckC2bYXES5c+rvM10d+dDJPDCWpKrSgBoreMDLu2zbgVn9Sr/WIInBt5op:cA0LK/5c3aqPiTebDLuibinIrwBtTE
VT: https://www.virustotal.com/en/file/e908284c087983e3b9f3a3b828f1a3812bfe0e77694b9ef943c0e5c90eb747bb/analysis/

ZeroLocker
MD5: bd0a3c308a6d3372817a474b7c653097
SHA1: 5ed36132872be3d5d94627b89f15a7369f68fba1
SHA256: d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa
ssdeep: 6144:tYcn3ge+gqzsSALff2TRLz1lTl8TFPUW+8sSZJMidVmXmVcXHU:ttQe+PzsfX2Tpz1daaWnVIgcE
VT: https://www.virustotal.com/en/file/d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa

Release
The source code and compiled JAR can be found on my GitHub account. Any questions or suggestions can always be e-mailed to [info][at][maxkersten][dot][nl].