From 00fd09ac7763682985bcb9abac3024dd468f13e0 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 5 Apr 2019 10:50:01 +0200 Subject: [PATCH 01/11] fix space --- workflow/machinetag.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/workflow/machinetag.json b/workflow/machinetag.json index 49dd42c..bc1c7ae 100644 --- a/workflow/machinetag.json +++ b/workflow/machinetag.json @@ -1,7 +1,7 @@ { "namespace": "workflow", "expanded": "workflow to support analysis", - "description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information. ", + "description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.", "version": 8, "predicates": [ { From a39e0375efa2fedb6305a20de7000554460994ff Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 5 Apr 2019 11:12:43 +0200 Subject: [PATCH 02/11] update readme --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2ac1bba..d685ab7 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ The following taxonomies can be used in MISP (as local or distributed tags) or i The following taxonomies are described: -- [Access-now](./accessnow) +- [access-method](./access-method) - [action-taken](./action-taken) - [Admiralty Scale](./admiralty-scale) - [adversary](./adversary) - description of an adversary infrastructure @@ -47,6 +47,7 @@ The following taxonomies are described: - [NATO Classification Marking](./nato) - [Open Threat Taxonomy v1.1 (SANS)](./open_threat) - [OSINT Open Source Intelligence - Classification](./osint) +- [Ransomware](./ransomware) - [runtime-packer](./runtime-packer) - Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other o bfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries. - [STIX-TTP](./stix-ttp) - Represents the behavior or modus operandi of cyber adversaries as normalized in STIX From 1a08f2c9b8a330f9ade996ef2c82d292a5bdcd71 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 5 Apr 2019 11:13:21 +0200 Subject: [PATCH 03/11] add ransomware taxonomy WIP --- ransomware/machinetag.json | 58 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 ransomware/machinetag.json diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json new file mode 100644 index 0000000..83f18b1 --- /dev/null +++ b/ransomware/machinetag.json @@ -0,0 +1,58 @@ +{ + "namespace": "ransomware", + "expanded": "ransomware types and elements", + "description": "Ransomware is used to define ransomware types and the elements that compose them.", + "version": 1, + "predicates": [ + { + "value": "type", + "expanded": "Type", + "description": "Type is used to describe the type of a ransomware and how it works." + }, + { + "value": "element", + "expanded": "Element", + "description": "Elements that composed or are linked to a ransomware and its execution." + } + ], + "values": [ + { + "predicate": "type", + "entry": [ + { + "value": "scareware", + "expanded": "" + }, + { + "value": "locker", + "expanded": "" + }, + { + "value": "cryptolocker", + "expanded": "" + } + ], + }, + { + "predicate": "type", + "entry": [ + { + "value": "ransomnote", + "expanded": "" + }, + { + "value": "decoy", + "expanded": "" + }, + { + "value": "crypter", + "expanded": "" + }, + { + "value": "downloader", + "expanded": "" + } + ] + } + ] +} From 01894fd118ca991c706e563be14fe83683003bb3 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 5 Apr 2019 11:26:29 +0200 Subject: [PATCH 04/11] ransomware taxonomy : decribe some types --- ransomware/machinetag.json | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index 83f18b1..55f0b9c 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json @@ -3,6 +3,9 @@ "expanded": "ransomware types and elements", "description": "Ransomware is used to define ransomware types and the elements that compose them.", "version": 1, + "refs": [ + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf" + ], "predicates": [ { "value": "type", @@ -21,15 +24,15 @@ "entry": [ { "value": "scareware", - "expanded": "" + "expanded": "Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software." }, { - "value": "locker", - "expanded": "" + "value": "locker-ransomware", + "expanded": "Locker eansomware, also called computer locker, denies access to the computer or device " }, { - "value": "cryptolocker", - "expanded": "" + "value": "crypto-ransomware", + "expanded": "Crypto ransomware, also called data locker prevents access to files or data. Crypto ransomware doesn’t necessarily have to use encryption to stop users from accessing their data, but the vast majority of it does." } ], }, From 17c65b3d1834f96020b32b5606c5201a4b35f9bc Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 5 Apr 2019 12:06:07 +0200 Subject: [PATCH 05/11] ransomware taxonomy : decribe some elements --- ransomware/machinetag.json | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index 55f0b9c..2971b07 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json @@ -41,19 +41,15 @@ "entry": [ { "value": "ransomnote", - "expanded": "" + "expanded": "A ransomnote is the message left by the attacker to threaten his victim and ask for ransom. It is usually seen as a text file or a picture set as background." }, { - "value": "decoy", - "expanded": "" - }, - { - "value": "crypter", - "expanded": "" + "value": "dropper", + "expanded": "A dropper is a means of getting malware into a machine while bypassing the security checks by carring the malware inside of itself." }, { "value": "downloader", - "expanded": "" + "expanded": "a downloader is a means of getting malware into a machine while bypassing the security checks, by downloading it instead of carring it." } ] } From e2e0414f4b3c49b3920e1e66d744c4b82184e6be Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 5 Apr 2019 12:06:54 +0200 Subject: [PATCH 06/11] ransomware taxonomy : decribe some elements --- ransomware/machinetag.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index 2971b07..7153160 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json @@ -37,7 +37,7 @@ ], }, { - "predicate": "type", + "predicate": "element", "entry": [ { "value": "ransomnote", From b5026a101be17f4e44406a71d115ae78f05d3bae Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 5 Apr 2019 12:10:27 +0200 Subject: [PATCH 07/11] ##COMMA## --- ransomware/machinetag.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index 7153160..e76406d 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json @@ -34,7 +34,7 @@ "value": "crypto-ransomware", "expanded": "Crypto ransomware, also called data locker prevents access to files or data. Crypto ransomware doesn’t necessarily have to use encryption to stop users from accessing their data, but the vast majority of it does." } - ], + ] }, { "predicate": "element", From 97df10ab9eb22352fa6edd62e3e0947805138a35 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 5 Apr 2019 16:16:03 +0200 Subject: [PATCH 08/11] add complexity level [WIP - DO NOT MERGE] --- ransomware/machinetag.json | 47 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index e76406d..fc2bb94 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json @@ -16,6 +16,11 @@ "value": "element", "expanded": "Element", "description": "Elements that composed or are linked to a ransomware and its execution." + }, + { + "value": "complexity-level", + "expanded": "Complexity level", + "description": "Level of complexity of the ransomware." } ], "values": [ @@ -52,6 +57,48 @@ "expanded": "a downloader is a means of getting malware into a machine while bypassing the security checks, by downloading it instead of carring it." } ] + }, + { + "predicate": "complexity-level", + "entry": [ + { + "value": "no-actual-encryption-fake-scareware", + "expanded": "No actual encryption (fake scareware). infection merely poses as a ransomware by displaying a ransom note while not actually encrypting user files" + }, + { + "value": "display-ransomnote-before-encrypting", + "expanded": "Displaying the ransom note before encryption process commences. As seen in the case of Nemucod, some ransomware will display a ransom note before file encryption. This is a serious operational flaw in the ransomware. The victim or their antivirus solution could effectively take prompt evasive action to prevent ransomware from commencing encryption." + }, + { + "value": "", + "expanded": "" + }, + { + "value": "", + "expanded": "" + }, + { + "value": "", + "expanded": "" + }, + { + "value": "", + "expanded": "" + }, + { + "value": "", + "expanded": "" + }, + { + "value": "", + "expanded": "" + }, + { + "value": "", + "expanded": "" + }, + + ] } ] } From c8e1b364f90a6d7bb608c07123e5f4b4897311b6 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Mon, 8 Apr 2019 16:35:58 +0200 Subject: [PATCH 09/11] ransomware taxonomy [WIP] --- ransomware/machinetag.json | 43 +++++++++++++++++++++++++++++++------- 1 file changed, 35 insertions(+), 8 deletions(-) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index fc2bb94..e25156a 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json @@ -70,34 +70,61 @@ "expanded": "Displaying the ransom note before encryption process commences. As seen in the case of Nemucod, some ransomware will display a ransom note before file encryption. This is a serious operational flaw in the ransomware. The victim or their antivirus solution could effectively take prompt evasive action to prevent ransomware from commencing encryption." }, { - "value": "", + "value": "decryption-essentials-extracted-from-binary", + "expanded": "Decryption essentials can be reverse engineered from ransomware code or the user system. For example, if the ransomware uses a hard-coded key, then it becomes straight-forward for malware analysts to extract the key by disassembling the ransomware binary. " + }, + { + "value": "derived-encryption-key-predicted ", + "expanded": "Another possibility of reverse engineering the key is demonstrated in the case of the Linux.Encoder. Aransomware where a timestamp on the system was used to create keys for encryption resulting in easy decryption provided that the timestamp is still accessible." + }, + { + "value": "same-key used-for-each-infection", + "expanded": "Ransomware uses the same key for every victim. If the same key is used to encrypt all victims during a campaign, then one victim can share the secret key with others." + }, + { + "value": "encryption-circumvented", + "expanded": "decryption possible without key - Files can be decrypted without the need for a key due to poor choice or implementation of the encryption algorithm. Consider the case of desuCrypt that used an RC4 stream cipher for encryption. Using a stream cipher with key reuse is vulnerable to known plaintext attacks and known-ciphertext attacks due to the keyreuse vulnerability and hence this is a poor implementation of the encryption algorithm." + }, + { + "value": "file-restoration-possible-using-shadow-volume-copies", + "expanded": "Files can be restored using system backups, e.g. Shadow Volume Copies on the New Technology File System (NTFS), that were neglected by the ransomware." + }, + { + "value": "key-recovered-from-file-system-or-memory", "expanded": "" }, { - "value": "", + "value": "due-diligence-prevented-ransomware-from-acquiring-key", "expanded": "" }, { - "value": "", + "value": "click-and-run-decryptor-exists", "expanded": "" }, { - "value": "", + "value": "kill-switch-exists-outside-of-attacker-s-control", "expanded": "" }, { - "value": "", + "value": "decryption-key-recovered-from-a-C&C-server-or-network-communications", "expanded": "" }, { - "value": "", + "value": "custom-encryption-algorithm-used", "expanded": "" }, { - "value": "", + "value": "decryption-key-recovered-under-specialized-lab-setting", "expanded": "" }, - + { + "value": "small-subset-of-files-left-unencrypted", + "expanded": "" + }, + { + "value": "encryption-model-is-seemingly-flawless", + "expanded": "" + } ] } ] From 7095e737f5f846152e10e029d1e79163b5b50bd2 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 9 Apr 2019 11:41:24 +0200 Subject: [PATCH 10/11] ransomware taxonomy - complexity level --- ransomware/machinetag.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index e25156a..61d7a8d 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json @@ -91,39 +91,39 @@ }, { "value": "key-recovered-from-file-system-or-memory", - "expanded": "" + "expanded": "Decryption key can be retrieved from the host machine’s file structure or memory by an average user without the need for an expert. In the case of CryptoDefense, the ransomware did not securely delete keys from the host machine. The user can look in the right folder to discover the decryption key." }, { "value": "due-diligence-prevented-ransomware-from-acquiring-key", - "expanded": "" + "expanded": "User can prevent ransomware from acquiring the encryption key. Ransomware belongs in this category if its encryption procedure can be interrupted or blocked by due diligence on part of the user. For example, CryptoLocker discussed above cannot commence operation until it receives a key from the C&C server. A host or border firewall can block a list of known C&C servers hence rendering ransomware ineffective." }, { "value": "click-and-run-decryptor-exists", - "expanded": "" + "expanded": "Easy ‘Click-and-run’ solution such as a decryptor has been created by the security community such that a user can simply run the program to decrypt all files." }, { "value": "kill-switch-exists-outside-of-attacker-s-control", - "expanded": "" + "expanded": "There exists a kill switch outside of attacker’s control that renders the cryptoviral infection ineffective. For example, in the case of WannaCry, a global kill switch existed in the form of a domain name. The ransomware reached out to this domain before commencing encryption and if the domain existed, the ransomware aborted execution. This kill switch was outside the attacker’s control as anyone could register it and neutralize the ransomware outbreak." }, { "value": "decryption-key-recovered-from-a-C&C-server-or-network-communications", - "expanded": "" + "expanded": "Key can be retrieved from a central location such as a C&C server on a compromised host or gleaned with some difficulty from communication between ransomware on the host and the C&C server. For instance, in the case of CryptoLocker, authorities were able to seize a network of compromised hosts used to spread CryptoLocker and gain access to decryption essentials of around 500, 000 victims." }, { "value": "custom-encryption-algorithm-used", - "expanded": "" + "expanded": "Ransomware uses custom encryption techniques and violates the fundamental rule of cryptography: “do not roll your own crypto.” It is tempting to design a custom cipher that one cannot break themselves, however it will likely not withstand the scrutiny of professional cryptanalysts. Amateur custom cryptography in the ransomware implies there will likely soon be a solution to decrypt files without paying the ransom. An example of this is an early variant of the GPCoder ransomware that emerged in 2005 with weak custom encryption." }, { "value": "decryption-key-recovered-under-specialized-lab-setting", - "expanded": "" + "expanded": "Key can only be retrieved under rare, specialized laboratory settings. For example, in the case of WannaCry, a vulnerability in a cryptographic API on an unpatched Windows XP system allowed users to acquire from RAM the prime numbers used to compute private keys and hence retrieve the decryption key. However, the victim had to have been running a specific version of Windows XP and be fortunate enough that the related address space in memory has not been reallocated to another process. In another example, it is theoretically possible to reverse WannaCry encryption by exploiting a flaw in the pseudo-random-number-generator (PRNG) in an unpatched Windows XP system that reveals keys generated in the past. Naturally, these specialized conditions are not true for most victims." }, { "value": "small-subset-of-files-left-unencrypted", - "expanded": "" + "expanded": "A small subset of files left unencrypted by the ransomware for any number of reasons. Certain ransomware are known to only encrypt a file if its size exceeds a predetermined value. In addition, ransomware might decrypt a few files for free to prove decryption is possible. In such cases, a small number of victims may be lucky enough to only need these unencrypted files and can tolerate loss of the rest." }, { "value": "encryption-model-is-seemingly-flawless", - "expanded": "" + "expanded": "Encryption model is resistant to cryptographic attacks and has been implemented seemingly flawlessly such that there are no known vulnerabilities in its execution. Simply put, there is no proven way yet to decrypt the files without paying the ransom." } ] } From 68b3490d8b4a13e3ee60478c3859fc1f71828813 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 9 Apr 2019 14:25:49 +0200 Subject: [PATCH 11/11] ransomware taxonomy - purpose --- ransomware/machinetag.json | 46 +++++++++++++++++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index 61d7a8d..99a05e0 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json @@ -4,7 +4,9 @@ "description": "Ransomware is used to define ransomware types and the elements that compose them.", "version": 1, "refs": [ - "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf" + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf", + "https://docs.apwg.org/ecrimeresearch/2018/5357083.pdf", + "https://bartblaze.blogspot.com/p/the-purpose-of-ransomware.html" ], "predicates": [ { @@ -21,6 +23,11 @@ "value": "complexity-level", "expanded": "Complexity level", "description": "Level of complexity of the ransomware." + }, + { + "value": "purpose", + "expanded": "Purpose", + "description": "Purpose of the ransomware." } ], "values": [ @@ -126,6 +133,43 @@ "expanded": "Encryption model is resistant to cryptographic attacks and has been implemented seemingly flawlessly such that there are no known vulnerabilities in its execution. Simply put, there is no proven way yet to decrypt the files without paying the ransom." } ] + }, + { + "predicate": "purpose", + "entry": [ + { + "value": "deployed-as-ransomware-extortion", + "expanded": "This has been the traditional approach - ransomware is installed on the victim's machine, and its only purpose is to create income for the cybercriminal(s). In fact, ransomware is simple extortion, but via digital means." + }, + { + "value": "deployed-to-showcase-skills-for-fun-or-for-testing-purposes", + "expanded": "Some cybercriminals like to show off, and as such create the side-business of ransomware, or, more particularly to showcase their coding skills.\nAnother example may be to send ransomware 'as a joke' or for fun to your friends, and giving them a bad time.\nSome cybercriminals may be testing the waters by deploying ransomware in an organisation, to stress-test the defenses, or to test their own programming skills, or the lack thereof." + }, + { + "value": "deployed-as-smokescreen", + "expanded": "A very interesting occurrence indeed: ransomware is installed to hide the real purpose of whatever the cybercriminal or attacker is doing. This may be data exfiltration, lateral movement, or anything else, in theory, everything is a possible scenario... except for the ransomware itself." + }, + { + "value": "deployed-to-cause-frustration", + "expanded": "Another possible angle that goes hand in hand with the classic extortion scheme - deploying ransomware with intent of frustrating the victim. Basically, cyber bullying. While there may be a request for a monetary amount, it is not the purpose." + }, + { + "value": "deployed-out-of-frustration", + "expanded": " Sometimes, an attacker may gain initial access to a server or other machine, but consequent attempts to, for example, exfiltrate data or attack other machine, is unsuccessful. This may be due to a number of things, but often due to the access being discovered, and quickly patched. On the other hand, it may have not been discovered yet, but the attacker is sitting with the same problem: the purpose is not fulfilled. Then, out of frustration, or to gain at least something out of the victim, the machine gets trashed with ransomware. Another possibility is a disgruntled employee, leaving ransomware as a 'present' before leaving the company." + }, + { + "value": "deployed-as-a-cover-up", + "expanded": " This may sound ambiguous at first, but imagine a scenario where a company may face sanctions, is already compromised, or has a running investigation. The company or organisation deploying ransomware itself, is a viable way of destroying data forever, and any evidence may be lost.\nAnother possibility is, in order to cover up a much larger compromise, ransomware is installed, and everything is formatted to hide what actually happened.\nAgain, there is also the possibility of a disgruntled employee, or even an intruder: which brings us back to 'deployed as a smokescreen'." + }, + { + "value": "deployed-as-a-penetration-test-or-user-awareness-training", + "expanded": "Ransomware is very effective in the sense that most people know what its purpose is, and the dangers it may cause. As such, it is an excellent tool that can be used for demonstration purposes, such as a user awareness training. Another possibility is an external pentest, with same purpose." + }, + { + "value": "deployed-as-a-means-of-disruption-destruction", + "expanded": " Last but not least - while ransomware can have several purposes, it can also serve a particularly nasty goal: destroy a company or organisation, or at least take them offline for several days, or even weeks.\nAgain, there are some possibilities, but this may be a rivalry company in a similar business, again a disgruntled employee, or to disrupt large organisations on a worldwide scale." + } + ] } ] }