Solutions to Detect Ransomware Attacks Can Often Be Very Trivial

A tool released today has network defenders excited about the idea of detecting and preventing ransomware attacks with the help of fake processes and process canaries, showing that solutions to detect and block ransomware attacks don't necessarily have to be over-complicated and expensive.

Named Killed Process Canary, the tool works by creating a group of empty Windows services on a Windows computer that is likely to be targeted during a ransomware attack.

The core principle behind the tool revolves around the idea that during an ongoing attack, a ransomware operator needs to stop a Windows service on a computer they target before they can encrypt its data without errors.

Most of these service shutdown commands usually take place after the ransomware operator runs a "net stop" command on the attacked system.

According to Ollie Whitehouse, Group CTO at the NCC Group and the author of Killed Process Canary, his tool works by allowing system administrators to deploy a number of empty Windows services that keep track of each other.

If any of these fake processes are shut down via a net stop or other similar commands, the other processes fire a DNS request to the Canary Token service to notify the administrator of an ongoing attack and then put the targeted system into a Windows "hibernate" state.

This last step is especially crucial, as the Windows hibernate state saves a copy of the OS memory, which would allow the system administrator to search and recover for a potential ransomware encryption key, which could later aid in decrypting other systems on the same network that have been impacted.

Whitehouse said he designed the tool with attacks from the Ryuk ransomware gang in mind, but it can also be modified for other ransomware operators as well.

Previous attempts to create anti-ransomware tooling

The tool's release today has been widely welcomed by the infosec industry, and Whitehouse has received praises for his work.

Over the past few years, many cybersecurity professionals have often created offensive tools for red team exercises or research purposes. While some tools have remained private, many have been open-sourced and released online, only to be integrated into the arsenals of cybercrime and nation-state groups.

Whitehouse's tool, which he open-sourced on GitHub, is a rare exception to this trend.

We don't need yet another C2 framework – we need more tools like this one

Outsmart the bullies https://t.co/9OBxDz6oj8

— Florian Roth (@cyb3rops) March 3, 2021

Excellent, nice work Ollie. I love this sort of deception engineering. Let's blacken the sky with these https://t.co/oSM8RgN240

— Dominic White (@singe) March 3, 2021

Sadly, there are very few anti-ransomware tools today like Killed Process Canary, although attempts have been made in the past.

For example, in 2016, a software engineer named Sean Williams released Cryptostalker, a tool that could monitor Linux systems for newly created files that contained random data and written to disk at high speeds, the signs of a fast encryption process, as seen in ransomware attacks.

In the same year, cybersecurity firm Cybereason also released an app called RansomFree that used folder names with special characters to detect ransomware attacks. The idea behind the tool was to make sure these special folders were encrypted before any other directory on the filesystem and give the OS a chance to detect the attack.

The biggest anti-ransomware tool available today was released in October 2017 when Microsoft added support for the Controlled Folder Access feature to Windows 10 itself. This feature gave system administrators a way to prevent certain apps —such as ransomware— from editing or writing files in certain locations.

PayPal also filed a patent for a ransomware detection system in 2019 that looked for certain patterns on systems attacked by ransomware —such as duplicating a file and running high-entropy (encryption) operations on the clone, a process used by most ransomware strains. However, nothing came from this patent, as of yet.

Today, only Windows 10's Controlled Access Feature remains available for blue teams across the world as a solid solution to detect attacks on their systems. However, the feature has been scorned by most system administrators and users alike because it's difficult to set up and also ends up blocking legitimate apps as well.

This leaves antivirus software as the only measure for many companies seeking to detect and defend ransomware attacks, something that system administrators might not be too comfortable with as multiple ransomware strains have incorporated AV evasion or disabling techniques.

Killed Process Canary provides a rare alternative to antivirus systems, one that can be deployed alongside and work as a backup.

However, in a conversation today with The Record, MalwareHunterTeam, a security researcher who has tracked and analyzed hundreds of ransomware strains across the years, said that ransomware gangs are also likely to deploy countermeasures for Killed Process Canary if the tool ever becomes a hindrance to their operations.