Defeating Ransomware by Using Sysmon and PowerShell

Mehmet Ergene
6 min read · Jul 11, 2020


Ransomware attacks have been increasing and getting more dangerous for companies. Since they have also been getting more advanced and harder to prevent or detect, I started researching the options for responding to ransomware attacks a week ago, and I found a way to defeat it!

In this post, I’m going to show how you can use active defense and cyber deception techniques to detect ransomware activity and dump the memory of its process into a file. After that, I’m going to demonstrate how it works by using an open-source ransomware sample. If you have the memory dump, you can analyze it and “most likely” find the encryption keys, so you can decrypt your data. Finally, I’m going to verify that the encryption key is present in the memory dump.

I'm going to use Sysmon, PowerShell, and Task Scheduler to implement the solution. This makes the solution totally free. You don’t even need a SIEM, EDR, SOAR, or any other commercial tool!

So, let’s get started!

Overview

Keep in mind that this solution is a prototype and can be improved in many ways.

An overview of the implementation steps:

  • Creating a honey folder and putting a test file in it. A honey folder is a kind of trap: ransomware will check it and encrypt the files inside.
  • Configuring Sysmon to monitor file creation events under the honey folder. This works because ransomware deletes the original file and puts the encrypted one in the same location.
  • Creating a PowerShell script that reads the Sysmon EventID 11 events, parses the Process Id from the event, and dumps the process memory to a file.
  • Creating a scheduled task that triggers on the Sysmon EventID 11 event. The task runs the PowerShell script, and the script dumps the memory.

Update for MAZE Ransomware

MAZE Ransomware doesn't perform file deletion and creation. However, it accesses the file. By configuring the audit policy for the honey folder, EventID 4663 is generated in the Security log. This event records the ProcessID in hexadecimal format, which can be converted to an integer. Hence, we can dump the memory of the MAZE ransomware process by modifying the PowerShell script. MAZE ransomware has some mechanisms to prevent memory dumping, but they can be bypassed.

Demo

For the demonstration, I used the ransomware framework on https://github.com/mauri870/ransomware. It contains a server, ransomware client, and an unlocker for decrypting the data.

Demo steps:

  • Running the ransomware manually and verifying the file encryption.
  • Verifying the scheduled task trigger and the memory dump file.
  • Getting the encryption key from the server.
  • Searching for the encryption key in the memory dump for verification.
  • Decrypting the encrypted files.

Implementation

I created a “honeyfolder” folder under the Downloads directory. I also created a “C:\AntiRansom” folder for the script and for saving the memory dumps.

Sysmon Configuration

I used the rule group below in my Sysmon configuration. It monitors “honeyfolder” for file creations. As I mentioned above, ransomware puts the encrypted files in their original location.

<RuleGroup name="" groupRelation="or">
  <!-- Event ID 11 == FileCreate. -->
  <FileCreate onmatch="include">
    <TargetFilename condition="contains">\honeyfolder\</TargetFilename>
  </FileCreate>
</RuleGroup>

Creating the PowerShell script

I created a PowerShell script and used Out-Minidump from PowerSploit. To keep the post short, I’m sharing the important parts below. You can download the whole script from my GitHub repo. Keep in mind that rundll32.exe doesn't work with the Task Scheduler (or I couldn’t make it work). That’s why I used Out-Minidump in the script. I also need to say that I have just basic programming knowledge. I developed the script in a week with no prior experience in PowerShell scripting, thanks to Stack Overflow. The code (part of it):
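The following is an added example of such a script, not the author's DumpProcess.ps1: it is meant to be started by the scheduled task, locates the newest honey-folder event (Sysmon EventID 11, or Security EventID 4663 for the MAZE case from the update above), and dumps that process with PowerSploit's Out-Minidump. The folder paths and the Out-Minidump.ps1 location are assumptions.

```powershell
# Added example, not the author's DumpProcess.ps1. Run by the scheduled task: find the
# newest honey-folder event (Sysmon EventID 11, or Security 4663 for the MAZE case) and
# dump that process with PowerSploit's Out-Minidump. Paths below are assumptions.
$HoneyFolder = '\honeyfolder\'
$DumpDir     = 'C:\AntiRansom\dumps'
New-Item -ItemType Directory -Force -Path $DumpDir | Out-Null
. 'C:\AntiRansom\Out-Minidump.ps1'   # assumed location of the PowerSploit function

# Turn an event's <EventData> into a name/value table. Newer Sysmon versions prepend a
# RuleName field, so looking fields up by name is safer than by Properties[] index.
function Get-EventData($Event) {
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    return $data
}

# Newest process that wrote to or accessed the honey folder, as an integer PID, or $null.
function Get-HoneyFolderPid {
    $sysmon = Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11} `
                  -MaxEvents 100 -ErrorAction SilentlyContinue |
              ForEach-Object { Get-EventData $_ } |
              Where-Object { $_.TargetFilename -like "*$HoneyFolder*" } | Select-Object -First 1
    if ($sysmon) { return [int]$sysmon.ProcessId }                  # Sysmon logs the PID in decimal

    # MAZE reads the file without recreating it, so fall back to the object-access audit event.
    $audit = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4663} `
                 -MaxEvents 100 -ErrorAction SilentlyContinue |
             ForEach-Object { Get-EventData $_ } |
             Where-Object { $_.ObjectName -like "*$HoneyFolder*" } | Select-Object -First 1
    if ($audit) { return [Convert]::ToInt32($audit.ProcessId, 16) }  # 4663 logs it as hex, e.g. 0x1a4c
    return $null
}

# Dump a PID once. The task allows parallel instances and one encryption run produces many
# events, so a marker file keeps a second instance from dumping the same process again.
function Invoke-HoneyDump([int]$ProcessId) {
    $marker = Join-Path $DumpDir "$ProcessId.dumped"
    if (Test-Path $marker) { return "skipped: PID $ProcessId already dumped" }
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if (-not $proc) { return "skipped: PID $ProcessId already exited" }
    New-Item -ItemType File -Force -Path $marker | Out-Null
    $proc | Out-Minidump -DumpFilePath $DumpDir | Out-Null           # writes <name>_<pid>.dmp
    return "dumped $($proc.ProcessName) (PID $ProcessId) to $DumpDir"
}

$targetPid = Get-HoneyFolderPid
$result = if ($null -ne $targetPid) { Invoke-HoneyDump $targetPid } else { 'no honey-folder event found' }
Add-Content -Path (Join-Path $DumpDir 'dump.log') -Value "$(Get-Date -Format o) $result"
```

The 4663 branch only produces results if an auditing SACL is set on the honey folder and object-access auditing is enabled, as the MAZE update describes.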

Creating the Scheduled Task

I created a scheduled task that triggers on Sysmon EventID 11. I’m not sure if the task should be run as SYSTEM, but I didn’t want to deal with privilege issues during the development. If you know a safer way to run the script, please share it.

General Properties
Trigger Properties. Advanced settings are default. If you want, you can create an advanced trigger by choosing Custom and providing a custom XML query.
Action Properties. The whole argument is: -ExecutionPolicy Bypass -File C:\AntiRansom\DumpProcess.ps1
Conditions Properties are default.
Settings Properties. Note that you can run a new instance in parallel.
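The same task can be registered from XML instead of through the GUI. The script below is an added example (not from the post) that builds the task definition with the settings described above: an event trigger on Sysmon EventID 11, running as SYSTEM, parallel instances allowed, and the same powershell.exe action. The task name and script path are assumptions.

```powershell
# Added example (not from the post): register the event-triggered task from XML with the
# properties described above. Task name and script path are assumptions.
$TaskName   = 'AntiRansom-DumpProcess'
$ScriptPath = 'C:\AntiRansom\DumpProcess.ps1'

# Event subscription: fire on every Sysmon EventID 11. The Sysmon rule already limits
# those events to the honey folder, so the query itself needs no path filter.
$Subscription = @"
<QueryList><Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
  <Select Path="Microsoft-Windows-Sysmon/Operational">*[System[(EventID=11)]]</Select>
</Query></QueryList>
"@

function New-HoneyDumpTaskXml([string]$Script, [string]$Query) {
    # S-1-5-18 is SYSTEM. Parallel instances matter because one encryption run emits
    # many FileCreate events in quick succession; the subscription must be XML-escaped.
    return @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>$([System.Security.SecurityElement]::Escape($Query))</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT10M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-ExecutionPolicy Bypass -File $Script</Arguments>
    </Exec>
  </Actions>
</Task>
"@
}

# Register (or replace) the task and show its state; needs an elevated prompt.
Register-ScheduledTask -TaskName $TaskName -Xml (New-HoneyDumpTaskXml $ScriptPath $Subscription) -Force | Out-Null
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```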

Demo Time!

DO NOT try running ransomware in your environment! I’m not responsible for any damage caused by it!

I used a Kali VM (server) and a Windows 10 VM (victim). The ransomware server runs on the Kali VM. I copied ransomware.exe and unlocker.exe to the Windows 10 VM manually.

Ransomware and Unlocker

I disabled the AV so as not to run into any trouble. Then, I ran ransomware.exe and waited for it to complete. After that, I checked the folders to verify the encryption.

Ransomware in action.

After completion, I checked if the mechanism was triggered and created the dump.

Looks like the task ran and finished properly:

Task history. Completed with return code 0.

And there is the memory dump!

The script created the memory dump of the process Id 6172. (yes, I could have tried to kill the process but it might have been a total loss for me.)

I opened the READ_TO_DECRYPT.html file.

DO NOT SEND ANY BITCOIN TO THAT ADDRESS!

Since I had the server as well, I obtained the encryption key by using the ID.

Thank god we have the key!

I searched for the encryption key by using strings.exe. The key was there, but there were other characters next to it.

The first string starting with the "73" has 3 extra chars.

I dumped all the strings output to a file and searched for the key and my ransomware server address.

Again, 3 extra chars.

Below, you can see the payload for adding the encryption key to the server.

The payload of sending the encryption key to the server.

Since I’m not a forensics expert, I couldn’t verify whether the payload contained the encryption key. The server returns “204 No Content” for a successful POST. If you want to try to decode it, here is the payload:

HTTP/1.1 204 No Content
Vary: Origin
Date: Sat, 11 Jul 2020 10:34:58 GMT
POST /api/keys/add HTTP/1.1
Host: 172.16.196.136:8080
User-Agent: Go-http-client/1.1
Content-Length: 1284
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
payload=K2.%3BU%C7%B0%B4%FB%AD%CD%D8%3DnP%E1%09%26%1C%90%B9u%10%01~%E6%D8Y%96%2F%07%7F5W%CA%2A%AD%E5%14%B9%C3%40%2Bo%9AAC%02%FC%5B%98X%AB%8A%3E%0F%B8%B0k%E5q%25%7FN%E1%FC%C9%8EK%C6%8A%1F9w%81%A0%BC%3Bz%F9%DCk%AE%B7%B8%06%1C%40%9D%C8%60%00%BA%0A%06%CA%3D%19%85CU%0Be%A1%99%D3%9Fe%D7%D0X%8D%1E%9F%BA%07%A3%E3S%24%C0%0B%7Fj%28%27_%FA%E6E%D3%23%8Ep%84%82%F2%DFR%CF%96%3C%DFz%00%EEK%80%8E%C7%E6%A9%242%95g6%D0%14%5Coh6%8DU%29y%BE%82%94%F397d%2ACB%F6%EA%2C%E3%13%86%05pR%94%00.j%A3Cg%E8%F1%C2%AE%1B%28%A59%B9%E4%FE%AB%C9YvI%07z%EF1%9AR%B9%2C%0E%2F%16f%C3%12%F9%22%12%C0%84T%2B%21%1B%22r%25%22%E7%A7%D6%A3%B8%F9fX9%91t%7B%A6%10%DD%F1%3DL%C9%C6%1C%A4%C5%96%A9%CB%AD%0C%B3%97%23%BD%0D%DC%A8%97%BC%C6%2F%A0%02%DA%E9%AD7%B1%1Bb%8Ay%D0H%AA%F6%C78PQ%3F%A8n9%E5%C00%B9b%C2%40%BD%B0%14%F8%F8%D9%A1%EF%F0%C8%11%85%F2%DF1%DB%BB%D8%5E%FAf%CE%3C%94%F1%A9P%06F%C6%9C%94%23%1E%2A%CCjP%0B%9AIE%8BSj%DC%85z%F1%D5%26%EDc%1E%FFa%B3%9Br%D7cH%E3e%E1B%EA%3C%1B%0A%B7i7w%FF%E4%11%17%B0T%5Dr%B3%EA%E4%EB%9C3%1D%EEy%7D%F2%F9%B6Mo%C9%5C%97R%2B%18a%F8%E9%8C%22%C0%DC%C79%A0%0F%2C.%C4W%83%F5%04%D1%D9%03%09%AD%C1t%A5%D5%0A%26d~%B9bd%1A%1D%EC%FC%E7%EFT%1F%A5%0F%AB%3B%19%D8%80%F2%C3U%9F%B9%24%D5%F8%972R%91%28%3EJ%3D%2B%01%05%25%D1V%C4%F3F%CD%90I%B4%B8%E6p%D9%E1%B6Q-%00%F2w%1B%98%97%86%1D%F8%C7%28%B0%BF%3D%85%C1%80%23

Finally, I decrypted the files using unlocker.exe and the key.

Decryption process.

Below is the decrypted file under the honeyfolder.

The file was recovered properly.

P.S.: If you want to learn KQL, especially for Microsoft Sentinel or Microsoft 365 Defender, do check out my training website. Hope to see you there!

Conclusion

Just by having some basic programming knowledge, I developed this mechanism to fight ransomware attacks without using any commercial tool, so that everyone can benefit from it. You can improve it and use it in your environment. If you find ways to make it better or develop a better mechanism, I hope you share it with the community.

Update:

Keep in mind that this is not a bulletproof solution. It may not work if anti-forensics techniques are involved in the attack.

The methodology can be applied to other types of attacks by using different events and developing scripts. I will look into another Sysmon feature, “file delete”, to see what can be done.


Written by Mehmet Ergene

🚀 Master KQL at https://academy.bluraven.io for Threat Hunting, Detection Engineering, and Incident Response | Threat Researcher | DFIR | SIEM | @Cyb3rMonk
