CryFile - From 0-Day to detection in 48 hours
What is known?
- November 17, 2017: enSilo's Post-Infection Protection platform blocked, in real time, a variant of the CryFile ransomware that at the time had a zero detection rate in VirusTotal (no engine flagged the sample).
Why it matters
- enSilo detects and stops a zero-day ransomware from encrypting files.
How we do it
- Blocking a zero-day threat in real time requires post-infection protection: technology that stops a threat that has already started executing, before it can cause damage on the scale of WannaCry.
- Established anti-virus products have impressive detection rates, yet the CCleaner, NotPetya and WannaCry attacks bypassed most traditional malware detection technologies, and it took roughly a day before nearly all anti-virus products had added detection. Timing is everything: a product that is a day behind leaves an entire organization exposed to a widespread, damaging attack during that window.
Learn about enSilo’s endpoint protection solution.
Here is the proof: VirusTotal and our data
At the time enSilo detected it, the ransomware had a zero detection rate in VirusTotal: no engine flagged the sample.
Figure 1: 11.17.2017 – VirusTotal 0-day Detection Rate
The detection rate for this sample was still fairly low five days after it was first seen by VirusTotal:
Figure 2: 11.20.2017 – VirusTotal Low Detection Rate
Technical analysis of CryFile
The CryFile ransomware binary file contains the following static characteristics:
SHA256 Hash: 2cc830c530ae1c03d9c4a8ffb74aa39d4393f524177edb0166125d88d795e3be
File size: 23552 bytes
File Compile Time: 2017-09-20 12:54:20
On execution, the CryFile ransomware does two main things:
1) It encrypts some of the files on the affected system.
2) It fills the affected system drive completely.
The ransomware selects files to encrypt by extension. The targeted file types are:
1cd, 7z, accdb, backup, cd, cdr, dbf, doc, docx, dwg, jpeg, jpg, mdb, odr, pdf, psd, rar, rtf, sqlite, tiff, txt, xlsx, xls, zip, dt, ert, pst, mdf, ldf
The files that are encrypted are then renamed in the following format:
Figure 3: In some directories a folder named .corrupt is created alongside the encrypted files
This folder contains the files that the ransomware did not fully encrypt. In addition, a file named DECRYPTKEY is created under C:\exportKey. It contains the generated AES key, wrapped (encrypted) with the hardcoded RSA public key, so only the holder of the matching private key can recover the AES key that was used to encrypt the files.
Figure 4: Hardcoded RSA public key - this key is embedded in the binary and used in the encryption process to wrap the file-encryption key.
RSA public key value (PKCS#1 RSAPublicKey; the DER header and trailer decode to a 1024-bit modulus and public exponent 65537):
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAJ/pgAk5IFg+97WOlgPOr7D77xhWgBMj9gKL9EplpCT6XZl+hRCDSqti
t+TN6g5r+p3lUuNNO8cSdDBeeUNcx+j69KDGixTEM5lcxMGokY5WK/krZAG+TwDX
CLiTy26j/s5bJrb0e9x9q9STdhdpXZgV7xXqyxpmM1xVaYN2Oo2RfAgMBAAE=
-----END RSA PUBLIC KEY-----
Note: the base64 body as reproduced here is 189 characters long, which is not a valid base64 length (it must be a multiple of 4), so extract the key from the sample itself rather than from this page before using it as an indicator.
The encryption loop, as observed in the sample:
- Encrypts 16 bytes (one AES block) per iteration.
- Runs at most 0x32 (50) iterations, so at most 800 bytes of each file are touched; the remainder of the file is left as it was.
- On the last iteration 32 bytes are encrypted, but only 16 bytes are written back to the file.
Furthermore, the loop calls the C runtime rand function, and the random number it returns decides how many bytes of each encrypted block are written back to the file. That count is not recorded anywhere, and a block cipher cannot be inverted from a partial ciphertext block, so a block that was only partly overwritten cannot be reconstructed even with the correct key. This means that some files cannot be decrypted at all.
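The consequence of the rand()-driven write-back can be shown in a few lines. The following is an added example, not CryFile's code: the loop shape follows the analysis above (16-byte blocks, at most 0x32 iterations, a per-block write length chosen at random), but AES is not in the Python standard library, so a 16-byte Feistel cipher built over SHA-256 stands in for it, and the 32-byte last-iteration detail is not modelled. The key and the 1200-byte "document" are constructed sample input.

```python
"""
Why CryFile's rand()-driven write-back makes some files unrecoverable.
Added example (not CryFile's code). The block cipher below is a stand-in for
AES; like AES, a block can only be decrypted from all 16 ciphertext bytes.
"""
import hashlib
import random

BLOCK = 16
MAX_ITERATIONS = 0x32  # 50 iterations at most, as observed in the sample

# Constructed sample input: a per-victim key and a 1200-byte "document".
SAMPLE_KEY = bytes(range(16))
SAMPLE_FILE = b"Quarterly figures, constructed sample document.\n" * 25


def _round(key: bytes, r: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES: 4-round Feistel network on a 16-byte block. Not AES."""
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, i, r)))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt (rounds applied in reverse order)."""
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _round(key, i, l))), l
    return l + r


def cryfile_like_encrypt(data: bytes, key: bytes, write_len):
    """
    Encrypt up to MAX_ITERATIONS leading 16-byte blocks, writing back only
    write_len(i) bytes (1..16) of each ciphertext block, as the sample's
    rand()-driven loop does. Returns (modified file image, blocks touched).
    """
    image = bytearray(data)
    nblocks = min(MAX_ITERATIONS, len(data) // BLOCK)
    for i in range(nblocks):
        off = i * BLOCK
        ct = block_encrypt(key, bytes(image[off:off + BLOCK]))
        n = write_len(i)
        assert 1 <= n <= BLOCK
        image[off:off + n] = ct[:n]  # partial write: rest of block stays plaintext
    return bytes(image), nblocks


def unrecoverable_blocks(original: bytes, image: bytes, key: bytes, nblocks: int):
    """
    Decrypt with the correct key and report the blocks that do not come back.
    A block recovers only if all 16 ciphertext bytes were written; otherwise it
    is a mix of ciphertext and untouched plaintext, the cipher has no partial
    inverse, and the plaintext bytes under the ciphertext are lost for good.
    """
    lost = []
    for i in range(nblocks):
        off = i * BLOCK
        if block_decrypt(key, image[off:off + BLOCK]) != original[off:off + BLOCK]:
            lost.append(i)
    return lost


def demo(write_len):
    """Run the simulated loop on the constructed file; return (lost blocks, image)."""
    image, nblocks = cryfile_like_encrypt(SAMPLE_FILE, SAMPLE_KEY, write_len)
    return unrecoverable_blocks(SAMPLE_FILE, image, SAMPLE_KEY, nblocks), image


if __name__ == "__main__":
    print("always 16 bytes written, lost blocks:", demo(lambda i: BLOCK)[0])
    rng = random.Random(1)  # plays the role of rand()
    print("random write length, lost blocks:", demo(lambda i: rng.randint(1, BLOCK))[0])
```

With a constant write length of 16 every touched block decrypts and the bytes past offset 800 are untouched; with the random write length, every block that received fewer than 16 ciphertext bytes is reported as lost, which is the situation the sample's decryptor would face.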
Figure 5: The encryption process
Filling the affected system drive completely
The CryFile ransomware creates a file called Fill0 under C:\fill and keeps writing data to it until the drive is almost full.
Figure 6: The C: volume after execution of the ransomware, showing how it has been filled
Figure 7: The huge file C:\fill\fill0 and its size
enSilo Post-Infection Platform in Action
The CryFile ransomware sample was executed in a controlled environment protected by the enSilo platform.
Figure 8: enSilo detected and blocked the CryFile ransomware activity and stopped the file encryption
The enSilo file encryptor rule detected that a binary named crss.exe (the CryFile ransomware) attempted to encrypt a file called ReadMe.txt on the affected system. The post-infection platform blocked CryFile's encryption in real time, and not a single file was encrypted.
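The behaviour described in this post also lends itself to an offline, after-the-fact check over file-activity telemetry. The following is an added example, not enSilo's rule: it combines the host artefacts named above (C:\exportKey\DECRYPTKEY, C:\fill\Fill0, .corrupt folders, the sample's SHA256) with a simple heuristic that flags a process overwriting several targeted-extension files with high-entropy data. The event format and the event stream are constructed for the example; a real EDR feed would supply the write buffers.

```python
"""
Offline heuristic for CryFile-like behaviour over a constructed file-activity
stream. Added example; not enSilo's rule, and the event schema is assumed.
"""
import math
from collections import defaultdict

# Extensions the sample targets (from the analysis above).
TARGET_EXTS = {
    "1cd", "7z", "accdb", "backup", "cd", "cdr", "dbf", "doc", "docx", "dwg",
    "jpeg", "jpg", "mdb", "odr", "pdf", "psd", "rar", "rtf", "sqlite", "tiff",
    "txt", "xlsx", "xls", "zip", "dt", "ert", "pst", "mdf", "ldf",
}
# Host artefacts the sample leaves behind (compared case-insensitively).
IOC_PATHS = {r"c:\exportkey\decryptkey", r"c:\fill\fill0"}
SAMPLE_SHA256 = "2cc830c530ae1c03d9c4a8ffb74aa39d4393f524177edb0166125d88d795e3be"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _extension(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events, min_files=3, entropy_threshold=7.0):
    """
    Flag a process image when it (a) touches a known CryFile path or a
    .corrupt folder, (b) matches the sample hash, or (c) overwrites at least
    `min_files` distinct targeted-extension files with high-entropy data.
    The file-count threshold keeps a single legitimate archiver write from firing.
    """
    per_proc = defaultdict(lambda: {"ioc_paths": [], "high_entropy_targets": set(),
                                    "known_hash": False})
    for ev in events:
        rec = per_proc[ev["image"]]
        p = ev["path"].lower()
        if p in IOC_PATHS or "\\.corrupt" in p:
            rec["ioc_paths"].append(ev["path"])
        if ev.get("image_sha256") == SAMPLE_SHA256:
            rec["known_hash"] = True
        if (ev["op"] == "write" and _extension(p) in TARGET_EXTS
                and len(ev["data"]) >= 64
                and shannon_entropy(ev["data"]) >= entropy_threshold):
            rec["high_entropy_targets"].add(ev["path"])
    alerts = {}
    for image, rec in per_proc.items():
        if rec["ioc_paths"] or rec["known_hash"] \
                or len(rec["high_entropy_targets"]) >= min_files:
            alerts[image] = {**rec, "high_entropy_targets": sorted(rec["high_entropy_targets"])}
    return alerts


# Constructed sample telemetry. CIPHERTEXT_LIKE holds every byte value once
# (entropy exactly 8.0); PLAINTEXT_LIKE is ordinary text.
CIPHERTEXT_LIKE = bytes(range(256))
PLAINTEXT_LIKE = b"Meeting notes: follow up on the budget review.\n" * 4
SAMPLE_EVENTS = [
    {"image": "crss.exe", "op": "write", "path": r"C:\Users\alice\Documents\ReadMe.txt",
     "data": CIPHERTEXT_LIKE, "image_sha256": SAMPLE_SHA256},
    {"image": "crss.exe", "op": "write", "path": r"C:\Users\alice\Documents\report.docx",
     "data": CIPHERTEXT_LIKE},
    {"image": "crss.exe", "op": "write", "path": r"C:\Users\alice\Pictures\photo.jpg",
     "data": CIPHERTEXT_LIKE},
    {"image": "crss.exe", "op": "create", "path": r"C:\exportKey\DECRYPTKEY", "data": b""},
    {"image": "crss.exe", "op": "create", "path": r"C:\fill\Fill0", "data": b""},
    {"image": "explorer.exe", "op": "write", "path": r"C:\Users\alice\Documents\notes.txt",
     "data": PLAINTEXT_LIKE},
    {"image": "7z.exe", "op": "write", "path": r"C:\Users\alice\backup.7z",
     "data": CIPHERTEXT_LIKE},  # one compressed archive: high entropy, but legitimate
]

if __name__ == "__main__":
    for image, why in detect(SAMPLE_EVENTS).items():
        print(image, why)
```

On the constructed stream only crss.exe is flagged: explorer.exe writes low-entropy text, and 7z.exe writes a single high-entropy archive, below the file-count threshold. Unlike the in-line block described above, this check runs on telemetry after the writes have happened, so it complements rather than replaces real-time protection.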
This post shows that traditional AV vendors do respond quickly once a threat is seen in the wild: in this case, around 48 hours after the initial detection many vendors already identified the sample as malicious. However, blocking 0-day threats in real time requires post-infection protection technologies.
Endpoint protection is what enSilo does.