This is the third post in our evasion techniques blog series. Feel free to view the other posts which discussed Sandbox Evasion and Living Off the Land techniques.
Today we’ll discuss how ransomware detects forensic tools and security products. Technically this isn’t an “evasion” technique per se: while your security and forensic tools are busy scanning and monitoring systems for traces of malware, ransomware is scanning the same systems for traces of those tools, so that it can avoid or neutralize them before they stop it.
In our 2021 Minerva report of modules triggered on monitored customer systems, we found that more and more ransomware samples probe the system to see which security and forensic tools are installed. Minerva’s Forensic Detection module was triggered more than 10,000 times in 2021, which shows how widespread this scanning has become. So what does ransomware do if it detects a security or forensic tool? There are a few options.
Ransomware freezes when it thinks it’s being surveilled
- Usually the first thing ransomware does when it detects an “unfriendly” security solution is halt all activity, because its primary goal at that stage is to avoid detection; otherwise it risks getting caught and its presence will be short-lived. More importantly, the ransomware authors know that once the sample is detected it will be fingerprinted if it hasn’t been already: a hash will be generated from the suspicious binary (in this case, the ransomware file itself), and that hash will be used to identify other instances of the same malware wherever it is encountered again.
- The ransomware may attempt to disable the detected security or forensic tool. In one proof-of-concept (PoC), security researcher Roberto Franceschetti demonstrated how a threat actor with elevated privileges could run a script to disable certain antivirus products by rebooting the infected device into safe mode and renaming the targeted antivirus product’s application directory before the product itself could launch.
- The ransomware may attack a component of the tool that renders it useless. For an antivirus, that may be its signature database: the set of definitions (hashes and other patterns of known malware) against which files are compared. Without it, the antivirus, assuming it can still run at all, cannot detect malware by signature-based scanning.
If the ransomware fails at the second or third option, it usually refrains from executing and stays dormant, for the reasons listed under the first.
How Minerva Prevents Ransomware from performing Forensic Detection
Unfortunately for ransomware, this technique is ineffective against Minerva. Minerva’s anti-ransomware simulation layer sits between the operating system (OS) and running processes, controls what those processes can see, and intercepts the queries they send out. If a process asks whether ESET, Avira or any other security or forensic tool is running on the system, Minerva answers ‘yes’ even when the tool isn’t really there. And because the reported process isn’t actually running, the ransomware can’t terminate it: every subsequent query gets the same answer, so the ransomware is forced to remain in its dormant state indefinitely. In the meantime, Minerva, knowing that legitimate processes normally don’t query for security tools, treats the querying process as malicious and handles it accordingly.
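To make both sides of this concrete, here is a toy model, added for this post and not Minerva’s code, of the pre-flight check a sample performs against the process table and of a deception layer that answers it with decoys. It goes slightly beyond the text in one respect: rather than flagging a process on its first lookup, it flags a caller that sweeps for two or more distinct tools, since a single lookup (an installer checking for an AV) can be legitimate. The tool list, the tasklist snapshot, and that threshold are constructed assumptions.

```python
"""Toy model of ransomware probing for security/forensic tools, and of a
deception layer that answers the probe with decoys.

Added illustration for this post; not Minerva's implementation. The tool
list, the tasklist snapshot and the flagging threshold are assumptions.
"""
from typing import Dict, Set

# Image names a sample might sweep for, mapped to the product they belong to.
# Assumed short list for the example; real samples carry far longer ones.
SECURITY_TOOLS: Dict[str, str] = {
    "ekrn.exe": "ESET",
    "avguard.exe": "Avira",
    "msmpeng.exe": "Microsoft Defender",
    "procmon.exe": "Process Monitor",
    "procexp.exe": "Process Explorer",
    "wireshark.exe": "Wireshark",
    "x64dbg.exe": "x64dbg",
}

# Constructed `tasklist`-style snapshot of an endpoint with no tools running.
TASKLIST_OUTPUT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
explorer.exe                  4120 Console                    1     91,404 K
notepad.exe                   6012 Console                    1     12,340 K
"""


def parse_tasklist(text: str) -> Set[str]:
    """Lower-cased image names from tasklist output.

    Uses tasklist's fixed-width layout (image name in the first 25 columns),
    which also copes with names that contain spaces.
    """
    names: Set[str] = set()
    for line in text.splitlines()[2:]:          # skip header and separator rows
        if line.strip():
            names.add(line[:25].strip().lower())
    return names


def find_security_tools(running: Set[str]) -> Dict[str, str]:
    """The check a sample performs: which watched tools are present?"""
    return {img: SECURITY_TOOLS[img] for img in sorted(running) if img in SECURITY_TOOLS}


class ProcessTable:
    """The query surface a process talks to instead of the real OS table.

    With deception on, a query for any watched tool is answered 'running'
    whether or not it is, a termination request against it fails, and a
    caller that asks about `flag_after` distinct tools is flagged. The
    threshold is an assumption: one lookup can be legitimate (an installer
    checking for an AV), a sweep across several tools rarely is.
    """

    def __init__(self, real_processes: Set[str], deception: bool = True,
                 flag_after: int = 2) -> None:
        self.real = {p.lower() for p in real_processes}
        self.deception = deception
        self.flag_after = flag_after
        self.queries: Dict[int, Set[str]] = {}
        self.flagged: Set[int] = set()

    def is_running(self, caller_pid: int, image: str) -> bool:
        image = image.lower()
        if self.deception and image in SECURITY_TOOLS:
            asked = self.queries.setdefault(caller_pid, set())
            asked.add(image)
            if len(asked) >= self.flag_after:
                self.flagged.add(caller_pid)
            return True                          # decoy answer
        return image in self.real

    def terminate(self, caller_pid: int, image: str) -> bool:
        image = image.lower()
        if self.deception and image in SECURITY_TOOLS:
            return False     # decoy has no process to kill; a real tool is shielded
        if image in self.real:                   # toy: unprotected kill succeeds
            self.real.discard(image)
            return True
        return False


def ransomware_precheck(table: ProcessTable, pid: int) -> str:
    """Decision model from the post: sweep for tools, try to kill what is
    found, and stay dormant if any of them survives."""
    present = [img for img in SECURITY_TOOLS if table.is_running(pid, img)]
    if not present:
        return "encrypt"
    survivors = [img for img in present if not table.terminate(pid, img)]
    return "dormant" if survivors else "encrypt"


if __name__ == "__main__":
    host = parse_tasklist(TASKLIST_OUTPUT)
    print("tools visible to the sample:", find_security_tools(host))
    print("no deception:", ransomware_precheck(ProcessTable(host, deception=False), 7777))
    table = ProcessTable(host)
    print("with deception:", ransomware_precheck(table, 7777), "flagged:", sorted(table.flagged))
```

On the constructed snapshot no tool is running, so without the deception layer the sample proceeds to encrypt; with it, every watched tool reports as present, none can be terminated, the sample stays dormant, and the sweeping PID is flagged. A real deployment would need the decoy list to cover what current samples actually look for, which is why the sample’s list and the defender’s list are deliberately the same object here.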
Again, this is just one of several techniques modern ransomware employs to evade detection. But that’s ok. Minerva simulates thousands of these evasion techniques, so as long as Minerva is running on your endpoint, ransomware doesn’t stand a chance to progress in its attack.