If we let Joe Sandbox analyse a recent ransomware sample (MD5: 3e99fab7f175eb8bf283b1e883c714c9) we get the following report artifacts:
As you can see, the malware injected code into the trusted processes explorer.exe and svchost.exe. From inside svchost.exe it then created an autostart key. The screenshots captured by Joe Sandbox show what happened next:
Windows provides desktop objects (created with CreateDesktop and entered with SwitchDesktop), and the malware abuses exactly this functionality. It creates a new desktop called "MyDesktop", later switches to it and displays an overlay window that pressures the victim into paying a ransom. Since Windows offers no default hot-key to return to the original desktop, operating the computer becomes tedious, which makes the extra desktop a very effective scheme for locking the user out.
One might try to detect ransomware by flagging code that creates or switches desktops. On its own, however, that produces false positives, since legitimate virtual desktop tools (e.g. VirtuaWin) use the same APIs. A more robust and generic approach is to look at key properties of the window shown to the victim, such as its display text (e.g. "blocked", "copyright", "violation").
One way to do that is to enumerate all windows, controls and dialogs and query their text. Malware can easily defeat this by drawing the text itself with custom controls or a GUI framework such as Qt, where the text is not exposed through the standard window messages. A much better approach is OCR (optical character recognition) on the captured screenshots, which does not care how the text was rendered. We used that idea to develop a cool signature:
- Collected over 400 screenshots of different kinds and versions of ransomware (very good sources are https://www.botnets.fr/index.php/Accueil and http://bka-trojaner.de/)
- Fed the screenshots to GOCR (http://jocr.sourceforge.net/)
- Statistically analyzed the recognized words, i.e. counted in how many of the screenshots each word appears, to find the terms that show up most consistently across ransomware families
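The statistical step above, as an added example that is not part of the original post or of Joe Sandbox: the OCR texts below are constructed stand-ins for GOCR output (including a typical "l"/"1" confusion), and the scoring (document frequency among ransomware screenshots minus document frequency among harmless screenshots) is one reasonable way to rank candidate keywords, not necessarily the one the authors used.

```python
import re
from collections import Counter

# Constructed OCR output standing in for the text GOCR extracted from a few
# ransomware lock screens and a few harmless screenshots (not real corpus data).
# "b1ocked" mimics a typical OCR confusion of "l" and "1".
RANSOM_OCR = [
    "Your computer has been blocked due to violation of copyright law. Pay 100 EUR with Ukash or Paysafecard",
    "ATTENTION! Your PC is b1ocked. To unlock pay a fine of 100 euro using paysafecard or Ukash within 48 hours",
    "Police: illegal activity detected. The computer has been blocked. Pay fine via Ukash / PaySafeCard",
    "Violation of copyright and related rights. Computer blocked. Enter paysafecard code to unlock",
]
BENIGN_OCR = [
    "Windows Update is installing updates. Do not turn off your computer",
    "Document1 - Microsoft Word File Edit View Insert Format",
    "Welcome to the setup wizard. Click Next to continue. Copyright 2012",
    "Your download is complete. Open file or close this window",
]

WORD_RE = re.compile(r"[a-z]{4,}")  # drop short tokens; most OCR junk is short
STOPWORDS = {"been", "your", "this", "that", "with", "from", "have", "will", "into"}


def tokens(text):
    """Distinct lower-case words of one screenshot. A set, so each word counts
    at most once per screenshot: we want document frequency, not term frequency."""
    return {w for w in WORD_RE.findall(text.lower()) if w not in STOPWORDS}


def doc_freq(docs):
    """Fraction of screenshots in which each word occurs."""
    counts = Counter()
    for d in docs:
        counts.update(tokens(d))
    return {w: n / len(docs) for w, n in counts.items()}


def rank_keywords(ransom_docs, benign_docs, min_ransom_df=0.5):
    """Words seen in at least min_ransom_df of the ransomware screenshots,
    scored by how much more often they appear there than in benign ones.
    Returns (word, score) pairs, best candidates first."""
    r, b = doc_freq(ransom_docs), doc_freq(benign_docs)
    scored = {w: r[w] - b.get(w, 0.0) for w in r if r[w] >= min_ransom_df}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for word, score in rank_keywords(RANSOM_OCR, BENIGN_OCR):
        print(f"{word:12s} {score:+.2f}")
```

On this toy corpus "paysafecard", "blocked" and "ukash" come out on top, while generic words such as "computer" or "copyright" are pulled down because they also occur on ordinary Windows screens. Note that the OCR error "b1ocked" silently costs "blocked" one hit, which is why terms that OCR reads reliably (brand names in particular) make the most robust signature keywords.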
Finally we tested the signature:
To detect ransomware we combine the behavioural indicators with the OCR result in the following logical formula:
If "creates an autostart key" and "creates a new desktop" and "shows paysafecard and ukash on the screen" => ransomware
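The formula above, evaluated over a report, as an added example that is not part of the original post or of Joe Sandbox: the report structure and the behaviour tag names (`creates_autostart_key`, `creates_desktop`, ...) are assumptions made for this example, not Joe Sandbox's real field or signature names, and the screenshot texts are constructed. The second report mimics a VirtuaWin-like tool to show that creating and switching desktops alone does not trigger the signature.

```python
import re

# Constructed, simplified stand-in for the behaviour section of a sandbox
# report: a set of behaviour tags plus the OCR text of every screenshot.
# The tag names are assumptions for this example, not Joe Sandbox's own.
RANSOMWARE_REPORT = {
    "behaviors": {"injects_code", "creates_autostart_key", "creates_desktop", "switches_desktop"},
    "screenshot_ocr": [
        "Recycle Bin  My Computer",  # captured before the lock screen appeared
        "Your computer has been b1ocked! Pay 100 EUR via UKASH or Pay safe card to unlock",
    ],
}

# A desktop-switching tool such as VirtuaWin also creates and switches desktops,
# but neither persists via an autostart key nor shows a ransom note.
VIRTUAWIN_LIKE_REPORT = {
    "behaviors": {"creates_desktop", "switches_desktop"},
    "screenshot_ocr": ["VirtuaWin - desktop 2 of 4"],
}


def normalize(text):
    """Fold case and strip everything but letters so OCR variants such as
    'PaySafeCard' and 'Pay safe card' compare equal."""
    return re.sub(r"[^a-z]", "", text.lower())


def shows_all(report, words):
    """True if some single screenshot shows every one of the words
    ("on the screen" in the formula means one screen, not the union)."""
    wanted = [normalize(w) for w in words]
    return any(all(w in normalize(shot) for w in wanted)
               for shot in report["screenshot_ocr"])


def has_behaviors(report, tags):
    return set(tags) <= report["behaviors"]


def is_ransomware(report):
    """The signature from the post: autostart key AND new desktop AND
    'paysafecard' and 'ukash' visible on the screen."""
    return (has_behaviors(report, ["creates_autostart_key", "creates_desktop"])
            and shows_all(report, ["paysafecard", "ukash"]))


if __name__ == "__main__":
    print("sample:", is_ransomware(RANSOMWARE_REPORT))          # True
    print("virtuawin:", is_ransomware(VIRTUAWIN_LIKE_REPORT))   # False
```

Two caveats a practitioner should keep in mind: stripping spaces before matching means a keyword can in principle match across a word boundary, which is acceptable for distinctive brand names but not for short generic words, and OCR noise is not repaired here, so the misread "b1ocked" would not match a keyword "blocked"; the conjunction with the two behavioural conditions is what keeps either effect from producing false positives on its own.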
OCR output is included in all Joe Sandbox 7.4.0 reports. The complete Joe Sandbox report for this sample can be found here: Joe Sandbox Analysis Report