Published in CyCraft

The Road to Ransomware Resilience, Part 2: Behavior Analysis

Understanding Active and Emerging Threats & Developing a More Effective Novel Response

Ransomware Behavior Trends

Fig. 2 — Ransomware Analyzed

Trigger Analysis

Environment Check

Fig. 3 — WastedLocker Environment Check

Atomic Execution Check

Fig. 4 — WastedLocker Atomic Execution Check
Fig. 5 — Ransomware Trigger Behavior

Idiosyncratic Checks

Evasion and Obfuscation Techniques

Conti Ransomware: API Unhooking

Fig. 6 — Conti Ransomware API Unhooking

Conti Ransomware: String Obfuscation

Fig. 7 — Conti Ransomware String Obfuscation

Prometheus Ransomware: GetString

Fig. 8 — Prometheus Ransomware GetString Obfuscation
Fig. 9 — Prometheus Ransomware GetString Function Revealed
Fig. 10 — Prometheus Ransomware with Multiple GetString Functions
Fig. 11 — Prometheus Ransomware GetString Function Simplicity
Fig. 12 — Prometheus Ransomware CreateGetStringDelegate Function

Ransomware Encryption Schemes

Fig. 13 — Ransomware Encryption Schemes
Fig. 14 — Conti Ransomware’s use of ChaCha8
Fig. 15 — Prometheus Ransomware’s use of SALSA20

Encryption Optimization

The Long and Winding Road

Everything Starts From Security

Engage with CyCraft

Additional Resources

  • Learn more about cybersecurity in our CyCraft Classroom Series. Our latest article, “What is Managed Detection and Response (MDR)?” teaches the benefits of MDR, its unique selling points, and how to make better-informed decisions when choosing an MDR service or vendor.
  • Out of the 47 Representative AI Startups listed in Gartner’s AI Market Guide, 7 are based in Taiwan, and 5 are based in Hong Kong. But only 1 of the 47 Representative AI Startups focused on cybersecurity products and services — CyCraft.
  • Read our latest white paper to learn what threat actors target Taiwan, their motivations & how Taiwan organizations retain resilience against some of the most sophisticated and aggressive cyber attacks in the world.
  • Is your SOC prepared for the next decade of cyber attacks? Read our latest report on building effective SOCs in the 2020s, the challenges to overcome, and the stressors to avoid — includes research from Gartner, Inc. on why Midsize enterprises are embracing MDR providers.
  • New to the MITRE Engenuity ATT&CK Evaluations? START HERE for a fast, accurate, simple, thorough introductory guide to understanding the results.
  • Our CyCraft AIR security platform achieved a 96.15% Signal-to-Noise Ratio with zero configuration changes and zero delayed detections straight out of the box.

CyCraft Technology Corp

CyCraft automates SOC ops for the Fortune Global 500, national govs, & SMEs with MDR, IR, & threat hunting solutions. Learn more at CyCraft.com