Real-time Ransomware Defense System through Windows-based User-level File Event Monitoring
This code implements a system for detecting ransomware behavior and providing recovery mechanisms by hooking two critical Windows API functions: `ZwOpenFile` and `CreateFileW`. These functions are commonly used for file creation and access, making them suitable targets for monitoring ransomware activity. Below is an analysis of the ransomware detection logic and the recovery process:
- Hooking Mechanism:
  - The code uses the Detours library to attach hooks to `ZwOpenFile` and `CreateFileW` in `ntdll.dll` and `kernel32.dll`.
  - The hooks redirect calls to these functions through `Hooked_ZwOpenFile` and `Hooked_CreateFileW`, where custom logic is applied.
- File Activity Monitoring:
  - Both hooks capture information about file access and creation requests, such as:
    - File path
    - Desired access rights
    - Other metadata
  - The file path is normalized by resolving relative paths to full paths and removing the `\??\` prefix.
- Pattern Detection:
  - The code maintains a global map `remaining_map` to track substrings (differences) between file paths accessed consecutively.
  - The `extract_remaining` function identifies unique substrings of file paths. If a pattern appears frequently (at least three times), it indicates potential ransomware behavior.
- Triggering a Response:
  - When suspicious behavior is detected (a repeating pattern of file modifications), the hooks are removed to prevent further tampering.
  - A warning is logged, and backup files are restored to mitigate the damage.
- File Backup:
  - The code creates backups of files being accessed or modified.
  - Backups are stored in a temporary directory (`C:\temp\`) with the same name as the original file. The file copy operation is logged.
- File Restoration:
  - Upon detecting suspicious activity, the code iterates through the list of backup files.
  - Each backup file is copied back to its original location, effectively undoing the ransomware's changes.
  - Restoration success or failure is logged for each file.
- Process Termination:
  - After restoring files, the process is terminated using `ExitProcess(0)`. This acts as a safeguard to prevent further damage from the ransomware.
- `InstallHook` and `RemoveHook`:
  - Manage the attachment and detachment of hooks for `ZwOpenFile` and `CreateFileW`.
- `Hooked_ZwOpenFile` and `Hooked_CreateFileW`:
  - Monitor file operations, log details, and check for ransomware patterns.
  - Back up files before allowing operations to proceed.
- `detect_ransomware`:
  - Tracks and detects recurring file path patterns to identify ransomware-like behavior.
  - Initiates recovery if suspicious patterns are detected.
- `extract_remaining`:
  - Analyzes two file paths and extracts the substring representing the difference, which could indicate incremental file modifications (a common ransomware behavior).
- `RemovePrefix` and `ResolveFullPath`:
  - Normalize file paths to ensure consistency in pattern detection and backup operations.
- Monitoring Strategy: Hooks into critical file I/O functions to capture real-time file activity.
- Detection Logic: Identifies repeated patterns of file modifications, a hallmark of ransomware.
- Recovery Mechanism: Automatically backs up files before modification and restores them upon detecting suspicious activity.
- Process Termination: Stops the program to prevent further ransomware actions.
This approach provides a robust mechanism for detecting and mitigating ransomware attacks, although it is tailored for a controlled testing environment and may require additional refinement for real-world deployment.
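As an added illustration (not the repository's own code), here is the consecutive-path difference check described under Pattern Detection, written in portable C so the logic can be exercised outside Windows and without the hooks. It assumes `extract_remaining` means the suffix that one path adds to the previous one, models `remaining_map` as a small fixed table, and uses a constructed sequence of paths in which each document is reopened under an added extension.

```c
#include <stdio.h>
#include <string.h>
#define MAX_PATTERNS 16
#define THRESHOLD 3   /* README: a difference seen at least three times is suspicious */
/* Hypothetical stand-in for the README's global remaining_map: pattern -> count. */
static char patterns[MAX_PATTERNS][64];
static int counts[MAX_PATTERNS];
static int npatterns = 0;
void reset_patterns(void) { npatterns = 0; }
/* Drop the NT object-manager prefix "\??\" so both hooks yield comparable paths. */
const char *remove_prefix(const char *path) {
    return strncmp(path, "\\??\\", 4) == 0 ? path + 4 : path;
}
/* Difference between consecutive paths, taken here as the suffix `cur` adds to
   `prev` (e.g. an appended extension); NULL when `cur` is not `prev` plus more. */
const char *extract_remaining(const char *prev, const char *cur) {
    size_t lp = strlen(prev);
    return (strncmp(prev, cur, lp) == 0 && cur[lp] != '\0') ? cur + lp : NULL;
}
/* Count one observed difference; returns its total so far (0 if the table is full). */
int record_pattern(const char *rem) {
    for (int i = 0; i < npatterns; i++)
        if (strcmp(patterns[i], rem) == 0) return ++counts[i];
    if (npatterns == MAX_PATTERNS) return 0;
    snprintf(patterns[npatterns], sizeof patterns[0], "%s", rem);
    counts[npatterns] = 1;
    return counts[npatterns++];
}
/* Feed paths in the order the hooks saw them; 1 once any difference hits THRESHOLD. */
int detect_ransomware(const char *const paths[], int n) {
    for (int i = 1; i < n; i++) {
        const char *rem = extract_remaining(remove_prefix(paths[i - 1]),
                                            remove_prefix(paths[i]));
        if (rem != NULL && record_pattern(rem) >= THRESHOLD) return 1;
    }
    return 0;
}
/* Constructed sample: three documents, each reopened under an added extension. */
int run_sample(void) {
    const char *const seq[] = {
        "\\??\\C:\\docs\\a.txt", "\\??\\C:\\docs\\a.txt.bbawasted",
        "C:\\docs\\b.txt",       "C:\\docs\\b.txt.bbawasted",
        "C:\\docs\\c.txt",       "C:\\docs\\c.txt.bbawasted" };
    reset_patterns();
    return detect_ransomware(seq, 6);
}
int main(void) { printf("suspicious: %d\n", run_sample()); return 0; }
```

The third `.bbawasted` difference pushes the count to the threshold, which is the point at which the hooks would remove themselves, log the warning and start restoring from `C:\temp\`.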
According to the link above, the ransomware renames the original binary through the `MoveFileW` API, adding the `.bbawasted` extension.
So we created a simple PoC ransomware based on that content (`/code/case1_ransomeware_test`). You can hook the code through DLL injection to identify ransomware behavior and extensions, and even recover the files. The PoC video is attached below.