
I have a question about how ransomware works.

According to the authors of this paper: https://www.cise.ufl.edu/~traynor/papers/scaife-icdcs16.pdf (pages 2-3), class C is: ransomware reads the original file, then creates a new, independent file containing the encrypted contents and deletes or overwrites (via a move) the original file. This class uses two independent access streams to read and write the data.

Could someone explain this a bit more? Because what I'm wondering is: ransomware opens the original file, then creates a new independent file (okay, so far so good), then copies the unencrypted content from the original file into the new file(?), encrypts it (so it encrypts the content of the new file) and overwrites or deletes the original file?

Or does it encrypt the content of the original file, copy the encrypted content to the new file and then delete the original file?

It seems to be quite similar to scenario 3 of this file (page 6): https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_kharraz.pdf

And one more general question: Is it possible to encrypt a file without opening it? So without creating an IRP_Read or IRP_Create?

Thank you very much.

1 Answer


The first paper says:

deletes or overwrites (via a move) the original file

"deletes" - this is clear, scenario 2 in the second paper.

"overwrites (via a move)" - this is not described in the second paper.

"overwrites (via a move)" depends on the file system:

  • If both files are in the same storage volume, then many file systems just assign a pointer to the contents of the new file. This scenario is not described in the second paper.
  • If the files are on different storage volumes, then such optimization is impossible. Usually the source file is read from one volume and written to a temporary file on the target volume. This is not described in the second paper. Then the temporary file is on the same volume as the target file, and the pointer is changed from the old one to the new one, like in the first case. This is not described in the second paper.

Is it possible to encrypt a file without opening it?

No. Encryption is a process of data transformation: You read data and apply some transformations according to the chosen algorithm. If you don't read data, there is nothing to transform.

mentallurg
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/141798/discussion-on-answer-by-mentallurg-how-does-ransomware-encrypt-files). – schroeder Jan 05 '23 at 09:07
  • @mentallurg, I can't post anything in the chat anymore. But one more question (I can't really find sources on the internet on this particular question, or probably I'm not searching well/not using the right search terms). But if you intercepted e.g. an IRP_MJ_READ packet, how can you read the actual content of the file? Or if you have e.g. an IRP_MJ_WRITE and in the pre-operation process you intercept the IRP_MJ_WRITE packet, can you somehow, by examining the packet, see what the written content is? For example, with procmon? Thank you for your help. – Pieter Jansen Jan 20 '23 at 21:03
  • I think I can look at the buffer cache – Pieter Jansen Jan 20 '23 at 22:07
  • @mentallurg Is it correct if I state that the metadata is stored in the buffer (memory) and the content in the cache (memory), also on disk of course, but the CPU is not directly interacting with disk – Pieter Jansen Jan 20 '23 at 22:28
  • @PieterJansen: 1) Security SE is a site about information security, not about programming. I'd suggest you ask programming questions at [SO](https://stackoverflow.com/). – mentallurg Jan 21 '23 at 08:14
  • @PieterJansen: 2) Why don't you implement a simple prototype of what you want? This would answer most of your questions. – mentallurg Jan 21 '23 at 08:15
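To make the "two independent access streams" of class C and the answer's "overwrite via a move" case concrete from the monitoring side, here is an added example that is not from either paper or from the posters: a small Python classifier run over a constructed, procmon-style trace of IRP events. The trace layout, detail strings, pids and paths are assumptions made for the example.

```python
"""Flag the class C access pattern quoted in the question: one stream reads
the original file, a second stream writes a new, independent file, then the
original is deleted or replaced by a move. The event tuples below are
constructed for this example (procmon-like, not real tool output)."""
from collections import defaultdict

RENAME, DELETE = "Rename: ", "Disposition: Delete"

# Constructed trace: (pid, IRP major function, path, detail)
TRACE = [
    # pid 4242: read X, write X.locked, delete X            -> class C
    (4242, "IRP_MJ_CREATE", r"C:\docs\report.docx", "open"),
    (4242, "IRP_MJ_READ", r"C:\docs\report.docx", "len=65536"),
    (4242, "IRP_MJ_CREATE", r"C:\docs\report.docx.locked", "create"),
    (4242, "IRP_MJ_WRITE", r"C:\docs\report.docx.locked", "len=65552"),
    (4242, "IRP_MJ_SET_INFORMATION", r"C:\docs\report.docx", DELETE),
    # pid 5150: read X, write temp, move temp over X         -> class C ("overwrite via a move")
    (5150, "IRP_MJ_READ", r"D:\share\budget.xlsx", "len=4096"),
    (5150, "IRP_MJ_WRITE", r"D:\share\~tmp0001", "len=4112"),
    (5150, "IRP_MJ_SET_INFORMATION", r"D:\share\~tmp0001", RENAME + r"D:\share\budget.xlsx"),
    # pid 7001: editor reading and writing the same file, then a backup rename -> not class C
    (7001, "IRP_MJ_READ", r"C:\docs\notes.txt", "len=1024"),
    (7001, "IRP_MJ_WRITE", r"C:\docs\notes.txt", "len=1100"),
    (7001, "IRP_MJ_SET_INFORMATION", r"C:\docs\notes.txt", RENAME + r"C:\docs\notes.bak"),
]

def classify(trace):
    """Return {pid: [original paths]} for processes whose trace matches class C."""
    per_pid = defaultdict(lambda: {"read": set(), "written": set(), "gone": set()})
    for pid, op, path, detail in trace:
        s = per_pid[pid]
        if op == "IRP_MJ_READ":
            s["read"].add(path)
        elif op == "IRP_MJ_WRITE":
            s["written"].add(path)
        elif op == "IRP_MJ_SET_INFORMATION":
            if detail.startswith(DELETE):
                s["gone"].add(path)                   # original deleted outright
            elif detail.startswith(RENAME):
                s["gone"].add(path)                   # source name no longer holds the old data
                s["gone"].add(detail[len(RENAME):])   # target's old contents replaced (move)
    hits = {}
    for pid, s in per_pid.items():
        # original: read, never written through its own stream, then removed or replaced,
        # while the same process wrote some other file (the second, independent stream)
        originals = sorted(p for p in s["read"] & s["gone"]
                           if p not in s["written"] and s["written"] - {p})
        if originals:
            hits[pid] = originals
    return hits

if __name__ == "__main__":
    for pid, paths in classify(TRACE).items():
        print(f"pid {pid}: class C pattern on {paths}")
```

A benign editor that saves to a temporary file and renames it over the original produces the same trace as pid 5150, so this I/O pattern on its own is an indicator to correlate with other signals, not a verdict.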