UnderByte — A Ransomware experiment using Alternate Data Streams (ADS)

Repository purpose: this research evaluates the feasibility of using Alternate Data Streams (ADS) to stage and conduct ransomware-esque behaviors, and examines how well common endpoint controls detect or block those behaviors. This repo is explicitly not intended to provide operational guidance, tools, or techniques for malicious use.

Important: This project contains conceptual research only. Please don't be a goon and use it for some illicit affairs. I didn't even code in a decryptor. You won't be doing anyone any favors.

Summary

This research explores how ADS can be used to stage and execute a ransomware attack on a host and how those behaviors may appear in host telemetry. The primary questions driving the work were:

  1. what are the observable signals associated with ADS read/write activity when used for ransomware,
  2. how reliably do common endpoint controls detect or block suspicious stream usage, and
  3. which telemetry correlations (process, parent, file target, timestamps) are most useful for triage.

High-level takeaways:

  • Legitimate ADS usage is uncommon for many applications and generic files; a rapid burst of ADS creation across many files, particularly with non-descriptive or nonsensical stream names, is therefore a good indicator of illicit behavior.
  • Simple file-system-only monitoring yields many false positives; combining process lineage, command line, and stream-targeted heuristics improves signal-to-noise.
  • Most consumer-grade and some commercial-grade endpoint protection and AV products did not flag the creation of an ADS on user files. Despite the heavy use of the OS's cryptography libraries, the activity was not flagged as malicious. The commercial-grade alerts that did fire were likely caused by modifications of canary files, which could be easily avoided.
  • Alerting and prevention from security products, in-kernel and out, mostly occurred during the tool's overwriting stage of the main data stream, but only when the overwriting was conducted in a manner beyond human input capability, i.e. with no sleep pattern implemented. Even then it only occurred after many files were already encrypted; in testing this number fluctuated between roughly 20 and 100 files.
  • To be effective, ransomware needs to encrypt only user-maintained files. Touching application- or OS-level files is damaging but presents more opportunities for discovery. Focusing detections on these user-writable locations could help reduce noise and avoid overburdening the SIEM with alerts.
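As an added example (not code from the UnderByte repository), the following Python turns the takeaways above into triage logic over constructed Sysmon-style stream-creation events: it ignores allowlisted streams, scores stream names by entropy, restricts itself to user-maintained paths, and alerts on a burst of distinct files per process while carrying parent lineage. All paths, process names, the allowlist and the thresholds are assumptions for illustration.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BENIGN_STREAMS = {"Zone.Identifier", "SmartScreen"}  # streams Windows itself writes routinely
def shannon_entropy(s):
    """Bits per character of s; random-looking stream names score high."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def is_suspicious_stream(target):
    """target is Sysmon-style 'path:stream'; flag nonsensical stream names on user-maintained files."""
    path, sep, stream = target.rpartition(":")
    low = path.lower()  # user-maintained: under the profile directory, excluding per-app state in AppData
    if not sep or "\\" in stream or not low.startswith("c:\\users\\") or "\\appdata\\" in low:
        return False
    return stream not in BENIGN_STREAMS and len(stream) >= 6 and shannon_entropy(stream) >= 2.5

def detect_ads_bursts(events, min_files=5, window=timedelta(seconds=60)):
    """One alert per process that stamps >= min_files distinct user files inside `window`."""
    by_pid = defaultdict(list)
    for ev in events:
        if is_suspicious_stream(ev["TargetFilename"]):
            ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
            by_pid[ev["ProcessId"]].append((ts, ev))
    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda x: x[0])
        recent = []  # sliding window of (timestamp, event) for this process
        for ts, ev in evs:
            recent = [(t, e) for t, e in recent if ts - t <= window] + [(ts, ev)]
            files = {e["TargetFilename"].rpartition(":")[0] for _, e in recent}
            if len(files) >= min_files:  # lineage fields ride along for triage
                alerts.append({"ProcessId": pid, "Image": ev["Image"], "ParentImage": ev["ParentImage"],
                               "distinct_files": len(files), "first": recent[0][0], "last": ts})
                break
    return alerts

# Constructed sample telemetry modelled on Sysmon Event ID 15 (FileCreateStreamHash); all values made up.
def _ev(sec, pid, image, parent, target):
    return {"UtcTime": f"2024-01-01 10:00:{sec:02d}.000", "ProcessId": pid,
            "Image": image, "ParentImage": parent, "TargetFilename": target}
SAMPLE_EVENTS = [  # explorer tagging a download with Zone.Identifier: benign, never counted
    _ev(1, 1000, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe",
        r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier"),
] + [  # hypothetical unsigned 'ub.exe' stamping random stream names on five documents in five seconds
    _ev(5 + i, 4242, r"C:\Users\alice\AppData\Local\Temp\ub.exe", r"C:\Windows\explorer.exe",
        rf"C:\Users\alice\Documents\{name}:{stream}")
    for i, (name, stream) in enumerate([("report.docx", "q7zx1p9k"), ("budget.xlsx", "m3kd8vwa"),
        ("notes.txt", "x9ptr2hq"), ("photo.jpg", "bz41nlk7"), ("thesis.pdf", "rw8s0ykc")])
]
```

Widening `window` or lowering `min_files` trades the throttled-activity blind spot noted above against false positives from legitimate bulk stream writers, so tune both against a baseline of your own hosts.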
