A while back 2sec4u posted a poll asking if people considered open source ransomware helpful to detection and prevention, with 46% voting yes. Although the poll wasn’t limited to people working in the antimalware industry, 46% is scarily high.

Trying to prove a point, help me out Twitter. Is open source ransomware helping improve ransomware detection/prevention, or making it worse? — 2sec4u (@2sec4u) September 25, 2016

For a while I’ve been collecting a list of arguments used to justify the posting of open source ransomware (some convincing and some hilariously stupid), which I’m going to evaluate in this article.

The antivirus industry needs to do more to stop ransomware

This isn’t really an argument, more a statement; however, it is one of the most commonly used excuses for people posting open source ransomware that I’ve seen. The problem is that open source ransomware is repeatedly used by criminals who would otherwise lack the capabilities of making their own: it’s essentially like being outraged that the police aren’t doing enough to combat gang violence, so giving guns to all the gangs (even the ones who don’t currently have any). There’s some misconception here that everyone in the AV industry is sat around on their hands like a bunch of politicians debating climate change (“maybe the ransomware will solve itself”, “there’s no conclusive proof that ransomware exists, files have been being encrypted for millions of years”), it’s simply not the case. All of the antivirus vendors are painfully aware that ransomware is now an epidemic with it likely now accounting for the majority of all first world malware infections.

People don’t seem to realise ransomware is not an anomaly when it comes to functionality, it uses feature like: encryption (SSL, PGP, EFS, bitlocker) and file I/O (every software ever). Detecting ransomware is not about detecting file encryption or mass file modification, it’s about differentiating between legitimate and malicious software, which as it happens is very tricky and there are a lot of edge cases. Not only is there no silver bullet for AVs to stop ransomware (pretty much any idea you can come up with, a malware developer will be able to pick apart in less than 30 seconds), but ransomware is constantly evolving. It’s not like we face the same malware today that we faced in the 80s and antivirus experts have just been sat around smoking weed the whole time, malware is constantly evolving to outmanoeuvre antivirus/anti-malware measure and has been for many decades.

If we look at security measures implemented in the past 16 years to combat rootkits, we’ve got:

Driver signature enforcement (DSE) – disables the loading of unsigned kernel drivers

Kernel Patch Protection (KPP) – stops modification to certain kernel areas used by rootkits to hide

Secure Boot – prevents rootkits modifying the bootloader to bypass KPP and DSE.

The above are the reason we very rarely see kernel rootkits for more modern Windows operating systems; but ransomware doesn’t need to modify code in ring 0, it doesn’t need to modify the bootloader, nor does it need to persist in the kernel. Since file encryption based ransomware became popular (only in the past few years), proactive defense is essentially back at square one, in fact half of the reason why ransomware is so popular is because it’s not stopped by existing anti-malware defences which have been hardened for decades. Assuming an antivirus vendor was to come up with a technology which stopped 100% of all ransomware, what’s to stop someone writing ransomware which enters the kernel and and does direct disk I/O to bypass the filesystem filter? Due to the fact ransomware only needs to operate in the kernel long enough to encrypt files, KPP and SecureBoot are useless, all that’s needed is a DSE bypass (which is very easy on pre Windows 10 platform). The only reason we don’t see kernel mode ransomware is because currently there’s enough people without antiviruses to make even the most basic ransomware profitable and such time investments non-worthwhile; but, as anti-ransomware spreads and evolves, ransomware will evolve too. It’s also important to also note that a lot of the ransomware infections are home users who are not running antiviruses, so ensuring more of them get infected with ransomware because you believe antiviruses are ineffective is a pretty stupid gameplan.

Open source ransomware will help improve defense

This is an understandable misconception for people outside of the antivirus industry: it’s easy to assume that being able to see the code for something would make it easier to stop, except it doesn’t. Almost none of the open source ransomware developers are reverse engineers and did not base their code on real world ransomware; instead, it was based on the concept of ransomware alone which is easy to understand (encrypt files, display ransom page), so if they are able to understand ransomware enough to write it, then who needs their code to understand it? hint: not security professional.

Malware is generally written in C or C++, but so far all the open source ransomware I’ve seen was written in PHP, Python, C#, or other high level language (the kind of languages that professional malware developers would get laughed at for using). If you were trying to write heuristic ransomware protection based on libraries used or functions called having studied open source ransomware, you’d be at a loss because open source examples are not remotely similar to the real thing, other than the fact they both encrypt files (if you needed open source code to figure out ransomware encrypts files, then writing antiviruses probably isn’t for you anyway). Furthermore, if you were to base your entire defence on simplistic open-source ransomware, you’d quickly find that families like Locky and Cerber have extra abilities such as code injection into trusted processes and assassinating backups (not present in any open-source examples).

Asides from the fact open-source ransomware is ridiculously simplistic and dissimilar to real ransomware, there’s also the fact that the antimalware industry really doesn’t need the source code to understand things. Antivirus companies hire reverse engineers to disassemble malware executables and write reports on how they work and what they do (my job is mostly malware reverse engineering, so I’m familiar with this). Most malware developers write in C or C++ which is compiled to machine code (a binary representation of ASM), thus someone who is proficient in ASM can open a malicious executable in a dissembler and understand how it works by studying the code (obviously explanation is a bit simplified, but you get the point). The fact that some antivirus companies are offering salaries of $120,000+ for malware reverse engineers (despite the fact there is open-source or leaked code for pretty much every kind of malware ever) would probably suggest that the open sourcing malware isn’t as helpful toward blocking it as people think.

Below I’ve listed some short ransomware reports by reverse engineers, so that you can get an idea of how much more information can be gotten from reverse engineering an actual piece of malware:

https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/

https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/

By releasing open source ransomware you undercut and kill the ransomware selling economy

This is an actual quote by open-source ransomware developer Utku Sen, whose code has been used to cause tens of thousands in damages by low-skill criminals. Just for fun I’ve grabbed a list of just some of the maliciously used ransomware made using his code (from softpedia): 8lock8, Blocatto, Cryptear, Fakben, GhostCrypt, Hi Buddy!, Job Crypter, KryptoLocker, MireWare, PokemonGO, Sanction, Brazilian, DEDCryptor, Fantom, FSociety, Magic, MM Locker, SkidLocker, SNSLocker, Strictor, and Surprise. The not fun part of this is of course that every single one of those pieces of ransomware was used to encrypt at least 1 user’s files, with some (probably most) resulting in the permanent destruction of data.

The quote was absolutely hilarious to me for a couple of reasons:

Stopping people from selling ransomware by giving it away for free doesn’t solve the actual problem which is people having their files encrypted with ransomware, in fact it makes it worse by giving more people access to ransomware (I’d be interested to know if Sen’s solution to stopping oppressive countries from developing nuclear weapons is to just give them ready made ones for free). Ransomware selling was never a big business for one simple reason: it’s far more profitable to use ransomware than to sell it. Almost all of the people with the skills to write ransomware are using it themselves or running affiliate systems, this the sale of ransomware is a total non issue. Having freely available code has never actually adversely affected the malware market. Zeus was the most popular and advanced banking trojan of its time; 5 years after the code was posted publicly there has been more than 20 different banking trojans sold which were almost entirely based on the freely available code, the problem is so bad that some developers even use lines like “not based on Zeus” as a selling point. All that Sen has done is lowered the bar for entry as now anyone who isn’t capable of writing their own ransomware and can’t afford to buy any can have his for free.

Straw Man Arguments

Here’s a list of someone of the straw-man arguments people have made in various twitter threads after ignoring/misunderstanding my own argument.

Stopping whitehats from releasing open-source ransomware won’t stop blackhats from making it.

Having been monitoring the blackhat economy for about 6 years now, it would so happen that I’m well aware blackhats are the one’s who make most of the malware and stopping whitehats from releasing “Proof of Concepts” won’t stop malware from existing. My actual point is that there will always be ransomware available to buy, but whitehats giving it away for free on github just adds fuel to a fire that’s already being fought. Blackhats are in the game for the money, they’re not going to give malware away for free, and I’ve actually not seen any ransomware for sale for less than a few thousand dollars prior to the first open-source ransomware. Releasing ransomware code for free is just lowering the bar for entry to people with no money and no coding skills, all while offering negligible benefit to the security industry.

This is also not some theoretical bullshit I’ve come up with, I actually used to host a repository of leaked malware source codes on my blog, because I believed that if they’re already freely available to blackhats then they should be easily available to whitehats too; What actually happened was a lot of kids on the lower end blackhat forums didn’t actually know where to find these leaked sources, which resulted in the links to my repositories being the ones shared instead of the original leaks. It’s important to realise that most blackhat forums aren’t indexed on google, so no matter how freely available code is on the “underground” posting it on github will result in more criminals having access.

Something something metaspolit

No, just no. Metasploit is not easily weaponizable unless you’re actually familiar with it (i.e. not a scriptkiddie), if you instructed most actual script-kiddies to set up metasploit and infect a few hundred PCs with malware, they had no idea where to start; yet, I’ve seen people who can’t program and have no understand of ransomware set up open-source code with ease. Let’s not forget that the Metasploit Project provides a huge amount of value to security experts whereas open-source ransomware does not.

Open-source ransomware helps highlight the issue of ransomware

We’ve had ransomware going around for years, there was Reveton, followed by CryptoLocker, followed by CryptoWall, followed by Locky, followed by Cerber; all of these campaigns are incredibly high profile and rake in hundreds of millions of dollars in ransoms each a year. Saying that some open-source ransomware code used by scriptkiddies to attack computers without AVs “highlights the issue”, is like saying that the candle someone lit during an inter-state forest fire is what attracted the fire brigade’s attention, not the giant fucking fire.

Now please, let’s stop giving free ransomware to script-kiddies.