To be effective, ransomware must use strong encryption, and strong encryption in turn requires a good source of random numbers. Lacking access to true randomness, ransomware relies on the pseudorandom number generators (PRNGs) that modern operating systems expose to applications. Building on this insight, we propose a strategy to mitigate ransomware attacks that treats the PRNG functions as critical resources, controls access to their APIs and stops unauthorized applications that call them. Tested against 524 active real-world ransomware samples, our strategy stops 94% of them, including WannaCry, Locky, CryptoLocker and CryptoWall. Remarkably, it also neutralizes NotPetya, the latest offspring of the family, which so far has eluded all defenses.
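The following is an added illustration, not code from the paper: a small reference monitor that models the strategy the abstract describes, treating every request for PRNG output as an access-controlled operation. The caller identity (image path plus a signature-verified flag), the allowlist policy, and the simulated encryptor are all assumptions made for the example; on Windows the real interception points would be the CryptoAPI/CNG entry points such as CryptGenRandom and BCryptGenRandom, and the caller's identity and signature status would come from the hooking layer and the platform's signature verification rather than from a constructor argument.

```python
"""Access control on the OS pseudorandom number generator (PRNG) API.

Added example modelling the abstract's strategy; not the paper's own code.
The Caller fields, the allowlist policy and the simulated encryptor are
constructed for illustration.
"""
import os
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Tuple

# Real Windows PRNG entry points a deployment would guard. Which of them the
# paper hooks is not stated in the abstract; the tuple is only used in messages.
GUARDED_APIS = ("CryptGenRandom", "BCryptGenRandom", "RtlGenRandom")


@dataclass(frozen=True)
class Caller:
    """Identity of the process requesting randomness (assumed fields)."""
    image_path: str        # full path of the calling executable
    signature_valid: bool  # code signature verified by the platform (assumption)


class RandomnessDenied(PermissionError):
    """Raised when the monitor refuses to serve a PRNG request."""


@dataclass
class RandomnessMonitor:
    """Mediates every request for PRNG output.

    Policy (assumed): a caller receives random bytes only if its image is on
    the allowlist and its signature verified. Every other request is refused
    and logged, which is the point at which an unauthorized encryptor stops.
    """
    allowlist: FrozenSet[str]
    log: List[Tuple[str, str, int]] = field(default_factory=list)

    @staticmethod
    def normalize(path: str) -> str:
        # Windows paths are case-insensitive; compare in one canonical form.
        return path.replace("/", "\\").lower()

    def is_authorized(self, caller: Caller) -> bool:
        return caller.signature_valid and self.normalize(caller.image_path) in self.allowlist

    def gen_random(self, caller: Caller, nbytes: int) -> bytes:
        if nbytes <= 0:
            raise ValueError("nbytes must be positive")
        if not self.is_authorized(caller):
            self.log.append(("DENY", caller.image_path, nbytes))
            raise RandomnessDenied(
                f"{caller.image_path} is not allowed to call {', '.join(GUARDED_APIS)}")
        self.log.append(("ALLOW", caller.image_path, nbytes))
        return os.urandom(nbytes)  # stands in for the OS CSPRNG behind the API


def build_monitor(trusted_images: Iterable[str]) -> RandomnessMonitor:
    """Build a monitor whose allowlist holds the given (normalized) image paths."""
    norm = RandomnessMonitor.normalize
    return RandomnessMonitor(allowlist=frozenset(norm(p) for p in trusted_images))


def simulated_encryptor(monitor: RandomnessMonitor, caller: Caller) -> bool:
    """First step of a file encryptor: fetch a fresh 256-bit key and 128-bit IV
    from the OS PRNG. Returns True only if both requests were served."""
    try:
        key = monitor.gen_random(caller, 32)
        iv = monitor.gen_random(caller, 16)
    except RandomnessDenied:
        return False
    return len(key) == 32 and len(iv) == 16


if __name__ == "__main__":
    # Constructed allowlist and callers; paths are illustrative only.
    mon = build_monitor([r"C:\Program Files\Acme Backup\backup.exe"])
    backup = Caller(r"C:\Program Files\Acme Backup\backup.exe", signature_valid=True)
    dropper = Caller(r"C:\Users\victim\AppData\Local\Temp\invoice.exe", signature_valid=False)
    print("backup tool obtained key:", simulated_encryptor(mon, backup))
    print("unsigned dropper obtained key:", simulated_encryptor(mon, dropper))
    for entry in mon.log:
        print(entry)
```

The monitor only demonstrates the policy decision; it says nothing about how the interception is implemented or how robust it is against a sample that brings its own entropy source, which the abstract does not claim to address.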
Research centre:
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Applied Security and Information Assurance Group (APSIA)
Disciplines:
Computer science
Author, co-author:
GENÇ, Ziya Alper ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
LENZINI, Gabriele ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
RYAN, Peter ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
External co-authors:
no
Document language:
English
Title:
No Random, No Ransom: A Key to Stop Cryptographic Ransomware
Publication date:
2018
Event name:
15th Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2018)
Event organizer:
CEA Télécom SudParis
Event location:
Saclay, France
Event date:
28-29 June 2018
Event scope:
International
Title of the main work:
Proceedings of the 15th Conference on Detection of Intrusions and Malware, and Vulnerability Assessment