To achieve its goals, ransomware needs to employ strong encryption, which in turn requires access to high-grade encryption keys. Over the evolution of ransomware, various techniques have been observed to accomplish the latter. Understanding the advantages and disadvantages of each method is essential to developing robust defense strategies. In this paper we explain the techniques used by ransomware to derive encryption keys and analyze the security of each approach. We argue that recovery of data might be possible if the ransomware cannot access high-entropy randomness sources. As evidence to support our theoretical results, we provide a decryptor program for a previously undefeated ransomware.
Research centre:
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Applied Security and Information Assurance Group (APSIA)
Disciplines:
Computer science
Author, co-author:
GENÇ, Ziya Alper ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
LENZINI, Gabriele ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
RYAN, Peter ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
External co-authors:
no
Document language:
English
Title:
Security Analysis of Key Acquiring Strategies Used by Cryptographic Ransomware
Publication date:
2018
Event name:
Central European Cybersecurity Conference
Event date:
15–16 November 2018
Event scope:
International
Title of the main work:
Advances in Cybersecurity 2018
Peer reviewed:
Peer reviewed
Focus area:
Security, Reliability and Trust
FNR project:
FNR12536861 - No more Cryptographic Ransomware - NoCry, 2018 (15/05/2018-14/09/2018) - Gabriele LENZINI