
eCrime - A Key-Management-Based Taxonomy for Ransomware

https://www.amirootyet.com/

Ransomware encrypts user files making management of the encryption key(s) critical to its success. Developing a better understanding of key management in ransomware is a necessary prerequisite to finding weaknesses that can be exploited for defensive purposes. We describe the evolution of key management as ransomware has matured and examine key management in 25 samples. Based on that analysis, we introduce a ransomware taxonomy that is analogous to hurricane ratings: a Category 5 ransomware is more virulent from a cryptographic standpoint than a Category 3. In our analysis of samples in light of the taxonomy, we observed that poor cryptographic models appear as recently as 2018.

Pranshu Bajpai

May 15, 2018

Transcript

  1. A Key-Management-Based Taxonomy for Ransomware
     Pranshu Bajpai, Aditya K Sood, Richard Enbody
     May 15, 2018, APWG 13th Symposium on Electronic Crime Research
  2. Agenda: 1. Introduction 2. Key Management 3. Categorization 4. Observations and Conclusion
  3. Introduction

  4. About us
     Pranshu Bajpai, PhD candidate at Michigan State University
     http://cse.msu.edu/~bajpaipr/  https://twitter.com/amirootyet
     Aditya K Sood, Security practitioner
     http://adityaksood.secniche.org/
     Richard Enbody, Associate Professor, Computer Science and Engineering, Michigan State University
     http://www.cse.msu.edu/~enbody/
  5. The problem of ransomware
     • Ransomware continues to find victims: 90% of businesses have fewer than 90 employees
     • Backups work in theory but are missing, partial, or infrequent in practice
     • Lack of regular updates, general due diligence, poor passwords for remote services ...
     • Assuming ransomware will find a way in: what can be done post-infiltration?
  6. Key Management

  7. Why focus on key management? Key management is crucial to a cryptoviral extortion:
     • Attacker needs exclusive access to the decryption key
     • Key management is complex and attackers frequently make errors
     • Ransomware will always find victims; flaws in key management imply we can reverse encryption without paying ransom
  8. Evolution of key management
     • No encryption, no key
     • Key in user domain
       1. Key on host machine
     • Key in attacker domain
       1. Key on a command and control (C&C) server: single encryption
       2. Decryption essentials on C&C server: hybrid encryption
  9. Common hybrid cryptosystem in ransomware
     • Ransomware compromises host
     • Generates symmetric encryption key
     • Encrypts symmetric key with a hard-coded asymmetric key
     • Provides attacker a copy of encrypted symmetric key
     • Encrypts user data using the symmetric key
     • Destroys symmetric key on host
     • Displays ransom note
  10. Categorization

  11. Need for a taxonomy? (slides 11 to 16 build up this list one bullet at a time)
     • Not all ransomware are the same: vast differences based on design, operation and implementation
     • Lack of a system that indicates current risk associated with a ransomware variant
     • Need for a methodology to study growth of sophistication in modern ransomware
     • Victims more likely to give in to intimidation if they cannot comprehend the actual risk
     • Need for a community-powered resource that the general public can query when infected
     • How much time and effort would/does it take to reverse the encryption without paying the ransom?
  17. The six categories of ransomware virulence (diagram: "Ransomware Cryptosystem" branching into Category 1 through Category 6)
  18. The six categories. Category 1: Fakers
     • No actual encryption (fake scareware)
     • Demanded ransom before encryption
  19. The six categories. Category 2: Failures
     • Decryption essentials extracted from binary
     • Derived encryption key predicted
     • Same key used for each infection instance
     • Encryption circumvented (decryption possible without key)
     • File restoration possible using Shadow Volume Copies
  20. The six categories. Category 3: Imitators
     • Key recovered from file system or memory
     • Due diligence prevented ransomware from acquiring key
     • Click-and-run decrypter exists
     • Kill switch exists outside of attacker's control
  21. The six categories. Category 4: Followers
     • Decryption key recovered from a C&C server or network communications
     • Custom encryption algorithm used
  22. The six categories. Category 5: Challengers
     • Decryption key recovered under specialized lab setting
     • Small subset of files left unencrypted
  23. The six categories. Category 6: Leaders
     • Encryption model is seemingly flawless
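The six category definitions above read naturally as a triage checklist: record which weaknesses an analyst has actually confirmed for a sample, and the rating follows. The script below is an added example (not the authors' tool and not published with the talk) that encodes the slide criteria as tags and rates a sample. The rule it applies, that a sample takes the lowest-numbered category any of its confirmed weaknesses qualifies for (because the weakest link is the recovery avenue a defender can use), is this example's assumption rather than a statement from the slides; the tag names are also this example's own.

```python
"""Rate a ransomware sample's cryptographic virulence from confirmed
key-management weaknesses.  Added example, not the authors' tool.

Assumption (not stated on the slides): the sample takes the LOWEST category
that any confirmed weakness qualifies for, because that weakest link is what
lets files be recovered without paying."""

# Weakness tag -> category it indicates.  Criteria are transcribed from the
# six-category slides; the tag names themselves are this example's own.
CRITERIA = {
    # Category 1: Fakers
    "no_real_encryption": 1,
    "ransom_demanded_before_encryption": 1,
    # Category 2: Failures
    "decryption_essentials_in_binary": 2,
    "derived_key_predictable": 2,
    "same_key_every_infection": 2,
    "encryption_circumvented": 2,
    "shadow_copies_usable": 2,
    # Category 3: Imitators
    "key_left_in_filesystem_or_memory": 3,
    "key_acquisition_blocked_by_due_diligence": 3,
    "click_and_run_decrypter": 3,
    "external_kill_switch": 3,
    # Category 4: Followers
    "key_recovered_from_c2_or_network": 4,
    "custom_encryption_algorithm": 4,
    # Category 5: Challengers
    "key_recovered_in_specialized_lab": 5,
    "subset_of_files_unencrypted": 5,
}

NAMES = {1: "Fakers", 2: "Failures", 3: "Imitators", 4: "Followers",
         5: "Challengers", 6: "Leaders"}


def categorize(weaknesses):
    """Return (category, name, evidence) for a set of confirmed weakness tags.

    No confirmed weakness means Category 6 (Leaders).  Otherwise the lowest
    applicable category wins, and `evidence` lists the tags that put the
    sample there, so the analyst can see which recovery avenue the rating
    rests on."""
    unknown = set(weaknesses) - CRITERIA.keys()
    if unknown:
        raise ValueError("unknown weakness tags: %s" % sorted(unknown))
    if not weaknesses:
        return 6, NAMES[6], []
    cat = min(CRITERIA[w] for w in weaknesses)
    evidence = sorted(w for w in weaknesses if CRITERIA[w] == cat)
    return cat, NAMES[cat], evidence


# Constructed evidence sets: this example's reading of the reasoning given
# for some Table 1 samples, not data published with the talk.
TABLE_1_EVIDENCE = {
    "Nemucod": {"ransom_demanded_before_encryption"},
    "AIDS": {"decryption_essentials_in_binary"},
    "DirCrypt": {"same_key_every_infection"},
    "Linux.Encoder.1": {"derived_key_predictable"},
    "WannaCry": {"external_kill_switch"},
    "CryptoDefense": {"key_left_in_filesystem_or_memory"},
    "CryptoWall": {"key_acquisition_blocked_by_due_diligence"},
    "GPCoder": {"custom_encryption_algorithm"},
    "PowerWare": {"key_recovered_from_c2_or_network"},
    "Cerber": set(),
}


def rate_table():
    """Category number per sample, for comparison against Table 1."""
    return {name: categorize(tags)[0] for name, tags in TABLE_1_EVIDENCE.items()}


if __name__ == "__main__":
    for name, cat in rate_table().items():
        print("%-16s Category %d (%s)" % (name, cat, NAMES[cat]))
    # Weakest link: a custom cipher (Category 4) that also leaves Shadow
    # Volume Copies usable (Category 2) is rated Category 2.
    print(categorize({"custom_encryption_algorithm", "shadow_copies_usable"}))
```

The `evidence` list matters in practice: a Category 2 rating justified by "shadow copies usable" tells the victim to try restoration first, whereas the same rating justified by "decryption essentials in binary" points at a reversing task, so the rating alone is less useful than the rating plus the tag that produced it.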
  24. Categorization (Table 1: Subset of classified ransomware)

     Ransomware         | Year | Category   | Reasoning
     -------------------|------|------------|------------------------------------------------------
     Nemucod            | 2016 | Category 1 | Displays ransom note before actual encryption
     AIDS               | 1989 | Category 2 | Decryption key extracted from ransomware code
     DirCrypt           | 2014 | Category 2 | Used same RC4 keystream for multiple files
     Linux.Encoder.1    | 2015 | Category 2 | Timestamp for key generation used for decryption
     WannaCry           | 2017 | Category 3 | Global killswitch renders ransomware ineffective
     CryptoDefense      | 2014 | Category 3 | Decryption key not securely deleted on host
     CryptoWall         | 2014 | Category 3 | Ineffective if it cannot reach the C&C server
     GPCoder            | 2005 | Category 4 | Weak custom encryption algorithm
     PowerWare          | 2016 | Category 4 | Decryption key extracted from communication with C&C
     Cerber             | 2016 | Category 6 | No known weakness exists in the ransomware
     NotPetya/GoldenEye | 2017 | Category 6 | No known weakness exists in the ransomware
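The DirCrypt row in Table 1 ("same RC4 keystream for multiple files") and the Category 2 criterion "same key used for each infection instance" both describe the same failure: a stream cipher keystream reused across files is a many-time pad, and one file whose contents the victim still knows (a license text, a standard header, a document held elsewhere) gives back the keystream for every other file up to that length. The script below is an added example that shows the recovery a defender performs in that situation; it is not DirCrypt's code or the authors' code, and the toy RC4, the demo key and the three files are all constructed for the illustration.

```python
"""Recovery from keystream reuse (a Category 2 failure).  Added example, not
DirCrypt's code: a toy RC4 encrypts three constructed files with the same
keystream; the keystream is recovered from one file with known contents and
used to decrypt the others, in full or in part depending on length."""


def rc4_keystream(key, length):
    """Toy RC4 (KSA + PRGA).  Deterministic, so two calls with the same key
    return the same keystream prefix: that is exactly the flaw modelled."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def flawed_encrypt(key, files):
    """Models the flaw: one keystream (same key, no per-file nonce) for every file."""
    return {name: xor_bytes(data, rc4_keystream(key, len(data)))
            for name, data in files.items()}


def recover_keystream(ciphertext, known_plaintext):
    """Keystream = C xor P wherever P is known (known-plaintext recovery)."""
    return xor_bytes(ciphertext, known_plaintext)


def decrypt_with_keystream(ciphertext, keystream):
    """Recover as many bytes as the keystream covers; return (bytes, count).
    A file longer than the known one is only partially recovered."""
    n = min(len(ciphertext), len(keystream))
    return xor_bytes(ciphertext[:n], keystream[:n]), n


# Constructed scenario (not real samples): a demo key, a file whose pristine
# copy the victim still has, a short private file, and a longer private file.
DEMO_KEY = b"constructed-demo-key"
KNOWN_FILE = (b"MIT License\n\nPermission is hereby granted, free of charge, to any person "
              b"obtaining a copy of this software and associated documentation files.\n")
SECRET_FILE = b"Board minutes (constructed): acquisition of ExampleCo approved on 2018-05-15."
LONG_FILE = SECRET_FILE * 3   # longer than KNOWN_FILE, so only a prefix comes back


def demo():
    """Encrypt the three files with the flawed scheme, then recover."""
    enc = flawed_encrypt(DEMO_KEY, {"LICENSE": KNOWN_FILE,
                                    "minutes.txt": SECRET_FILE,
                                    "long.txt": LONG_FILE})
    ks = recover_keystream(enc["LICENSE"], KNOWN_FILE)
    minutes, n_minutes = decrypt_with_keystream(enc["minutes.txt"], ks)
    long_prefix, n_long = decrypt_with_keystream(enc["long.txt"], ks)
    return {
        "minutes": minutes,
        "minutes_complete": n_minutes == len(SECRET_FILE),
        "long_prefix": long_prefix,
        "long_recovered_bytes": n_long,
    }


if __name__ == "__main__":
    r = demo()
    print("minutes.txt recovered completely:", r["minutes_complete"])
    print("long.txt: %d of %d bytes recovered" % (r["long_recovered_bytes"], len(LONG_FILE)))
```

The partial result for the longer file is the practical caveat: known plaintext only yields keystream up to the length of the known file, so the longest file with a known pristine copy is the most valuable one to locate. A correctly designed stream cipher deployment would use a fresh key or nonce per file, which is why this weakness is specific to Category 2 and not to the hybrid model on slide 9.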
  25. Observations and Conclusion

  26. Observations: weak variants continue to appear as late as 2018
  27. Conclusion
     • We assume ransomware has infiltrated the host. What can we do from here?
     • Empirical analysis suggests that many vulnerabilities lie in the key management of these ransomware
     • Ransomware developers continually introduce design, operation, and implementation flaws
     • A classification system based on key management helps us effectively differentiate between levels of severity inherent in ransomware variants
     • It would be interesting to observe whether ransomware variants belonging to the same malware family stay in the same category over time
  28. Questions: @amirootyet