eCrime - A Key-Management-Based Taxonomy for Ransomware

Transcript

1. A Key-Management-Based Taxonomy for Ransomware Pranshu Bajpai, Aditya K Sood,

   Richard Enbody May 15, 2018 APWG 13th Symposium on Electronic Crime Research

2. Agenda 1. Introduction 2. Key Management 3. Categorization 4. Observations

   and Conclusion 1

3. Introduction

4. About us Pranshu Bajpai PhD candidate at Michigan State University

    http://cse.msu.edu/~bajpaipr/  https://twitter.com/amirootyet Aditya K Sood Security practitioner  http://adityaksood.secniche.org/ Richard Enbody Associate Professor, Computer Science and Engineering, Michigan State University  http://www.cse.msu.edu/~enbody/ 2

5. The problem of ransomware • Ransomware continue to find victims

   — 90% of businesses have less than 90 employees • Backups work in theory but are missing, partial, or infrequent in practice • Lack of regular updates, general due diligence, poor passwords for remote services ... • Assuming ransomware will find a way in — what can be done post-infiltration? 3

6. Key Management

7. Why focus on key management? Key management is crucial to

   a cryptoviral extortion: • Attacker needs exclusive access to the decryption key • Key management is complex and attackers frequently make errors • Ransomware will always find victims — flaws in key management imply we can reverse encryption without paying ransom 4

8. Evolution of key management • No encryption, no key •

   Key in user domain 1. Key on host machine • Key in attacker domain 1. Key on a command and control, C&C, server—single encryption 2. Decryption essentials on C&C server—hybrid encryption 5

9. Common hybrid cryptosystem in ransomware • Ransomware compromises host •

   Generates symmetric encryption key • Encrypts symmetric key with a hard-coded asymmetric key • Provides attacker a copy of encrypted symmetric key • Encrypts user data using the symmetric key • Destroys symmetric key on host • Displays ransom note 6

10. Categorization

11. Need for a taxonomy? • Not all ransomware are the

    same — vast differences based on design, operation and implementation 7

12. Need for a taxonomy? • Not all ransomware are the

    same — vast differences based on design, operation and implementation • Lack of a system that indicates current risk associated with a ransomware variant 7

13. Need for a taxonomy? • Not all ransomware are the

    same — vast differences based on design, operation and implementation • Lack of a system that indicates current risk associated with a ransomware variant • Need for a methodology to study growth of sophistication in modern ransomware 7

14. Need for a taxonomy? • Not all ransomware are the

    same — vast differences based on design, operation and implementation • Lack of a system that indicates current risk associated with a ransomware variant • Need for a methodology to study growth of sophistication in modern ransomware • Victims more likely to give into intimidation if they cannot comprehend the actual risk 7

15. Need for a taxonomy? • Not all ransomware are the

    same — vast differences based on design, operation and implementation • Lack of a system that indicates current risk associated with a ransomware variant • Need for a methodology to study growth of sophistication in modern ransomware • Victims more likely to give into intimidation if they cannot comprehend the actual risk • Need for a community-powered resource that general public can query when infected 7

16. Need for a taxonomy? • Not all ransomware are the

    same — vast differences based on design, operation and implementation • Lack of a system that indicates current risk associated with a ransomware variant • Need for a methodology to study growth of sophistication in modern ransomware • Victims more likely to give into intimidation if they cannot comprehend the actual risk • Need for a community-powered resource that general public can query when infected • How much time and effort would/does it take to reverse the encryption without paying the ransom? 7

17. The six categories of ransomware virulence Ransomware Cryptosystem Category 5

    Category 6 Category 1 Category 2 Category 3 Category 4 8

18. The six categories Category 1: Fakers • No actual encryption

    (fake scareware) • Demanded ransom before encryption 9

19. The six categories Category 2: Failures • Decryption essentials extracted

    from binary • Derived encryption key predicted • Same key used for each infection instance • Encryption circumvented (decryption possible without key) • File restoration possible using Shadow Volume Copies 9

20. The six categories Category 3: Imitators • Key recovered from

    file system or memory • Due diligence prevented ransomware from acquiring key • Click-and-run decrypter exists • Kill switch exists outside of attacker’s control 9

21. The six categories Category 4: Followers • Decryption key recovered

    from a C&C server or network communications • Custom encryption algorithm used 9

22. The six categories Category 5: Challengers • Decryption key recovered

    under specialized lab setting • Small subset of files left unencrypted 9

23. The six categories Category 6: Leaders • Encryption model is

    seemingly flawless 9

24. Categorization Ransomware Year Category Reasoning Nemucod 2016 Category 1 Displays

    ransom note before actual encryption AIDS 1989 Category 2 Decryption key extracted from ransomware code DirCrypt 2014 Category 2 Used same RC4 keystream for multiple files Linux.Encoder.1 2015 Category 2 Timestamp for key generation used for decryption WannaCry 2017 Category 3 Global killswitch renders ransomware ineffective CryptoDefense 2014 Category 3 Decryption key not securely deleted on host CryptoWall 2014 Category 3 Ineffective if it cannot reach the C&C server GPCoder 2005 Category 4 Weak custom encryption algorithm PowerWare 2016 Category 4 Decryption key extracted from communication with C&C Cerber 2016 Category 6 No known weakness exists in the ransomware NotPetya/GoldenEye 2017 Category 6 No known weakness exists in the ransomware Table 1: Subset of classified ransomware 10

25. Observations and Conclusion

26. Observations Weak variants continue to appear as late as 2018

    11

27. Conclusion • We assume ransomware has infiltrated host. What can

    we do from here? • Empirical analysis suggests that many vulnerabilities lie in the key management in these ransomware • Ransomware developers continually introduce design, operation, implementation flaws • Classification system based on key management helps us effectively differentiate between levels of severity inherent in ransomware variants • Interesting to observe if ransomware variants belonging to same malware family stay in the same category over time 12

28. Questions  Questions  @amirootyet 13