GrrCon - Crypto Gone Rogue

Transcript

1. Crypto Gone Rogue A Tale of Ransomware, Key Management, and

   the CryptoAPI -Pranshu Bajpai, Richard Enbody

2. 2 1. Introduction 2. Key Management 3. Implementation Details 4.

   Understanding the CryptoAPI Functions 5. Ransomware Pseudo Code 6. Conclusion Agenda

3. 1. Introduction -About us -The problem of ransomware 3

4. About Us 4 Pranshu Bajpai @amirootyet ▪ PhD candidate at

   Michigan State University ▪ Previously worked as an independent penetration tester ▪ Active speaker at security conferences: DEFCON, GrrCon, ToorCon, BSides, APWG eCrime... ▪ https://www.linkedin.com/in/pranshubajpai ▪ http://www.cse.msu.edu/~bajpaipr/ Richard Enbody ▪ Associate Professor at Michigan State University ▪ Books: Targeted Cyber Attacks, The Practice of Computing using Python ▪ http://www.cse.msu.edu/~enbody/

5. 5 Ransomware Alive and Kicking!

6. Necessary Elements of a Ransomware 6 Infiltrate Acquire encryption secret

   (key) Encrypt Demand ransom Ransomware

7. 2. Key Management -Why key management? -Evolution of key management

   7

8. Why Key Management? Key management is crucial to ransomware operation:

   8 ▪ Attacker needs exclusive access to the decryption key ▪ Key management is complex and attackers frequently make errors ▪ Ransomware will always find victims – flaws in key management imply we can recover files without paying the ransom

9. Evolution of Key Management ▪ Hybrid encryption ▪ A Key-Management-Based

   Taxonomy for Ransomware – Pranshu Bajpai, Aditya K Sood, Richard Enbody https://ieeexplore.ieee.org/document/8376213/ 9

10. 3. Implementation Details -How is key management implemented by ransomware?

    10

11. The Windows CryptoAPI, CSPs, and CNG CryptoAPI ▪ Microsoft’s Cryptographic

    API (CAPI) ▪ Maliciously used by ransomware ▪ Provides cryptographic services to userland applications ▪ Cryptographic primitives are buried in DLLs and divided among CSPs ▪ Provides abstraction to programmers CSPs ▪ Cryptographic Service Providers ▪ Each CSP offers cryptographic primitives ▪ Responsible for actually implementing the CAPI ▪ CAPI is just a bridge between application and CSP – CSP is the crux of cryptographic functionality ▪ Must be signed by Microsoft CNG ▪ Cryptography API: Next Generation ▪ Started with Windows Vista ▪ Replacement for CryptoAPI 11

12. Ransomware and the CryptoAPI 12

13. Why Use the Native CryptoAPI? Ransomware developers: 13 ▪ Make

    design, implementation, and operation errors ▪ Frequently engage in cargo-cult programming ▪ Often end up creating ineffective ransomware that is actually scareware

14. 4. Understanding the CryptoAPI functions -CryptAcquireContext -CryptGenKey -CryptEncrypt … 14

15. Place your screenshot here NotPetya Ransomware 15

16. NotPetya Ransom Message 16

17. List of Imports 17

18. List of Imports 18

19. CryptoAPI Calls 19

20. CryptAcquire Context 20

21. CryptAcquire Context ▪ Acquires handle to a key container within

    a CSP ▪ Returned handle use to make calls to selected CSP 21 // Get a handle to the default PROV_RSA_FULL provider if(!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL, 0)) { printf("Error %x during CryptAcquireContext!\n", GetLastError()); return; }

22. CryptGenKey 22

23. CryptGenKey ▪ Generates a random symmetric key or a public-

    private key pair ▪ Handle is returned to the key/key-pair 23 if(CryptGenKey( hCryptProv, ENCRYPT_ALGORITHM, KEYLENGTH | CRYPT_EXPORTABLE, &hKey)) { printf("A key has been created.\n"); } else { printf("Error during CryptGenKey.\n"); exit(1); }

24. CryptEncrypt CryptDecrypt 24

25. CryptEncrypt CryptDecrypt ▪ Encrypt and decrypt data 25 ▪ Handle

    to the key to use for encryption and decryption ▪ Key determines the encryption and decryption algorithm deployed

26. CryptImportKey 26

27. CryptImportKey 27

28. CryptImportKey ▪ Transfers a key from a key blob to

    a CSP 28 if(CryptImportKey( hProv, pbKeyBlob, dwBlobLen, 0, 0, &hPubKey)) { printf("The key has been imported.\n"); }

29. CryptExportKey 29

30. CryptExportKey ▪ Securely transfers a key from CSP 30 if(CryptExportKey(

    hKey, NULL, dwBlobType, 0, NULL, &dwBlobLength)) //Allocate memory for public key blob if(CryptExportKey( hKey, NULL, dwBlobType, 0, *ppbKeyBlob, &dwBlobLength)) // Actual exporting into key blob

31. CryptDestroy Key 31

32. CryptDestroyKey ▪ Releases the handle to the key parameter ▪

    Invalidates key and ensures it cannot be used again 32 BOOL CryptDestroyKey( HCRYPTKEY hKey );

33. CryptRelease Context 33

34. CryptRelease Context ▪ Releases the handle to the CSP 34

    BOOL CryptReleaseContext( HCRYPTPROV hProv, DWORD dwFlags );

35. 5. Ransomware Pseudo Code -Pseudo code pertaining to a generic

    modern ransomware 35

36. Ransomware Design 36 void thread_encrypt() { // main calling function

    ... HCRYPTKEY symKey; // handle to key HCRYPTPROV hProv = [...]; // handle to CSP symKey = generateKey(hProv); // call to key generation function encryptData(hProv, symKey); // call to file encryption procedure cleanup(symKey); // clean up procedure CryptDestroyKey(symKey); // destroy key in memory CryptReleaseContext(hProv, 0); // release handle to CSP } HCRYPTKEY generateKey(hProv) { HCRYPTKEY symmKey; // handle to key CryptGenKey(hProv, CALG_AES_128, 1u, &symmKey); // generate AES-128 key DWORD mode = CRYPT_MODE_CBC; // use CBC cipher mode CryptSetKeyParam(symmKey, KP_MODE, &mode, 0); DWORD padData = PKCS5_PADDING; // PKCS 5 padding method CryptSetKeyParam(symmKey, KP_PADDING, &padData, 0); // set the padding mode return symmKey; // return generated key } void encryptData(hProv, symKey) { for each file type F: // search for specific file types cryptFile(hProv, symKey); // locate and encrypt files } void cleanup(hProv, symKey) { HCRYPTKEY asymPubKey = getasymPubKey(hProv): //acquire RSA public key void* symKeyEncryptb64 = exportKey(symKey, asymPubKey); //encrypt and encode AES key //...write ransomnote.txt... //...write base64 encoded encrypted AES key... //... LocalFree(symKeyEncryptb64); //free allocated memory }

37. 6. Conclusion -Final notes 37

38. Conclusion ▪ Assume ransomware has infiltrated host. What can we

    do from here? ▪ Empirical analysis suggests that many vulnerabilities lie in the key management in these ransomware ▪ Ransomware developers continually introduce design, operation, and implementation flaws ▪ Understanding key management allows us to quickly attack flaws in ransomware to recover files 38

39. Thank you! 39 Questions @amirootyet