Memory Forensics Against Ransomware

Transcript

1. Memory Forensics Against Ransomware Pranshu Bajpai and Richard Enbody Michigan

   State University IEEE Cyber Security 2020 June 17th, 2020

2. Richard Enbody ▪ Associate Professor, Michigan State University 2 Pranshu

   Bajpai ▪ Security Researcher, PhD, Michigan State University ▪ Security Architect, Motorola Solutions* *Disclaimer: views expressed are our own and not necessarily those of our employers

3. Introduction ▪ The growing menace of ransomware ▪ Hybrid encryption

   model and key management ▪ Standard encryption algorithms and APIs ▪ The NIST cybersecurity framework ▪ The 6 categories of ransomware virulence 3

4. Killchain in Modern Ransomware Identifying constraints on all modern cryptographic

   ransomware 4 Cn Condition C1 Infiltration C2 Execution C3 Preparation C4 Enumeration C5 Encryption C6 Protection C7 Extraction C8 Restoration

5. Hybrid cryptosystem ▪ Utilize the existing CryptoAPI on the host

   ▪ Generate unique symmetric encryption key(s) ▪ Traverse directories and locate files-of-interest ▪ Encrypt files with the symmetric key(s) ▪ Encrypt the symmetric key(s) with the embedded public key ▪ Display ransom note 5

6. 6 Fig: Symmetric Key Schedule Fig: Asymmetric Key in Memory

7. 7 Fig: System Architecture

8. 8 Fig: Decryption of a JPEG Image Fig: Key Exposure

   Durations

9. Decrypting real- world Ransomware 9 Ransomware Algorithm(s) LockCrypt2.0 AES-256+RSA eCh0raix

   AES-256+RSA CryptoRoger AES-256 WannaCry AES-256+RSA AdamLocker AES-256 Alphabet AES-256+RSA Alphalocker AES-256+RSA CryptoRansomware AES-256 BlackRuby AES-256+RSA

10. Summary Primary insight Cryptographic keys are exposed by ransomware during

    the process of encryption Main technical challenge The volatility of physical memory limits the window of key extraction Existing solutions Focused primarily on the prevention and detection of ransomware Methodology Recognizing encryption key structures in memory for key extraction during encryption Results Decryption of data encrypted by real-world ransomware Future work Testing against a larger set of multi-key ransomware strains Experimenting with different trigger conditions Mapping extracted keys to encrypted files 10

11. Conclusion Response and Recovery More research efforts are needed in

    the recovery phase against ransomware Backups are not always sufficient Layered Defense Defense-in-depth is the only true solution against ransomware Prevention, detection, and recovery are all required elements of defense Scalable solutions Proposed solutions are more effective when not dependent on platform, language, APIs etc. 11

12. Thank you! Any questions? ▪ Twitter: @amirootyet ▪ www.amirootyet.com 12