Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Memory Forensics Against Ransomware

Pranshu Bajpai
June 15, 2020
Research
0
260

Memory Forensics Against Ransomware

https://www.amirootyet.com/

Ransomware leverages the unique knowledge of the cryptographic secrets, such as an encryption key, for ransom extraction. Therefore, acquiring the decryption key via exploitation of weak cryptographic implementations or side-channel attacks allows data restoration without the requirement of ransom payment. In this paper, we examine the effectiveness of physical memory forensics against ransomware to recover raw symmetric and asymmetric keys and demonstrate file decryption against several real-world ransomware. Furthermore, we deploy our own virulent ransomware that are equipped with an effective hybrid cryptosystem to explore the limits of such memory-based side-channel attacks on ransomware. Our results indicate that cryptographic keys can be discovered during encryption in the ransomware process memory for durations long enough to facilitate complete data recovery.

Pranshu Bajpai

June 15, 2020
Tweet

More Decks by Pranshu Bajpai

See All by Pranshu Bajpai
How They Hacked Your DevOps - Risk Mitigation in Development Environments
amirootyet
0
160
Towards Effective Identification and Rating of Automotive Vulnerabilities
amirootyet
0
310
Ransomware Targeting Automobiles
amirootyet
0
280
An Empirical Study of Key Generation in Cryptographic Ransomware
amirootyet
0
200
CascadiaJS - Raiders of the Javascript-based Malware
amirootyet
0
120
ToorCon XX: Ransomware versus Cryptojacking
amirootyet
0
120
GrrCon - Crypto Gone Rogue
amirootyet
0
190
Defcon - Deploying TBATS Machine Learning Algorithm to Detect Security Events
amirootyet
0
150
BSides - Hipster Ransomware
amirootyet
0
100

Other Decks in Research

See All in Research
CSC590 Lecture 01
javiergs
PRO
0
130
第12回全日本コンピュータビジョン勉強会:画像の自己教師あり学習における大規模データセット
naok615
0
510
Scaling Rectified Flow Transformers for High-Resolution Image Synthesis / Stable Diffusion 3
shunk031
0
440
3D Human Mesh Estimationについていくつかまとめてみた / Survey about 3D Human Mesh Estimation
nttcom
0
190
音場再現技術の統一的枠組みと知覚的精度向上
skoyamalab
1
220
My Journey as a UX Researcher
aranciap
0
1.1k
NeurIPS-23 参加報告 + DPO 解説
akifumi_wachi
4
1.4k
People Driven Transformation / 人が起点の、社会の変え方
dmattsun
0
150
AIを前提とした体験の実現に向けて/toward_ai_based_experiences
monochromegane
1
230
2024-01-23-az
sofievl
1
730
Alexander Mielke Hellinger--Kantorovich (a.k.a. Wasserstein-Fisher-Rao) Spaces and Gradient Flows
jjzhu
3
180
10-ot-generic-bio.pdf
gpeyre
0
120

Featured

See All Featured
Imperfection Machines: The Place of Print at Facebook
scottboms
258
12k
Building Flexible Design Systems
yeseniaperezcruz
318
37k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
356
22k
Building Applications with DynamoDB
mza
88
5.6k
VelocityConf: Rendering Performance Case Studies
addyosmani
320
23k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
658
120k
Automating Front-end Workflow
addyosmani
1355
200k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
Designing the Hi-DPI Web
ddemaree
276
33k
Writing Fast Ruby
sferik
620
60k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k

Transcript

  1. Memory Forensics Against Ransomware Pranshu Bajpai and Richard Enbody Michigan

    State University IEEE Cyber Security 2020 June 17th, 2020

  2. Richard Enbody ▪ Associate Professor, Michigan State University 2 Pranshu

    Bajpai ▪ Security Researcher, PhD, Michigan State University ▪ Security Architect, Motorola Solutions* *Disclaimer: views expressed are our own and not necessarily those of our employers

  3. Introduction ▪ The growing menace of ransomware ▪ Hybrid encryption

    model and key management ▪ Standard encryption algorithms and APIs ▪ The NIST cybersecurity framework ▪ The 6 categories of ransomware virulence 3

  4. Killchain in Modern Ransomware Identifying constraints on all modern cryptographic

    ransomware 4 Cn Condition C1 Infiltration C2 Execution C3 Preparation C4 Enumeration C5 Encryption C6 Protection C7 Extraction C8 Restoration

  5. Hybrid cryptosystem ▪ Utilize the existing CryptoAPI on the host

    ▪ Generate unique symmetric encryption key(s) ▪ Traverse directories and locate files-of-interest ▪ Encrypt files with the symmetric key(s) ▪ Encrypt the symmetric key(s) with the embedded public key ▪ Display ransom note 5

  6. 6 Fig: Symmetric Key Schedule Fig: Asymmetric Key in Memory

  7. 7 Fig: System Architecture

  8. 8 Fig: Decryption of a JPEG Image Fig: Key Exposure

    Durations

  9. Decrypting real- world Ransomware 9 Ransomware Algorithm(s) LockCrypt2.0 AES-256+RSA eCh0raix

    AES-256+RSA CryptoRoger AES-256 WannaCry AES-256+RSA AdamLocker AES-256 Alphabet AES-256+RSA Alphalocker AES-256+RSA CryptoRansomware AES-256 BlackRuby AES-256+RSA

  10. Summary Primary insight Cryptographic keys are exposed by ransomware during

    the process of encryption Main technical challenge The volatility of physical memory limits the window of key extraction Existing solutions Focused primarily on the prevention and detection of ransomware Methodology Recognizing encryption key structures in memory for key extraction during encryption Results Decryption of data encrypted by real-world ransomware Future work Testing against a larger set of multi-key ransomware strains Experimenting with different trigger conditions Mapping extracted keys to encrypted files 10

  11. Conclusion Response and Recovery More research efforts are needed in

    the recovery phase against ransomware Backups are not always sufficient Layered Defense Defense-in-depth is the only true solution against ransomware Prevention, detection, and recovery are all required elements of defense Scalable solutions Proposed solutions are more effective when not dependent on platform, language, APIs etc. 11

  12. Thank you! Any questions? ▪ Twitter: @amirootyet ▪ www.amirootyet.com 12