
Memory Forensics Against Ransomware

Ransomware extorts payment by holding unique knowledge of cryptographic secrets, such as an encryption key. Acquiring the decryption key, whether by exploiting a weak cryptographic implementation or through a side-channel attack, therefore allows data to be restored without paying the ransom. In this paper, we examine the effectiveness of physical memory forensics against ransomware for recovering raw symmetric and asymmetric keys, and we demonstrate file decryption against several real-world ransomware families. Furthermore, we deploy our own ransomware samples, equipped with an effective hybrid cryptosystem, to explore the limits of such memory-based side-channel attacks. Our results indicate that cryptographic keys are present in the ransomware process memory during encryption for long enough to enable complete data recovery.

Pranshu Bajpai

June 15, 2020


  1. Memory Forensics Against Ransomware
     Pranshu Bajpai and Richard Enbody, Michigan State University
     IEEE Cyber Security 2020, June 17th, 2020
  2. Richard Enbody
       ▪ Associate Professor, Michigan State University
     Pranshu Bajpai
       ▪ Security Researcher, PhD, Michigan State University
       ▪ Security Architect, Motorola Solutions*
     *Disclaimer: views expressed are our own and not necessarily those of our employers
  3. Introduction
       ▪ The growing menace of ransomware
       ▪ Hybrid encryption model and key management
       ▪ Standard encryption algorithms and APIs
       ▪ The NIST cybersecurity framework
       ▪ The 6 categories of ransomware virulence
  4. Killchain in Modern Ransomware
     Identifying constraints on all modern cryptographic ransomware
     Cn   Condition
     C1   Infiltration
     C2   Execution
     C3   Preparation
     C4   Enumeration
     C5   Encryption
     C6   Protection
     C7   Extraction
     C8   Restoration
  5. Hybrid cryptosystem
       ▪ Utilize the existing CryptoAPI on the host
       ▪ Generate unique symmetric encryption key(s)
       ▪ Traverse directories and locate files-of-interest
       ▪ Encrypt files with the symmetric key(s)
       ▪ Encrypt the symmetric key(s) with the embedded public key
       ▪ Display ransom note
  6. Fig: Symmetric Key Schedule
     Fig: Asymmetric Key in Memory

  7. Fig: System Architecture

  8. Fig: Decryption of a JPEG Image
     Fig: Key Exposure

  9. Decrypting real-world Ransomware
     Ransomware         Algorithm(s)
     LockCrypt2.0       AES-256+RSA
     eCh0raix           AES-256+RSA
     CryptoRoger        AES-256
     WannaCry           AES-256+RSA
     AdamLocker         AES-256
     Alphabet           AES-256+RSA
     Alphalocker        AES-256+RSA
     CryptoRansomware   AES-256
     BlackRuby          AES-256+RSA
  10. Summary
      Primary insight: Cryptographic keys are exposed by ransomware during the process of encryption
      Main technical challenge: The volatility of physical memory limits the window of key extraction
      Existing solutions: Focused primarily on the prevention and detection of ransomware
      Methodology: Recognizing encryption key structures in memory for key extraction during encryption
      Results: Decryption of data encrypted by real-world ransomware
      Future work:
        ▪ Testing against a larger set of multi-key ransomware strains
        ▪ Experimenting with different trigger conditions
        ▪ Mapping extracted keys to encrypted files
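The methodology above rests on recognizing key structures in memory. As an added example, not code from the paper or its authors, the following Python scans a memory image for an AES-256 key by exploiting the fact that the FIPS-197 key expansion is deterministic: a 32-byte window is a key candidate if the 208 bytes that follow it equal its expanded round keys. It assumes the schedule is stored contiguously, starting with the key itself, as FIPS-197 lays it out; the memory buffer, the planted key and its offset are constructed for the demonstration.

```python
# Added example (not from the paper): scan a memory image for an AES-256 key
# schedule. Assumes the FIPS-197 expansion sits contiguously after the key.
import random

def _build_sbox():
    # Generate the AES S-box (GF(2^8) inverse, then affine map) instead of a 256-entry table.
    sbox, p, q = [0] * 256, 1, 1
    for _ in range(255):                                   # 3 generates all nonzero elements
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= (q << 1) & 0xFF
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF                               # q /= 3, keeping p*q == 1
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)  # affine transform (rotations)
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40]

def aes256_key_schedule(key: bytes) -> bytes:
    """Expand a 32-byte key into the 240-byte AES-256 round-key schedule (FIPS-197)."""
    w = [key[i:i + 4] for i in range(0, 32, 4)]
    for i in range(8, 60):
        t = bytearray(w[i - 1])
        if i % 8 == 0:                                     # RotWord, SubWord, Rcon
            t = bytearray(SBOX[b] for b in t[1:] + t[:1])
            t[0] ^= RCON[i // 8 - 1]
        elif i % 8 == 4:                                   # SubWord only (Nk > 6)
            t = bytearray(SBOX[b] for b in t)
        w.append(bytes(a ^ b for a, b in zip(w[i - 8], t)))
    return b"".join(w)

def find_aes256_keys(mem: bytes):
    """Return (offset, key) for every 32-byte window whose expansion follows it in mem."""
    hits = []
    for off in range(len(mem) - 240 + 1):
        cand = mem[off:off + 32]
        if len(set(cand)) < 4:                             # skip zero pages and filler
            continue
        if aes256_key_schedule(cand) == mem[off:off + 240]:
            hits.append((off, cand))
    return hits

# Constructed memory image: pseudo-random filler with one schedule planted at 0x1230.
KEY = bytes(range(32))
MEM = bytes(random.Random(7).getrandbits(8) for _ in range(8192))
MEM = MEM[:0x1230] + aes256_key_schedule(KEY) + MEM[0x1230 + 240:]
```

On a real image the same scan is run over each page of the ransomware process; a partially overwritten schedule can still be matched by comparing fewer round keys at the cost of more false positives.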
  11. Conclusion
      Response and Recovery
        ▪ More research efforts are needed in the recovery phase against ransomware
        ▪ Backups are not always sufficient
      Layered Defense
        ▪ Defense-in-depth is the only true solution against ransomware
        ▪ Prevention, detection, and recovery are all required elements of defense
      Scalable solutions
        ▪ Proposed solutions are more effective when not dependent on platform, language, APIs etc.
  12. Thank you! Any questions?
        ▪ Twitter: @amirootyet
        ▪ www.amirootyet.com