Slide 1

Memory Forensics Against Ransomware
Pranshu Bajpai and Richard Enbody
Michigan State University
IEEE Cyber Security 2020, June 17th, 2020

Slide 2

Richard Enbody
▪ Associate Professor, Michigan State University
Pranshu Bajpai
▪ Security Researcher, PhD, Michigan State University
▪ Security Architect, Motorola Solutions*
*Disclaimer: views expressed are our own and not necessarily those of our employers

Slide 3

Introduction
▪ The growing menace of ransomware
▪ Hybrid encryption model and key management
▪ Standard encryption algorithms and APIs
▪ The NIST cybersecurity framework
▪ The 6 categories of ransomware virulence

Slide 4

Kill Chain in Modern Ransomware
Identifying constraints on all modern cryptographic ransomware

Cn   Condition
C1   Infiltration
C2   Execution
C3   Preparation
C4   Enumeration
C5   Encryption
C6   Protection
C7   Extraction
C8   Restoration

Slide 5

Hybrid cryptosystem
▪ Utilize the existing CryptoAPI on the host
▪ Generate unique symmetric encryption key(s)
▪ Traverse directories and locate files-of-interest
▪ Encrypt files with the symmetric key(s)
▪ Encrypt the symmetric key(s) with the embedded public key
▪ Display ransom note

Slide 6

Fig: Symmetric Key Schedule
Fig: Asymmetric Key in Memory

Slide 7

Fig: System Architecture

Slide 8

Fig: Decryption of a JPEG Image
Fig: Key Exposure Durations

Slide 9

Decrypting Real-World Ransomware

Ransomware        Algorithm(s)
LockCrypt2.0      AES-256+RSA
eCh0raix          AES-256+RSA
CryptoRoger       AES-256
WannaCry          AES-256+RSA
AdamLocker        AES-256
Alphabet          AES-256+RSA
Alphalocker       AES-256+RSA
CryptoRansomware  AES-256
BlackRuby         AES-256+RSA

Slide 10

Summary
Primary insight: Cryptographic keys are exposed by ransomware during the process of encryption
Main technical challenge: The volatility of physical memory limits the window of key extraction
Existing solutions: Focused primarily on the prevention and detection of ransomware
Methodology: Recognizing encryption key structures in memory for key extraction during encryption
Results: Decryption of data encrypted by real-world ransomware
Future work:
▪ Testing against a larger set of multi-key ransomware strains
▪ Experimenting with different trigger conditions
▪ Mapping extracted keys to encrypted files

Slide 11

Conclusion
Response and Recovery
▪ More research efforts are needed in the recovery phase against ransomware
▪ Backups are not always sufficient
Layered Defense
▪ Defense-in-depth is the only true solution against ransomware
▪ Prevention, detection, and recovery are all required elements of defense
Scalable solutions
▪ Proposed solutions are more effective when not dependent on platform, language, APIs etc.

Slide 12

Thank you! Any questions?
▪ Twitter: @amirootyet
▪ www.amirootyet.com