GrrCon - Crypto Gone Rogue

by Pranshu Bajpai

Slide 1

Slide 1 text

Crypto Gone Rogue A Tale of Ransomware, Key Management, and the CryptoAPI -Pranshu Bajpai, Richard Enbody

Slide 2

Slide 2 text

2 1. Introduction 2. Key Management 3. Implementation Details 4. Understanding the CryptoAPI Functions 5. Ransomware Pseudo Code 6. Conclusion Agenda

Slide 3

Slide 3 text

1. Introduction -About us -The problem of ransomware 3

Slide 4

Slide 4 text

About Us 4 Pranshu Bajpai @amirootyet ▪ PhD candidate at Michigan State University ▪ Previously worked as an independent penetration tester ▪ Active speaker at security conferences: DEFCON, GrrCon, ToorCon, BSides, APWG eCrime... ▪ https://www.linkedin.com/in/pranshubajpai ▪ http://www.cse.msu.edu/~bajpaipr/ Richard Enbody ▪ Associate Professor at Michigan State University ▪ Books: Targeted Cyber Attacks, The Practice of Computing using Python ▪ http://www.cse.msu.edu/~enbody/

Slide 5

Slide 5 text

5 Ransomware Alive and Kicking!

Slide 6

Slide 6 text

Necessary Elements of a Ransomware 6 Infiltrate Acquire encryption secret (key) Encrypt Demand ransom Ransomware

Slide 7

Slide 7 text

2. Key Management -Why key management? -Evolution of key management 7

Slide 8

Slide 8 text

Why Key Management? Key management is crucial to ransomware operation: 8 ▪ Attacker needs exclusive access to the decryption key ▪ Key management is complex and attackers frequently make errors ▪ Ransomware will always find victims – flaws in key management imply we can recover files without paying the ransom

Slide 9

Slide 9 text

Evolution of Key Management ▪ Hybrid encryption ▪ A Key-Management-Based Taxonomy for Ransomware – Pranshu Bajpai, Aditya K Sood, Richard Enbody https://ieeexplore.ieee.org/document/8376213/ 9

Slide 10

Slide 10 text

3. Implementation Details -How is key management implemented by ransomware? 10

Slide 11

Slide 11 text

The Windows CryptoAPI, CSPs, and CNG CryptoAPI ▪ Microsoft’s Cryptographic API (CAPI) ▪ Maliciously used by ransomware ▪ Provides cryptographic services to userland applications ▪ Cryptographic primitives are buried in DLLs and divided among CSPs ▪ Provides abstraction to programmers CSPs ▪ Cryptographic Service Providers ▪ Each CSP offers cryptographic primitives ▪ Responsible for actually implementing the CAPI ▪ CAPI is just a bridge between application and CSP – CSP is the crux of cryptographic functionality ▪ Must be signed by Microsoft CNG ▪ Cryptography API: Next Generation ▪ Started with Windows Vista ▪ Replacement for CryptoAPI 11

Slide 12

Slide 12 text

Ransomware and the CryptoAPI 12

Slide 13

Slide 13 text

Why Use the Native CryptoAPI? Ransomware developers: 13 ▪ Make design, implementation, and operation errors ▪ Frequently engage in cargo-cult programming ▪ Often end up creating ineffective ransomware that is actually scareware

Slide 14

Slide 14 text

4. Understanding the CryptoAPI functions -CryptAcquireContext -CryptGenKey -CryptEncrypt … 14

Slide 15

Slide 15 text

Place your screenshot here NotPetya Ransomware 15

Slide 16

Slide 16 text

NotPetya Ransom Message 16

Slide 17

Slide 17 text

List of Imports 17

Slide 18

Slide 18 text

List of Imports 18

Slide 19

Slide 19 text

CryptoAPI Calls 19

Slide 20

Slide 20 text

CryptAcquire Context 20

Slide 21

Slide 21 text

CryptAcquire Context ▪ Acquires handle to a key container within a CSP ▪ Returned handle use to make calls to selected CSP 21 // Get a handle to the default PROV_RSA_FULL provider if(!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL, 0)) { printf("Error %x during CryptAcquireContext!\n", GetLastError()); return; }

Slide 22

Slide 22 text

CryptGenKey 22

Slide 23

Slide 23 text

CryptGenKey ▪ Generates a random symmetric key or a public- private key pair ▪ Handle is returned to the key/key-pair 23 if(CryptGenKey( hCryptProv, ENCRYPT_ALGORITHM, KEYLENGTH | CRYPT_EXPORTABLE, &hKey)) { printf("A key has been created.\n"); } else { printf("Error during CryptGenKey.\n"); exit(1); }

Slide 24

Slide 24 text

CryptEncrypt CryptDecrypt 24

Slide 25

Slide 25 text

CryptEncrypt CryptDecrypt ▪ Encrypt and decrypt data 25 ▪ Handle to the key to use for encryption and decryption ▪ Key determines the encryption and decryption algorithm deployed

Slide 26

Slide 26 text

CryptImportKey 26

Slide 27

Slide 27 text

CryptImportKey 27

Slide 28

Slide 28 text

CryptImportKey ▪ Transfers a key from a key blob to a CSP 28 if(CryptImportKey( hProv, pbKeyBlob, dwBlobLen, 0, 0, &hPubKey)) { printf("The key has been imported.\n"); }

Slide 29

Slide 29 text

CryptExportKey 29

Slide 30

Slide 30 text

CryptExportKey ▪ Securely transfers a key from CSP 30 if(CryptExportKey( hKey, NULL, dwBlobType, 0, NULL, &dwBlobLength)) //Allocate memory for public key blob if(CryptExportKey( hKey, NULL, dwBlobType, 0, *ppbKeyBlob, &dwBlobLength)) // Actual exporting into key blob

Slide 31

Slide 31 text

CryptDestroy Key 31

Slide 32

Slide 32 text

CryptDestroyKey ▪ Releases the handle to the key parameter ▪ Invalidates key and ensures it cannot be used again 32 BOOL CryptDestroyKey( HCRYPTKEY hKey );

Slide 33

Slide 33 text

CryptRelease Context 33

Slide 34

Slide 34 text

CryptRelease Context ▪ Releases the handle to the CSP 34 BOOL CryptReleaseContext( HCRYPTPROV hProv, DWORD dwFlags );

Slide 35

Slide 35 text

5. Ransomware Pseudo Code -Pseudo code pertaining to a generic modern ransomware 35

Slide 36

Slide 36 text

Ransomware Design 36 void thread_encrypt() { // main calling function ... HCRYPTKEY symKey; // handle to key HCRYPTPROV hProv = [...]; // handle to CSP symKey = generateKey(hProv); // call to key generation function encryptData(hProv, symKey); // call to file encryption procedure cleanup(symKey); // clean up procedure CryptDestroyKey(symKey); // destroy key in memory CryptReleaseContext(hProv, 0); // release handle to CSP } HCRYPTKEY generateKey(hProv) { HCRYPTKEY symmKey; // handle to key CryptGenKey(hProv, CALG_AES_128, 1u, &symmKey); // generate AES-128 key DWORD mode = CRYPT_MODE_CBC; // use CBC cipher mode CryptSetKeyParam(symmKey, KP_MODE, &mode, 0); DWORD padData = PKCS5_PADDING; // PKCS 5 padding method CryptSetKeyParam(symmKey, KP_PADDING, &padData, 0); // set the padding mode return symmKey; // return generated key } void encryptData(hProv, symKey) { for each file type F: // search for specific file types cryptFile(hProv, symKey); // locate and encrypt files } void cleanup(hProv, symKey) { HCRYPTKEY asymPubKey = getasymPubKey(hProv): //acquire RSA public key void* symKeyEncryptb64 = exportKey(symKey, asymPubKey); //encrypt and encode AES key //...write ransomnote.txt... //...write base64 encoded encrypted AES key... //... LocalFree(symKeyEncryptb64); //free allocated memory }

Slide 37

Slide 37 text

6. Conclusion -Final notes 37

Slide 38

Slide 38 text

Conclusion ▪ Assume ransomware has infiltrated host. What can we do from here? ▪ Empirical analysis suggests that many vulnerabilities lie in the key management in these ransomware ▪ Ransomware developers continually introduce design, operation, and implementation flaws ▪ Understanding key management allows us to quickly attack flaws in ransomware to recover files 38

Slide 39

Slide 39 text

Thank you! 39 Questions @amirootyet