Slide 1

A Key-Management-Based Taxonomy for Ransomware
Pranshu Bajpai, Aditya K Sood, Richard Enbody
May 15, 2018
APWG 13th Symposium on Electronic Crime Research

Slide 2

Agenda
1. Introduction
2. Key Management
3. Categorization
4. Observations and Conclusion

Slide 3

Introduction

Slide 4

About us
• Pranshu Bajpai, PhD candidate at Michigan State University
  http://cse.msu.edu/~bajpaipr/
  https://twitter.com/amirootyet
• Aditya K Sood, security practitioner
  http://adityaksood.secniche.org/
• Richard Enbody, Associate Professor, Computer Science and Engineering, Michigan State University
  http://www.cse.msu.edu/~enbody/

Slide 5

The problem of ransomware
• Ransomware continues to find victims — 90% of businesses have fewer than 90 employees
• Backups work in theory but are missing, partial, or infrequent in practice
• Lack of regular updates, lack of general due diligence, poor passwords for remote services ...
• Assuming ransomware will find a way in — what can be done post-infiltration?

Slide 6

Key Management

Slide 7

Why focus on key management?
Key management is crucial to cryptoviral extortion:
• The attacker needs exclusive access to the decryption key
• Key management is complex and attackers frequently make errors
• Ransomware will always find victims — flaws in key management mean we can reverse the encryption without paying the ransom

Slide 8

Evolution of key management
• No encryption, no key
• Key in user domain
  1. Key on host machine
• Key in attacker domain
  1. Key on a command and control (C&C) server — single encryption
  2. Decryption essentials on C&C server — hybrid encryption

Slide 9

Common hybrid cryptosystem in ransomware
• Ransomware compromises host
• Generates symmetric encryption key
• Encrypts symmetric key with a hard-coded asymmetric key
• Provides attacker a copy of the encrypted symmetric key
• Encrypts user data using the symmetric key
• Destroys symmetric key on host
• Displays ransom note

Slide 10

Categorization

Slide 16

Need for a taxonomy?
• Not all ransomware are the same — vast differences based on design, operation and implementation
• Lack of a system that indicates the current risk associated with a ransomware variant
• Need for a methodology to study the growth of sophistication in modern ransomware
• Victims are more likely to give in to intimidation if they cannot comprehend the actual risk
• Need for a community-powered resource that the general public can query when infected
• How much time and effort would/does it take to reverse the encryption without paying the ransom?

Slide 17

The six categories of ransomware virulence
[Figure: a ransomware cryptosystem is placed into one of Category 1 through Category 6]

Slide 18

The six categories
Category 1: Fakers
• No actual encryption (fake scareware)
• Ransom demanded before encryption

Slide 19

The six categories
Category 2: Failures
• Decryption essentials extracted from binary
• Derived encryption key predicted
• Same key used for each infection instance
• Encryption circumvented (decryption possible without key)
• File restoration possible using Shadow Volume Copies

Slide 20

The six categories
Category 3: Imitators
• Key recovered from file system or memory
• Due diligence prevented ransomware from acquiring key
• Click-and-run decrypter exists
• Kill switch exists outside of attacker's control

Slide 21

The six categories
Category 4: Followers
• Decryption key recovered from a C&C server or network communications
• Custom encryption algorithm used

Slide 22

The six categories
Category 5: Challengers
• Decryption key recovered under specialized lab setting
• Small subset of files left unencrypted

Slide 23

The six categories
Category 6: Leaders
• Encryption model is seemingly flawless
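The six category slides read as a triage rule: each bullet is an observable weakness in the variant's key management, and a variant drops to the lowest category in which any of its weaknesses appears, with Category 6 reserved for variants where none is known. The following is an added example encoding that rule in Python; it is not the authors' code or tool. The "lowest applicable category wins" precedence and the field names are this example's assumptions, chosen so that each field maps to one bullet above.

```python
"""Encode the six-category ransomware taxonomy as a triage rule.

Added example, not the slides' own code. Each Observations field is one
bullet from the category slides. classify() returns the lowest (least
virulent) category for which any observation holds; that precedence and
the field names are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Observations:
    # Category 1: Fakers
    no_actual_encryption: bool = False
    ransom_before_encryption: bool = False
    # Category 2: Failures
    key_extracted_from_binary: bool = False
    derived_key_predictable: bool = False
    same_key_every_infection: bool = False
    encryption_circumvented: bool = False       # decryption possible without key
    shadow_copies_restore_files: bool = False
    # Category 3: Imitators
    key_recovered_from_host: bool = False       # file system or memory
    due_diligence_blocked_key: bool = False     # e.g. ransomware cannot reach C&C
    public_decrypter_exists: bool = False
    external_kill_switch: bool = False
    # Category 4: Followers
    key_recovered_from_c2_or_network: bool = False
    custom_encryption_algorithm: bool = False
    # Category 5: Challengers
    key_recovered_in_lab_only: bool = False
    subset_of_files_unencrypted: bool = False


# Rules are checked in order; the first category with a hit is assigned.
RULES: List[Tuple[int, str, List[str]]] = [
    (1, "Fakers", ["no_actual_encryption", "ransom_before_encryption"]),
    (2, "Failures", ["key_extracted_from_binary", "derived_key_predictable",
                     "same_key_every_infection", "encryption_circumvented",
                     "shadow_copies_restore_files"]),
    (3, "Imitators", ["key_recovered_from_host", "due_diligence_blocked_key",
                      "public_decrypter_exists", "external_kill_switch"]),
    (4, "Followers", ["key_recovered_from_c2_or_network",
                      "custom_encryption_algorithm"]),
    (5, "Challengers", ["key_recovered_in_lab_only",
                        "subset_of_files_unencrypted"]),
]


def classify(obs: Observations) -> Tuple[int, str, List[str]]:
    """Return (category number, label, observations that triggered it).

    A variant with several weaknesses lands in the lowest matching category,
    because the cheapest recovery route is what matters to a victim.
    """
    for number, label, names in RULES:
        hits = [name for name in names if getattr(obs, name)]
        if hits:
            return number, label, hits
    return 6, "Leaders", []


def describe(name: str, obs: Observations) -> str:
    """Human-readable triage line for an incident report."""
    number, label, hits = classify(obs)
    why = ", ".join(hits) if hits else "no known weakness"
    return f"{name}: Category {number} ({label}) - {why}"


if __name__ == "__main__":
    # Constructed observation sets, not data from the paper.
    samples = {
        "sample-A": Observations(external_kill_switch=True),
        "sample-B": Observations(external_kill_switch=True,
                                 key_extracted_from_binary=True),
        "sample-C": Observations(),
    }
    for name, obs in samples.items():
        print(describe(name, obs))
```

The ordering matters when a sample shows weaknesses from several slides: a variant with both a kill switch (Category 3) and a key embedded in its binary (Category 2) is a Category 2 failure, since the embedded key alone is enough to recover files.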

Slide 24

Categorization

Ransomware           Year  Category    Reasoning
Nemucod              2016  Category 1  Displays ransom note before actual encryption
AIDS                 1989  Category 2  Decryption key extracted from ransomware code
DirCrypt             2014  Category 2  Used same RC4 keystream for multiple files
Linux.Encoder.1      2015  Category 2  Timestamp for key generation used for decryption
WannaCry             2017  Category 3  Global kill switch renders ransomware ineffective
CryptoDefense        2014  Category 3  Decryption key not securely deleted on host
CryptoWall           2014  Category 3  Ineffective if it cannot reach the C&C server
GPCoder              2005  Category 4  Weak custom encryption algorithm
PowerWare            2016  Category 4  Decryption key extracted from communication with C&C
Cerber               2016  Category 6  No known weakness exists in the ransomware
NotPetya/GoldenEye   2017  Category 6  No known weakness exists in the ransomware

Table 1: Subset of classified ransomware
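The DirCrypt row ("same RC4 keystream for multiple files") is the clearest case of Category 2's "encryption circumvented": with a stream cipher, reusing one keystream across files means any one file the victim still holds in the clear (a mail attachment, a copy on a USB stick) gives back the keystream prefix, which then strips the encryption off every other file without the key. The Python below is an added example built to show that recovery; it is not the authors' code and does not model DirCrypt itself. The RC4 routine is the textbook cipher, and all keys, file names and contents are constructed for the demonstration.

```python
"""Why reusing one keystream across files (Table 1, DirCrypt) is recoverable.

Added example, not from the slides. Models the Category 2 flaw with textbook
RC4, then shows a victim recovering files from one known-plaintext copy.
Keys, file names and contents are constructed for the demonstration.
"""
from typing import Dict


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 key-scheduling plus PRGA; returns `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_same_keystream(files: Dict[str, bytes], key: bytes) -> Dict[str, bytes]:
    """Model of the flaw: one key, keystream restarted at byte 0 for every file."""
    return {name: xor_bytes(data, rc4_keystream(key, len(data)))
            for name, data in files.items()}


def encrypt_per_file_key(files: Dict[str, bytes], keys: Dict[str, bytes]) -> Dict[str, bytes]:
    """Contrast: a distinct key, hence a distinct keystream, per file."""
    return {name: xor_bytes(data, rc4_keystream(keys[name], len(data)))
            for name, data in files.items()}


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """C = P xor K, so K = C xor P for as many bytes of P as are known."""
    return xor_bytes(ciphertext, known_plaintext)


def recover_files(encrypted: Dict[str, bytes], known_name: str,
                  known_plaintext: bytes) -> Dict[str, bytes]:
    """Strip the keystream learned from the known file off every other file.

    Recovery reaches only as far as the known plaintext is long."""
    keystream = recover_keystream(encrypted[known_name], known_plaintext)
    return {name: xor_bytes(ct, keystream)
            for name, ct in encrypted.items() if name != known_name}


# Constructed victim data; report.txt also survives as a mail attachment.
FILES = {
    "report.txt": b"Quarterly report: revenue up 4%, costs flat, headcount 12.",
    "notes.txt":  b"Meeting notes: backup job failed twice; ticket #1234 open.",
    "todo.txt":   b"TODO: rotate VPN credentials, patch file server tonight.",
}
KNOWN_NAME = "report.txt"
KNOWN_COPY = FILES[KNOWN_NAME]     # the clean copy the victim still has


def demo_flawed() -> Dict[str, bytes]:
    """Category 2 behaviour: one constructed key for the whole infection."""
    encrypted = encrypt_same_keystream(FILES, b"constructed-infection-key")
    return recover_files(encrypted, KNOWN_NAME, KNOWN_COPY)


def demo_per_file_key() -> Dict[str, bytes]:
    """The same recovery attempt against per-file keys yields only garbage."""
    keys = {name: f"constructed-key-{name}".encode() for name in FILES}
    encrypted = encrypt_per_file_key(FILES, keys)
    return recover_files(encrypted, KNOWN_NAME, KNOWN_COPY)


if __name__ == "__main__":
    for name, data in demo_flawed().items():
        print("same keystream, recovered", name, "->", data)
    for name, data in demo_per_file_key().items():
        print("per-file key, 'recovered'", name, "->", data[:16], "...")
```

Running the script shows every other file coming back in the clear under the shared keystream, up to the length of the known copy, and unreadable bytes when each file has its own key. The same two-time-pad reasoning applies to any stream cipher or counter mode where the nonce or key is reused, which is why a single recoverable file is worth looking for before a victim considers paying.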

Slide 25

Observations and Conclusion

Slide 26

Observations
• Weak variants continue to appear as late as 2018

Slide 27

Conclusion
• We assume ransomware has infiltrated the host. What can we do from here?
• Empirical analysis suggests that many vulnerabilities lie in the key management of these ransomware
• Ransomware developers continually introduce design, operation and implementation flaws
• A classification system based on key management helps us effectively differentiate between the levels of severity inherent in ransomware variants
• It would be interesting to observe whether ransomware variants belonging to the same malware family stay in the same category over time

Slide 28

Questions
@amirootyet