Dynamic ransomware protection using deterministic random bit generator

Proceedings of the Central European Cybersecurity Conference 2018

2018

To achieve its goals, ransomware needs to employ strong encryption, which in turn requires access to high-grade encryption keys. Over the evolution of ransomware, various techniques have been observed to accomplish the latter. Understanding the advantages and disadvantages of each method is essential to develop robust defense strategies. In this paper we explain the techniques used by ransomware to derive encryption keys and analyze the security of each approach. We argue that recovery of data might be possible if the ransomware cannot access high entropy randomness sources. As an evidence to support our theoretical results, we provide a decryptor program for a previously undefeated ransomware.

Section: Discussionmentioning

confidence: 99%

Section: Key-oriented Protection Methodsmentioning

confidence: 99%

See 1 more Smart Citation

Security Analysis of Key Acquiring Strategies Used by Cryptographic Ransomware

Proceedings of the Central European Cybersecurity Conference 2018

2018

“…In the case of a ransomware attack, the encrypted files are tried by brute-forcing to be decrypted by retrieving the keys and other necessary parameters from the key vault. A slightly different method, Deterministic Random Bits Generator (DRBG) is proposed by Kim et al [12] to retrieve the random numbers that ransomware used after an attack. DRBG replaces the CSPRNG of the system with a back-doored PRNG.…”

Section: State Of the Art In Ransomware Defensementioning

confidence: 99%

NoCry: No More Secure Encryption Keys for Cryptographic Ransomware

Lecture Notes in Computer Science

2020

Since the appearance of ransomware in the cyber crime scene, researchers and anti-malware companies have been offering solutions to mitigate the threat. Anti-malware solutions differ on the specific strategy they implement, and all have pros and cons. However, three requirements concern them all: their implementation must be secure, be effective, and be efficient. Recently, Genç et al. proposed to stop a specific class of ransomware, the cryptographically strong one, by blocking unauthorized calls to cryptographically secure pseudo-random number generators, which are required to build strong encryption keys. Here, in adherence to the requirements, we discuss an implementation of that solution that is more secure (with components that are not vulnerable to known attacks), more effective (with less false negatives in the class of ransomware addressed) and more efficient (with minimal false positive rate and negligible overhead) than the original, bringing its security and technological readiness to a higher level.

“…Using these seed values, the keys used by ransomware are re-derived and the files are restored. In [16], Kim et al proposed this technique to mitigate ransomware. (KP-iii)escrowing encryption keys.…”

Section: Defense Techniques: the State Of The Artmentioning

confidence: 99%

Next Generation Cryptographic Ransomware

Lecture Notes in Computer Science

2018

We are assisting at an evolution in the ecosystem of cryptoware -the malware that encrypts files and makes them unavailable unless the victim pays up. New variants are taking the place once dominated by older versions; incident reports suggest that forthcoming ransomware will be more sophisticated, disruptive, and targeted. Can we anticipate how such future generations of ransomware will work in order to start planning on how to stop them? We argue that among them there will be some which will try to defeat current anti-ransomware; thus, we can speculate over their working principle by studying the weak points in the strategies that seven of the most advanced anti-ransomware are currently implementing. We support our speculations with experiments, proving at the same time that those weak points are in fact vulnerabilities and that the future ransomware that we have imagined can be effective.