Top

Published in:

2017 | OriginalPaper | Chapter

Ransomware and the Legacy Crypto API

Authors : Aurélien Palisse, Hélène Le Bouder, Jean-Louis Lanet, Colas Le Guernic, Axel Legay

Published in: Risks and Security of Internet and Systems

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Ransomware are malicious software that encrypt their victim’s data and only return the decryption key in exchange of a ransom. After presenting their characteristics and main representatives, we introduce two original countermeasures allowing victims to decrypt their files without paying. The first one takes advantage of the weak mode of operation used by some ransomware. The second one intercept calls made to Microsoft’s Cryptographic API. Both methods must be active before the attack takes place, and none is general enough to handle all ransomware. Nevertheless our experimental results show that their combination can protect users from 50% of the active samples at our disposal.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter CLiKC: A Privacy-Mindful Approach When Sharing Data

next chapter A Formal Verification of Safe Update Point Detection in Dynamic Software Updating

Drive-by download is a term used to describe how a piece of malware is installed on a user’s computer without his knowledge when browsing a compromised website.

Porte-manteau of malware and advertisement.

https://www.torproject.org/.

https://geti2p.net/fr/.

http://www.kaspersky.com/internet-security-center/threats/torrentlocker-malware.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0311.

see RAND_poll in crypto/rand/rand_win.c.

http://www.microsoft.com/en-us/download/details.aspx?id=18512.

HKEY_LOCAL_MACHINE\(\backslash \)SOFTWARE\(\backslash \)Microsoft\(\backslash \)Cryptography\(\backslash \)Defaults\(\backslash \)Provider.

PE: Portable Executable, Windows executable file format.

Trend Micro. By the numbers: Ransomware rising. http://www.trendmicro.com.ph/vinfo/ph/security/news/cybercrime-and-digital-threats/by-the-numbers-ransomware-rising

Paz, R.D.: Cryptowall, Teslacrypt and Locky: A Statistical Perspective. https://blog.fortinet.com/2016/03/08/cryptowall-teslacrypt-and-locky-a-statistical-perspective

Abrams, L.: The week in ransomware, 24 June 2016. http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-24-2016-locky-returns-cryptxxx-apocalypse-and-more/

Kaspersky. Kaspersky Security Bulletin 2015. https://securelist.com/files/2015/12/Kaspersky-Security-Bulletin-2015_FINAL_EN.pdf

Lozhkin, S.: Hospitals are under attack in 2016, March 2016. https://securelist.com/blog/research/74249/hospitals-are-under-attack-in-2016

Lee, S.: Ransomware Wreaking Havoc in American and Canadian Hospitals, March 2016. http://europe.newsweek.com/ransomware-wreaking-havoc-american-and-canadian-hospitals-439714?rm=eu

Young, A.L., Yung, M.: Cryptovirology: Extortion-based security threats and countermeasures. In: IEEE Symposium on Security and Privacy, May 6–8, Oakland, CA, USA, pp. 129–140 (1996)

Gazet, A.: Comparative analysis of various ransomware virii. J. Comput. Virol. 6(1), 77–90 (2010)CrossRef

Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., Kirda, E.: Cutting the gordian knot: a look under the hood of ransomware attacks. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 3–24. Springer, Cham (2015). doi:10.1007/978-3-319-20550-2_1 CrossRef

10.

Syverson, P.: A taxonomy of replay attacks [cryptographic protocols]. In: Proceedings of Computer Security Foundations Workshop VII, CSFW 7, pp. 187–191. IEEE (1994)

11.

Josse, S.: White-box attack context cryptovirology. J. Comput. Virol. 5(4), 321–334 (2009)CrossRef

12.

Wyke, J., Ajjan, A.: Sophos: the Current State of Ransomware, December 2015. https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-current-state-of-ransomware.pdf?la=en

13.

Kotov, V., Rajpal, M.S..: Bromium: Understanding Crypto-Ransomware (2014). https://www.bromium.com/sites/default/files/bromium-report-ransomware.pdf

14.

Sinegubko, D.: How CTB-Locker Ransomware Uses Bitcoin and Blockchain. https://www.cryptocoinsnews.com/how-ctb-locker-ransomware-uses-bitcoin-and-blockchain/

15.

Invincea endpoint security blog: Pat Belcher. Hash Factory: New Cerber Ransomware Morphs Every 15 Seconds. https://www.invincea.com/2016/06/hash-factory-new-cerber-ransomware-morphs-every-15-seconds/

16.

National Institute of Standards and Technology. Data Encryption Standard (DES). http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf

17.

Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)MathSciNetCrossRefMATH

18.

Miller, Victor S.: Use of elliptic curves in cryptography. In: Williams, Hugh C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986). doi:10.1007/3-540-39799-X_31 CrossRef

19.

Symantec. Trojan. Synolocker, 2014. https://www.symantec.com/security_response/writeup.jsp?docid=2014-080708-1950-99

20.

Nazarov, D., Emelyanova, O.: Blackmailer: the story of Gpcode (2006). https://securelist.com/analysis/publications/36089/blackmailer-the-story-of-gpcode

21.

Jarvis, K.: SecureWorks Counter Threat UnitTM Threat Intelligence. CryptoLocker Ransomware, December 2013. https://www.secureworks.com/research/cryptolocker-ransomware

22.

Federal Bureau of Investigation (FBI). GameOver Zeus Botnet Disrupted. https://www.fbi.gov/news/stories/2014/june/gameover-zeus-botnet-disrupted

23.

Allievi, A., Carter, E.: Ransomware on Steroids: Cryptowall 2.0. Cisco (2015). http://blogs.cisco.com/security/talos/cryptowall-2

24.

Klijnsma, Y.: The history of Cryptowall: a large scale cryptographic ransomware threat. https://www.cryptowalltracker.org/

25.

Léveillé, M.M.: TorrentLocker: Ransomware in a country near you (2014). http://www.welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf

26.

Lipmaa, H., Rogaway, P., Wagner, D.: CTR-mode encryption. In: First NIST Workshop on Modes of Operation (2000)

27.

Zairon.: CTB-Locker encryption/decryption scheme in details, February 2015. https://zairon.wordpress.com/2015/02/17/ctb-locker-encryptiondecryption-scheme-in-details

28.

Bernstein, D.J.: A state-of-the-art Diffie-Hellman function. http://cr.yp.to/ecdh.html

29.

Abrams, L.: CTB-Locker for Websites: Reinventing an old Ransomware. http://www.bleepingcomputer.com/news/security/ctb-locker-for-websites-reinventing-an-old-ransomware/

30.

Talos Group. Threat Spotlight: TeslaCrypt Decrypt It Yourself, April 2015. http://blogs.cisco.com/security/talos/teslacrypt

31.

Marcos, M.: CRYPVAULT: New Crypto-ransomware Encrypts and Quarantines Files. http://blog.trendmicro.com/trendlabs-security-intelligence/crypvault-new-crypto-ransomware-encrypts-and-quarantines-files/

32.

Sinitsyn, F.: Locky: the encryptor taking the world by storm (2016). https://securelist.com/blog/research/74398/locky-the-encryptor-taking-the-world-by-storm

33.

Sinitsyn, F.: Petya: the two-in-one trojan, May 2016. https://securelist.com/blog/research/74609/petya-the-two-in-one-trojan

34.

Bernstein, D.J.: The Salsa20 family of stream ciphers. In: Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 84–97. Springer, Heidelberg (2008). doi:10.1007/978-3-540-68351-3_8 CrossRef

35.

Leo-stone. Hack-petya mission accomplished. https://github.com/leo-stone/hack-petya

36.

National Institute of Standards and Technology (NIST). Specification for the Advanced Encryption Standard, FIPS PUB 197, November 2001

37.

Wikipedia. Block cipher mode of operation. https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

38.

Microsoft. Microsoft Enhanced Cryptographic Provider, FIPS 140–1 Documentation: Security Policy (2005). http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp238.pdf

39.

Hunt, G., Brubacher, D.: Detours: Binary interception of win 32 functions. In: 3rd USENIX Windows NT Symposium (1999)

40.

Hasherezade. Look into locky ransomware. https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/

41.

Malware online repository. https://malwr.com

42.

Malware online repository. http://malwaredb.malekal.com

43.

Malware online repository. https://virusshare.com

Title: Ransomware and the Legacy Crypto API
Authors: Aurélien Palisse
Hélène Le Bouder
Jean-Louis Lanet
Colas Le Guernic
Axel Legay
Publisher: Springer International Publishing
Book: Risks and Security of Internet and Systems
Print ISBN: 978-3-319-54875-3

Electronic ISBN: 978-3-319-54876-0

Copyright Year: 2017
DOI: https://doi.org/10.1007/978-3-319-54876-0_2

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner