nach oben

Erschienen in:

2018 | OriginalPaper | Buchkapitel

No Random, No Ransom: A Key to Stop Cryptographic Ransomware

verfasst von : Ziya Alper Genç, Gabriele Lenzini, Peter Y. A. Ryan

Erschienen in: Detection of Intrusions and Malware, and Vulnerability Assessment

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

To be effective, ransomware has to implement strong encryption, and strong encryption in turn requires a good source of random numbers. Without access to true randomness, ransomware relies on the pseudo random number generators that modern Operating Systems make available to applications. With this insight, we propose a strategy to mitigate ransomware attacks that considers pseudo random number generator functions as critical resources, controls accesses on their APIs and stops unauthorized applications that call them. Our strategy, tested against 524 active real-world ransomware samples, stops 94% of them, including WannaCry, Locky, CryptoLocker and CryptoWall. Remarkably, it also nullifies NotPetya, the latest offspring of the family which so far has eluded all defenses.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel FraudBuster: Temporal Analysis and Detection of Advanced Financial Frauds

Nächstes Kapitel Hidden in Plain Sight: Filesystem View Separation for Data Integrity and Deception

https://www.nomoreransom.org/.

For the complete list, please see Chap. 8 of [12].

Calling ExitProcess can as well cause process to crash, which, eventually ends it.

VirusTotal, https://www.virustotal.com.

ViruSign, https://www.virusign.com.

Malc0de, http://malc0de.com.

Cuckoo Sandbox, https://cuckoosandbox.org.

Kernel-based Virtual Machine, https://www.linux-kvm.org/page/Main_Page.

https://en.wikipedia.org/wiki/Petya_(malware).

We have chosen to set the limit of trials to \(100\,000\) as with the current implementation of Inter-Process Communication (IPC), our setup becomes instable beyond this limit.

The list of applications may vary on different versions of Windows OS.

Debian Security Advisory: DSA-1571-1 OpenSSL - predictable random number generator, May 2008. http://www.debian.org/security/2008/dsa-1571. Accessed 17 July 2017

Juniper Networks: Out of cycle security bulletin, December 2015. https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713. Accessed 17 July 2017

Bellare, M., Brakerski, Z., Naor, M., Ristenpart, T., Segev, G., Shacham, H., Yilek, S.: Hedged public-key encryption: how to protect against bad randomness. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 232–249. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_14CrossRef

Bradner, S.: Key words for use in RFCs to Indicate Requirement Levels. BCP 14, RFC Editor, March 1997. http://www.rfc-editor.org/rfc/rfc2119.txt, http://www.rfc-editor.org/rfc/rfc2119.txt

Bromium: Understanding Crypto-Ransomware (2015). https://www.bromium.com/sites/default/files/rpt-bromium-crypto-ransomware-us-en.pdf

Chen, T.M., Abu-Nimeh, S.: Lessons from stuxnet. Computer 44(4), 91–93 (2011)CrossRef

Continella, A., Guagnelli, A., Zingaro, G., De Pasquale, G., Barenghi, A., Zanero, S., Maggi, F.: ShieldFS: a self-healing, ransomware-aware filesystem. In: Proceedings of the 32Nd Annual Conference on Computer Security Applications, pp. 336–347. ACSAC 2016. ACM, New York (2016)

Cybersecurity Ventures: Ransomware Damage Report (2017). https://cybersecurityventures.com/ransomware-damage-report-2017-part-2/

Dodis, Y., Ong, S.J., Prabhakaran, M., Sahai, A.: On the (im)possibility of cryptography with imperfect randomness. In: 45th Annual IEEE Symposium on Foundations of Computer Science, pp. 196–205, October 2004

10.

Douceur, J.R., Adya, A., Bolosky, W.J., Simon, D., Theimer, M.: Reclaiming space from duplicate files in a serverless distributed file system. In: Proceedings of the 22nd International Conference on Distributed Computing Systems (ICDCS 2002), pp. 617. ICDCS 2002. IEEE Computer Society, Washington, DC, USA (2002)

11.

Gammons, B.: 4 Surprising Backup Failure Statistics that Justify Additional Protection, January 2017. https://blog.barkly.com/backup-failure-statistics. Accessed 17 July 2017

12.

Howard, M., Le Blanc, D.: Writing Secure Code. Developer Best Practices, 2nd edn. Microsoft Press, Cambridge (2004)

13.

Kharaz, A., Arshad, S., Mulliner, C., Robertson, W., Kirda, E.: Unveil: a large-scale, automated approach to detecting ransomware. In: 25th USENIX Security Symposium (USENIX Security 2016), pp. 757–772. USENIX Association, Austin, TX (2016)

14.

Kharraz, A., Kirda, E.: Redemption: real-time protection against ransomware at end-hosts. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) Research in Attacks, Intrusions, and Defenses, pp. 98–119. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66332-6_5CrossRef

15.

Kolodenker, E., Koch, W., Stringhini, G., Egele, M.: Paybreak: defense against cryptographic ransomware. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 599–611. ASIA CCS 2017. ACM, New York (2017)

16.

Lee, K., Oh, I., Yim, K.: Ransomware-prevention technique using key backup. In: Jung, J.J., Kim, P. (eds.) Big Data Technologies and Applications, vol. 194, pp. 105–114. Springer International Publishing, Cham (2017). https://doi.org/10.1007/978-3-319-58967-1_12CrossRef

17.

Microsoft: Working with the AppInit_DLLs registry value, November 2006. https://support.microsoft.com/en-us/help/197571/working-with-theappinit-dlls-registry-value

18.

Microsoft Corporation: Windows Authenticode Portable Executable Signature Format. Technical report, March 2008. http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx

19.

Palisse, A., Le Bouder, H., Lanet, J.-L., Le Guernic, C., Legay, A.: Ransomware and the legacy Crypto API. In: Cuppens, F., Cuppens, N., Lanet, J.-L., Legay, A. (eds.) CRiSIS 2016. LNCS, vol. 10158, pp. 11–28. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-54876-0_2CrossRef

20.

Scaife, N., Carter, H., Traynor, P., Butler, K.R.B.: Cryptolock (and drop it): stopping ransomware attacks on user data. In: 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), pp. 303–312, June 2016

21.

Sebastián, M., Rivera, R., Kotzias, P., Caballero, J.: AVclass: a tool for massive malware labeling. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 230–253. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45719-2_11CrossRef

22.

Soeder, D., Abad, C., Acevedo, G.: Black-box assessment of pseudorandom algorithms. Black Hat USA (2013). https://media.blackhat.com/us-13/US-13-Soeder-Black-Box-Assessment-of-Pseudorandom-Algorithms-WP.pdf

23.

Szor, P.: Duqu-Threat Research and Analysis, November 2011. https://securingtomorrow.mcafee.com/wp-content/uploads/2011/10/Duqu.pdf

24.

US Department of Justice: How to Protect your Networks from Ransomware (2016). https://www.justice.gov/criminal-ccips/file/872771/download

25.

VirusTotal: Scan report, June 2017. https://virustotal.com/en/file/81fdbf04f3d0d9a85e0fbb092e257a2dda14c5d783f1c8bf3bc41038e0a78688/analysis/

Titel: No Random, No Ransom: A Key to Stop Cryptographic Ransomware
verfasst von: Ziya Alper Genç
Gabriele Lenzini
Peter Y. A. Ryan
Verlag: Springer International Publishing
Buch: Detection of Intrusions and Malware, and Vulnerability Assessment
Print ISBN: 978-3-319-93410-5

Electronic ISBN: 978-3-319-93411-2

Copyright-Jahr: 2018
DOI: https://doi.org/10.1007/978-3-319-93411-2_11

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"