
Ransomware and the Legacy Crypto API

  1. Trend Micro. By the numbers: Ransomware rising. http://www.trendmicro.com.ph/vinfo/ph/security/news/cybercrime-and-digital-threats/by-the-numbers-ransomware-rising
  2. Paz, R.D.: Cryptowall, Teslacrypt and Locky: A Statistical Perspective. https://blog.fortinet.com/2016/03/08/cryptowall-teslacrypt-and-locky-a-statistical-perspective
  3. Abrams, L.: The week in ransomware, 24 June 2016. http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-24-2016-locky-returns-cryptxxx-apocalypse-and-more/
  4. Kaspersky. Kaspersky Security Bulletin 2015. https://securelist.com/files/2015/12/Kaspersky-Security-Bulletin-2015_FINAL_EN.pdf
  5. Lozhkin, S.: Hospitals are under attack in 2016, March 2016. https://securelist.com/blog/research/74249/hospitals-are-under-attack-in-2016
  6. Lee, S.: Ransomware Wreaking Havoc in American and Canadian Hospitals, March 2016. http://europe.newsweek.com/ransomware-wreaking-havoc-american-and-canadian-hospitals-439714?rm=eu
  7. Young A., Moti Yung, Cryptovirology: extortion-based security threats and countermeasures, 10.1109/secpri.1996.502676
  8. Gazet Alexandre, Comparative analysis of various ransomware virii, 10.1007/s11416-008-0092-2
  9. Kharraz Amin, Robertson William, Balzarotti Davide, Bilge Leyla, Kirda Engin, Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks, Detection of Intrusions and Malware, and Vulnerability Assessment (2015) ISBN:9783319205496 p.3-24, 10.1007/978-3-319-20550-2_1
  10. Syverson, P.: A taxonomy of replay attacks [cryptographic protocols]. In: Proceedings of Computer Security Foundations Workshop VII, CSFW 7, pp. 187–191. IEEE (1994)
  11. Josse Sébastien, White-box attack context cryptovirology, 10.1007/s11416-008-0097-x
  12. Wyke, J., Ajjan, A.: Sophos: the Current State of Ransomware, December 2015. https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-current-state-of-ransomware.pdf?la=en
  13. Kotov, V., Rajpal, M.S.: Bromium: Understanding Crypto-Ransomware (2014). https://www.bromium.com/sites/default/files/bromium-report-ransomware.pdf
  14. Sinegubko, D.: How CTB-Locker Ransomware Uses Bitcoin and Blockchain. https://www.cryptocoinsnews.com/how-ctb-locker-ransomware-uses-bitcoin-and-blockchain/
  15. Invincea endpoint security blog: Pat Belcher. Hash Factory: New Cerber Ransomware Morphs Every 15 Seconds. https://www.invincea.com/2016/06/hash-factory-new-cerber-ransomware-morphs-every-15-seconds/
  16. National Institute of Standards and Technology. Data Encryption Standard (DES). http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
  17. Rivest R. L., Shamir A., Adleman L., A method for obtaining digital signatures and public-key cryptosystems, 10.1145/359340.359342
  18. Miller Victor S., Use of Elliptic Curves in Cryptography, Lecture Notes in Computer Science ISBN:9783540164630 p.417-426, 10.1007/3-540-39799-x_31
  19. Symantec. Trojan. Synolocker, 2014. https://www.symantec.com/security_response/writeup.jsp?docid=2014-080708-1950-99
  20. Nazarov, D., Emelyanova, O.: Blackmailer: the story of Gpcode (2006). https://securelist.com/analysis/publications/36089/blackmailer-the-story-of-gpcode
  21. Jarvis, K.: SecureWorks Counter Threat Unit™ Threat Intelligence. CryptoLocker Ransomware, December 2013. https://www.secureworks.com/research/cryptolocker-ransomware
  22. Federal Bureau of Investigation (FBI). GameOver Zeus Botnet Disrupted. https://www.fbi.gov/news/stories/2014/june/gameover-zeus-botnet-disrupted
  23. Allievi, A., Carter, E.: Ransomware on Steroids: Cryptowall 2.0. Cisco (2015). http://blogs.cisco.com/security/talos/cryptowall-2
  24. Klijnsma, Y.: The history of Cryptowall: a large scale cryptographic ransomware threat. https://www.cryptowalltracker.org/
  25. Léveillé, M.M.: TorrentLocker: Ransomware in a country near you (2014). http://www.welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf
  26. Lipmaa, H., Rogaway, P., Wagner, D.: CTR-mode encryption. In: First NIST Workshop on Modes of Operation (2000)
  27. Zairon.: CTB-Locker encryption/decryption scheme in details, February 2015. https://zairon.wordpress.com/2015/02/17/ctb-locker-encryptiondecryption-scheme-in-details
  28. Bernstein, D.J.: A state-of-the-art Diffie-Hellman function. http://cr.yp.to/ecdh.html
  29. Abrams, L.: CTB-Locker for Websites: Reinventing an old Ransomware. http://www.bleepingcomputer.com/news/security/ctb-locker-for-websites-reinventing-an-old-ransomware/
  30. Talos Group. Threat Spotlight: TeslaCrypt Decrypt It Yourself, April 2015. http://blogs.cisco.com/security/talos/teslacrypt
  31. Marcos, M.: CRYPVAULT: New Crypto-ransomware Encrypts and Quarantines Files. http://blog.trendmicro.com/trendlabs-security-intelligence/crypvault-new-crypto-ransomware-encrypts-and-quarantines-files/
  32. Sinitsyn, F.: Locky: the encryptor taking the world by storm (2016). https://securelist.com/blog/research/74398/locky-the-encryptor-taking-the-world-by-storm
  33. Sinitsyn, F.: Petya: the two-in-one trojan, May 2016. https://securelist.com/blog/research/74609/petya-the-two-in-one-trojan
  34. Bernstein Daniel J., The Salsa20 Family of Stream Ciphers, Lecture Notes in Computer Science ISBN:9783540683506 p.84-97, 10.1007/978-3-540-68351-3_8
  35. Leo-stone. Hack-petya mission accomplished. https://github.com/leo-stone/hack-petya
  36. National Institute of Standards and Technology (NIST). Specification for the Advanced Encryption Standard, FIPS PUB 197, November 2001
  37. Wikipedia. Block cipher mode of operation. https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
  38. Microsoft. Microsoft Enhanced Cryptographic Provider, FIPS 140–1 Documentation: Security Policy (2005). http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp238.pdf
  39. Hunt, G., Brubacher, D.: Detours: Binary interception of win 32 functions. In: 3rd USENIX Windows NT Symposium (1999)
  40. Hasherezade. Look into locky ransomware. https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/
  41. Malware online repository. https://malwr.com
  42. Malware online repository. http://malwaredb.malekal.com
  43. Malware online repository. https://virusshare.com
Bibliographic reference Palisse, Aurélien ; Le Bouder, Hélène ; Lanet, Jean-Louis ; Le Guernic, Colas ; Legay, Axel. Ransomware and the Legacy Crypto API. The 11th International Conference on Risks and Security of Internet and Systems - CRiSIS 2016 (from 05/09/2016 to 07/09/2016). In: Lecture Notes in Computer Science, Risks and Security of Internet and Systems, Springer International Publishing: Cham, 2016
Permanent URL https://hdl.handle.net/2078.1/210605