We are familiar with the problem of ransomware – malicious software that seeks to encrypt user data and demand a ransom in return for the decryption key.
Several defensive measures help against crypto-malware. Backups work in theory, but they are not always available or are only partial. We need to accept that ransomware does, and will continue to, find victims.
These victims are not eCrime or DefCon or BSides conference attendees. Mostly, these are average computer users. In the past, ransomware developers and operators have gone for the low-hanging fruit – victims who fall for common phishing scams, expose RDP services with poor passwords, neglect security updates, etc. Targeted ransomware is now seeking bigger victims as seen in the case of the City of Atlanta.
In our paper, we assume that the crypto-malware has already infiltrated the host. What can be done from this point forward as a corrective measure for victims? Can files be recovered without paying the ransom? Here we realized that not all ransomware is the same: some can be broken because of their poor cryptosystems. But which ones? We need a classification system.
How do we classify? Enter key management.
Key management is crucial for a ransomware operation. A fundamental constraint on ransomware is that the ransomware operator needs to be the sole possessor of the decryption key until the ransom is paid. Errors in key management lead to key leakage, which neutralizes the leveraging power of the attacker and hence neutralizes the ransomware campaign.
After looking at several samples, we realized that many ransomware developers are not sophisticated coders – they frequently resort to cargo-cult programming or “copy-pasting.”
Our paper discusses several key management models that we observed being deployed in crypto-malware. For example, no key or no encryption is where we (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tripwire Guest Authors. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/unearthing-ransomware-characteristics-using-classification-taxonomy/