
Ransomware and the Legacy Crypto API

Conference paper

Risks and Security of Internet and Systems (CRiSIS 2016)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 10158)

Abstract

Ransomware is malicious software that encrypts its victim's data and only returns the decryption key in exchange for a ransom. After presenting its characteristics and main representatives, we introduce two original countermeasures that allow victims to decrypt their files without paying. The first takes advantage of the weak mode of operation used by some ransomware. The second intercepts calls made to Microsoft's Cryptographic API. Both methods must be active before the attack takes place, and neither is general enough to handle all ransomware. Nevertheless, our experimental results show that their combination can protect users from 50% of the active samples at our disposal.
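The abstract does not name the weak mode of operation the first countermeasure exploits. The following added example (not code from the paper or its authors) illustrates the underlying principle with one assumed weakness: a counter-mode keystream generated from one key and one fixed nonce and reused for every file. Under that assumption a victim who still has an intact copy of any one encrypted file (a template, an installer, a document also stored elsewhere) recovers the keystream by XOR and decrypts the other files up to the length of the known one, without ever learning the key. HMAC-SHA256 stands in for the block cipher so the script runs on the standard library alone; the sample files, key and nonce are constructed for the example. The sound counterpart with a fresh per-file nonce is shown beside it so the same recovery visibly fails.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: concatenated PRF(key, nonce || counter) blocks.

    HMAC-SHA256 is a stand-in for the block cipher; the reuse property shown
    below does not depend on which PRF or block cipher produces the blocks.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def recover_keystream(known_plaintext: bytes, known_ciphertext: bytes) -> bytes:
    """C = P xor KS, hence P xor C = KS for the overlapping length."""
    return xor_bytes(known_plaintext, known_ciphertext)


def decrypt_prefix(recovered_ks: bytes, ciphertext: bytes) -> bytes:
    """Decrypt as many bytes of the target as the recovered keystream covers."""
    return xor_bytes(ciphertext, recovered_ks)


# Constructed sample data. The template is a file the victim also holds an
# intact copy of; the figures file exists only in encrypted form after the attack.
KNOWN_PLAINTEXT = b"PK\x03\x04 constructed report template, identical copy available elsewhere ...."
SECRET_FILE = b"Q3 figures: revenue 1234, margin 12%\n"
KEY = b"\x42" * 32  # constructed; the victim never learns it


def weak_ransomware_encrypt(files: dict) -> dict:
    """Assumed weakness: one key and one fixed nonce reused for every file."""
    nonce = b"\x00" * 8
    return {name: encrypt(KEY, nonce, data) for name, data in files.items()}


def sound_ransomware_encrypt(files: dict) -> dict:
    """Sound counterpart: fresh random nonce per file, stored in front of the ciphertext."""
    out = {}
    for name, data in files.items():
        nonce = os.urandom(8)
        out[name] = nonce + encrypt(KEY, nonce, data)
    return out


def victim_recovery(encrypted: dict, known_name: str, known_plaintext: bytes,
                    target_name: str) -> bytes:
    """Known-plaintext recovery: derive the keystream from one file, apply to another."""
    ks = recover_keystream(known_plaintext, encrypted[known_name])
    return decrypt_prefix(ks, encrypted[target_name])


def demo() -> dict:
    files = {"template.docx": KNOWN_PLAINTEXT, "figures.txt": SECRET_FILE}

    weak = weak_ransomware_encrypt(files)
    weak_recovered = victim_recovery(weak, "template.docx", KNOWN_PLAINTEXT, "figures.txt")

    # If only the first 20 bytes of the template are known, only a 20-byte prefix comes back.
    partial_recovered = victim_recovery(weak, "template.docx", KNOWN_PLAINTEXT[:20], "figures.txt")

    # With per-file nonces the keystreams differ, so the same procedure yields garbage.
    sound = sound_ransomware_encrypt(files)
    sound_recovered = victim_recovery(sound, "template.docx", KNOWN_PLAINTEXT, "figures.txt")

    return {
        "weak_recovered": weak_recovered,
        "partial_recovered": partial_recovered,
        "sound_recovered": sound_recovered,
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```

The recovery needs no cryptanalysis of the cipher itself; it only needs the keystream to be reused, which is why a countermeasure of this kind has to be prepared in advance (a known file kept outside the machine) and why it cannot help against samples that derive a fresh key or nonce per file.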


Notes

  1. Drive-by download is a term used to describe how a piece of malware is installed on a user's computer without their knowledge when they browse a compromised website.

  2. Portmanteau of malware and advertisement.

  3. https://www.torproject.org/

  4. https://geti2p.net/fr/

  5. http://www.kaspersky.com/internet-security-center/threats/torrentlocker-malware

  6. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0311

  7. See RAND_poll in crypto/rand/rand_win.c.

  8. http://www.microsoft.com/en-us/download/details.aspx?id=18512

  9. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider

  10. PE: Portable Executable, the Windows executable file format.


Acknowledgments

The authors would like to thank Ronan Lashermes, Alexandre Gonzalvez and the anonymous reviewers for their valuable help and comments.

Author information

Corresponding author: Aurélien Palisse.


Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Palisse, A., Le Bouder, H., Lanet, JL., Le Guernic, C., Legay, A. (2017). Ransomware and the Legacy Crypto API. In: Cuppens, F., Cuppens, N., Lanet, JL., Legay, A. (eds) Risks and Security of Internet and Systems. CRiSIS 2016. Lecture Notes in Computer Science, vol 10158. Springer, Cham. https://doi.org/10.1007/978-3-319-54876-0_2

  • DOI: https://doi.org/10.1007/978-3-319-54876-0_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-54875-3

  • Online ISBN: 978-3-319-54876-0

  • eBook Packages: Computer Science (R0)
