Abstract
Ransomware such as WannaCry and Petya has been heavily covered in the news, but are their cryptographic models any different from those of their predecessors? Key management is crucial to these cryptoviral extortions, and for convenience they harness the Crypto APIs resident on the host. Simply stated, they command the victim's resources to lock the victim's resources. In this talk, we examine popular key management models deployed in infamous cryptovirii, with the ultimate objective of providing a deeper comprehension of exactly how resident APIs are being used against users. On a Windows host, CryptoAPI (CAPI) provides cryptographic services to applications. CSPs are sets of DLLs associated with CAPI that implement cryptographic functions such as CryptAcquireContext, CryptGenKey, CryptEncrypt, CryptImportKey, CryptExportKey and CryptDestroyKey. In Windows Vista and later, CNG replaces CAPI, and the ransomware menace persists. We explain the cryptographic functions exploited by several ransomware families and explore answers to crucial questions such as how and where the encryption key is generated, where it is stored, how it is protected while encrypting user data, and how it is securely purged. We provide graphical representations combined with pseudo-code embodying real-world Crypto API function calls pertaining to key management in ransomware. This talk delves deep into key management in present-day ransomware and is a direct result of real-world case studies of highly virulent infections. Dissections will be shown to back up the arguments.
AI Generated Summary (may contain errors)
Here is a summary of the content:
The speaker discusses the importance of understanding key management in ransomware attacks. They explain that ransomware developers often make mistakes; a 2015 study found that only 6% of 1300 ransomware variants were effective, suggesting that these mistakes can be exploited to recover files.
The speaker highlights three important steps in key management:
- CryptDestroyKey: This function is responsible for removing the encryption key from memory and ensuring it cannot be used again.
- CryptReleaseContext: This function releases the handle to the Cryptographic Service Provider (CSP) so that no further calls can be made.
The speaker presents a generic pseudocode scheme followed by many modern ransomware variants, which includes:
- Generating a handle to the CSP
- Generating a symmetric key using an algorithm like AES 128-bit
- Encrypting files using the symmetric key
- Cleaning up and making sure the encryption key is securely stored on the victim’s machine
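The scheme above, and the abstract's questions of where the key is stored and how it is protected, can be answered from the blobs that CryptExportKey writes out: a PLAINTEXTKEYBLOB leaves the session key in the clear, while a SIMPLEBLOB carries it wrapped with a key-exchange key. The following parser for those blob headers is an added example (not code from the talk or from Windows); the sample blobs are constructed here, and the AES and RSA key material in them is placeholder bytes.

```python
import struct

# BLOBHEADER.bType values and CUR_BLOB_VERSION from wincrypt.h
SIMPLEBLOB, PUBLICKEYBLOB, PRIVATEKEYBLOB, PLAINTEXTKEYBLOB = 0x01, 0x06, 0x07, 0x08
CUR_BLOB_VERSION = 0x02
# ALG_ID values commonly seen in ransomware key management (wincrypt.h)
ALG_NAMES = {0x660E: "AES-128", 0x660F: "AES-192", 0x6610: "AES-256",
             0x6801: "RC4", 0xA400: "RSA_KEYX"}


def parse_blob(blob: bytes) -> dict:
    """Parse the header of a CryptExportKey() blob and report how the key inside is protected."""
    if len(blob) < 8:
        raise ValueError("too short for a BLOBHEADER")
    # BLOBHEADER: BYTE bType, BYTE bVersion, WORD reserved, ALG_ID aiKeyAlg (little-endian)
    btype, bversion, reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if bversion != CUR_BLOB_VERSION or reserved != 0:
        raise ValueError("not a CUR_BLOB_VERSION BLOBHEADER")
    info = {"type": btype, "alg": ALG_NAMES.get(alg, hex(alg))}
    if btype == PLAINTEXTKEYBLOB:
        # BLOBHEADER, DWORD dwKeySize, BYTE rgbKeyData[]: the session key is stored in the clear
        (keylen,) = struct.unpack_from("<I", blob, 8)
        info.update(protection="none", key_len=keylen, key=blob[12:12 + keylen])
    elif btype == SIMPLEBLOB:
        # BLOBHEADER, ALG_ID algid, BYTE encryptedkey[]: session key wrapped with a key-exchange key
        (kex,) = struct.unpack_from("<I", blob, 8)
        info.update(protection="wrapped", wrapped_with=ALG_NAMES.get(kex, hex(kex)),
                    wrapped_len=len(blob) - 12)
    elif btype in (PUBLICKEYBLOB, PRIVATEKEYBLOB):
        # BLOBHEADER, RSAPUBKEY {magic "RSA1"/"RSA2", bitlen, pubexp}, then the key material
        magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
        info.update(protection="n/a", magic=magic.decode("ascii"), bits=bitlen, e=pubexp)
    else:
        info.update(protection="unknown")
    return info


# Constructed sample blobs (not real captures): key bytes and ciphertext are placeholders
SAMPLE_PLAINTEXT = struct.pack("<BBHI", PLAINTEXTKEYBLOB, 2, 0, 0x660E) + struct.pack("<I", 16) + bytes(range(16))
SAMPLE_SIMPLE = struct.pack("<BBHI", SIMPLEBLOB, 2, 0, 0x6610) + struct.pack("<I", 0xA400) + b"\xAA" * 128
SAMPLE_PUBKEY = struct.pack("<BBHI", PUBLICKEYBLOB, 2, 0, 0xA400) + struct.pack("<4sII", b"RSA1", 2048, 65537) + b"\xBB" * 256

if __name__ == "__main__":
    for name, blob in [("plaintext", SAMPLE_PLAINTEXT), ("simple", SAMPLE_SIMPLE), ("pubkey", SAMPLE_PUBKEY)]:
        print(name, parse_blob(blob))
```

Run over a memory dump or dropped file, a PLAINTEXTKEYBLOB hit means the session key was never protected, which is exactly the kind of flaw the speaker says a decrypter can build on.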
The speaker concludes that by understanding key management better than ransomware developers, we can quickly identify flaws and develop decrypters to recover files without paying the ransom.