Rad HAZU, Matematičke znanosti, Vol. 25 (2021), 1-13.

ANALYSIS OF ENCRYPTION SCHEMES IN MODERN RANSOMWARE

Roderik Ploszek, Peter Švec and Patrik Debnár

Institute of Computer Science and Mathematics, Faculty of Electrical Engineering and Information Technology, Slovak University of Technology in Bratislava, Slovakia
e-mail: roderik.ploszek@stuba.sk
e-mail: peter.svec1@stuba.sk
e-mail: xdebnar@stuba.sk


Abstract. In the past few years, ransomware activity has increased. As new variants and families of ransomware are developed, security systems have to keep up. A well-designed encryption system is at the heart of ransomware, and even a small mistake in the algorithm can break it. This paper analyzes 10 ransomware samples from various families. The goal of the analysis is to describe the encryption schemes used in current ransomware, including key generation and storage, the symmetric and asymmetric ciphers used, and their chosen implementation.

2020 Mathematics Subject Classification.   68M25, 94A60.

Key words and phrases.   Ransomware, computer security, encryption.



DOI: https://doi.org/10.21857/mnlqgc58gy


