Artificial intelligence to assist with ransomware cryptanalysis

Friday 5 October 10:00 - 10:30, Green room

Alexander Adamov (NioGuard Security Lab)



Despite threat actors switching from crypto extortion to cryptomining – a promising new area in which to earn millions of dollars [1], overtaking, for instance, the WannaCry ransomware in number of infections [2] – it is too early to talk about the extinction of ransomware. Cybersecurity Ventures predicted that global costs of damage due to ransomware would exceed $11.5 billion annually by 2019 [3]. Meanwhile, the cryptocurrency hype helps criminals push even more ransomware [4].

The new ransomware-as-a-service (RaaS) GandCrab (for which a decryptor is available at [5]) showed an unexpected rise at the beginning of 2018, threatening to become the number one piece of ransomware [6] and to outshine the well-known RaaS players of 2016 and 2017: Cerber, Locky and Spora [7]. We are also waiting for a GandCrab update.

The question most ransomware victims usually ask is: 'Can I decrypt my files without paying the ransom?' To answer this, it is necessary first to figure out how the ransomware encrypts the user's files. In particular:

  • Which crypto algorithm was used in the attack?
  • How does the ransomware generate the encryption key(s) and where does it store them for future decryption?
  • Is it possible to obtain or generate a decryption key or create a decryption tool?

This is where ransomware cryptanalysis comes into play. Unfortunately, such an analysis requires significant effort from an expert with specific reverse engineering skills and may take an indefinite amount of time [8]. To assist crypto researchers on this honourable path, artificial intelligence may come in handy.

In this talk, we'll take a deep look under the hood at the top ransomware families of 2017: Locky [9], Cerber [10] and Spora [11], as well as MoneroPay [12], ransomware posing as a fake cryptocurrency that was discovered at the beginning of 2018 (a decryptor is available at [13]).

Specifically, we’ll shed light on:

  • Encryption functions
  • Key generation
  • Structure of the encrypted file
  • Obfuscation techniques to protect the code against reverse engineering

Artificial intelligence will help us recognize cryptographic primitives using machine learning algorithms, dramatically reducing the time needed to localize and attribute the crypto code during ransomware analysis, where a signature-based approach (matching known constants or byte patterns) does not work.
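As an added illustration of the idea (not code from the talk or from NioGuard), the toy below labels a disassembled function as 'crypto' or 'other' from the relative frequency of its instruction mnemonics with a nearest-centroid classifier; the mnemonic vocabulary, the training streams and the class labels are all constructed assumptions, not features taken from any real sample.

```python
"""Toy crypto-primitive classifier over instruction-mnemonic histograms.

Added example: instead of matching fixed constants (signature approach),
a function is summarised as the fraction of each mnemonic it contains and
compared with per-class mean vectors. Training data below is constructed.
"""
from collections import Counter
import math

# Mnemonics used as feature dimensions (assumption, not from the talk).
VOCAB = ["mov", "xor", "rol", "ror", "shr", "shl", "and", "or", "add",
         "movzx", "cmp", "jmp", "jne", "call", "push", "pop", "lea", "ret"]

# Constructed training streams: bit-mixing heavy vs. control-flow heavy.
TRAINING = {
    "crypto": [
        "mov xor rol add xor ror add xor rol shr and movzx xor add rol xor".split(),
        "movzx xor shr and movzx xor shr xor movzx xor shl or xor and mov".split(),
        "xor add rol xor add ror xor shr and mov xor rol add xor add xor".split(),
    ],
    "other": [
        "push mov call cmp jne mov lea call mov pop ret".split(),
        "push push call add cmp jne lea mov call jmp mov pop pop ret".split(),
        "mov lea push call cmp jne mov call add pop ret".split(),
    ],
}

def features(mnemonics):
    """Normalised histogram: fraction of instructions per VOCAB entry."""
    counts = Counter(mnemonics)
    total = max(len(mnemonics), 1)
    return [counts.get(m, 0) / total for m in VOCAB]

def centroids(training):
    """Mean feature vector per class label."""
    out = {}
    for label, funcs in training.items():
        vecs = [features(f) for f in funcs]
        out[label] = [sum(col) / len(vecs) for col in zip(*vecs)]
    return out

def classify(mnemonics, cents):
    """Return (label, euclidean distance) of the nearest class centroid."""
    vec = features(mnemonics)
    best = min(cents, key=lambda lbl: math.dist(vec, cents[lbl]))
    return best, math.dist(vec, cents[best])

if __name__ == "__main__":
    c = centroids(TRAINING)
    print(classify("xor rol add xor ror xor shr and movzx xor rol add xor".split(), c))
```

A real pipeline would extract the mnemonic streams per function from a disassembler and train on many labelled samples; the point shown here is that the feature is statistical, so renamed constants or unrolled loops do not defeat it the way they defeat a byte signature.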

This talk will appeal to fans of reverse engineering, machine learning, and ransomware analysis.

[1] https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators

[2] https://documents.trendmicro.com/assets/rpt/rpt-2017-Annual-Security-Roundup-The-Paradox-of-Cyberthreats.pdf

[3] https://cybersecurityventures.com/ransomware-damage-report-2017-part-2/

[4] https://www.fortinet.com/blog/threat-research/spritecoin-another-new-cryptocurrency-or-not.html

[5] https://www.nomoreransom.org/en/index.html

[6] https://twitter.com/WDSecurity/status/968270740549193730

[7] https://documents.trendmicro.com/assets/rpt/rpt-2017-Annual-Security-Roundup-The-Paradox-of-Cyberthreats.pdf

[8] https://blog.checkpoint.com/wp-content/uploads/2016/10/GreatCryptoFailuresWhitepaper_Draft2.pdf

[9] https://www.acronis.com/en-us/blog/posts/locky-empire-strikes-back

[10] https://nioguard.blogspot.com/2017/07/new-variant-of-cerber-ransomware-ferber.html

[11] https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/

[12] https://nioguard.blogspot.com/2018/02/decryptor-for-moneropay-ransomware.html

[13] https://github.com/AlexanderAda/Ransomware-Decryptors/tree/master/MoneroPay


Alexander Adamov

Alexander Adamov is the founder and CEO of NioGuard Security Lab analysing targeted attacks and ransomware to create smart cybersecurity solutions with AI. As a teacher, he develops and teaches the Advanced Malware Analysis course in universities in Ukraine and Sweden. Alexander has worked for Kaspersky Lab, Lavasoft, Samsung, Mirantis and has spoken at various security conferences and workshops such as Virus Bulletin, Kaspersky Virus Analysts Summit, OpenStack Summit, OWASP, HackIT, and BSides.

@Alex_Ad
