Free Article -IT Pro: Attacking Key Management in Ransomware

Pranshu Bajpai Michigan State University Richard Enbody Michigan State University

Abstract

Ransomware have observed a steady growth over the years with several concerning trends that indicate efficient, targeted attacks against organizations and individuals alike. These opportunistic attackers indiscriminately target both public and private sector entities to maximize gain. In this article, we highlight the criticality of key management in ransomware's cryptosystem in order to facilitate building effective solutions against this threat. We introduce the ransomware kill chain to elucidate the path our adversaries must take to attain their malicious objective. We examine current solutions presented against ransomware in light of this kill chain and specify which constraints on ransomware are being violated by the existing solutions. Finally, we present the notion of memory attacks against ransomware's key management and present our initial experiments with dynamically extracting decryption keys from real-world ransomware. Results of our preliminary research are promising and the extracted keys were successfully deployed in subsequent data decryption.

Over the past several years, we have observed ransomware become the top cybersecurity threat against organizations and individuals alike. While the wave of modern ransomware attacks began with the spray-and-pray attacks seeking to encrypt random individual hosts, perhaps the most concerning trend now is the rise of targeted ransomware attacks that choose their victims meticulously and impact entire organizations as opposed to individuals. Consequently, the demanded ransom is increasing and has reached magnitudes of up to $1000000. Every ransomware performs four basic steps which include infiltration, acquiring a unique encryption secret, encrypting files on the host, and ultimately demanding the ransom. The encryption secret, or key, must be unique for each victim to prevent victims from sharing decryption keys among each other and neutralizing the campaign.

TRENDS IN MODERN RANSOMWARE

The cybercrime underground community has realized the magic vector for success and it includes the criticality of data and the information security poverty line. The security poverty line is a balance between an organization's security requirements and the available security budget. An organization is below the poverty line if the security requirements surpass the available budget. Ransomware operators have realized that often public sector organizations fall below this poverty line so such organizations are now targets. Any entity handling critical data with an insufficient security budget is the perfect target for these financially motivated cybercriminals.

There has been a clear shift in attack vectors over time which demonstrates the opportunistic tendencies of the cybercrime industry. Primarily, three types of attack vectors are deployed to deliver the initial ransomware infection. Social engineering is popular and includes phishing tactics to deceive the victim into clicking on a link or executing a malicious attachment. Other attack vectors are also gaining popularity. Exploitations of known vulnerabilities rose with WannaCry which exploited hosts vulnerable to the CVE-2017-0144 vulnerability. Only few months later NotPetya exploited the very same vulnerability, accentuating the need for routine and effective patch management. Finally, brute forcing remote login services is popular, especially with targeted attacks. Remote desktop protocol services with weak passwords are brute forced by the adversaries to gain unauthorized access and plant ransomware.

Not all ransomware are created cryptographically alike. Many ransomware are cryptographically flawed and joint efforts of the security research community facilitates decryptors for such ransomware (www.nomoreransom.org). Furthermore, Kharraz et al. discovered that 94% of ransomware are merely “scareware”—ransomware designed to piggyback on the success of other virulent ransomware but have no cryptographic functionality of their own. At the other end of the spectrum, are the highly potent Category 6 ransomware that have an effective cryptosystem such that access to the correct decryption key(s) is necessary for data decryption.

Ransomware resembles other crypto-software in that key management lies at the heart of its operations. Several key management models have been observed in the wild but the most virulent cryptosystem in use is illustrated in Figure 1. This hybrid cryptosystem derives its name from its use of both symmetric and asymmetric cryptographies. Symmetric encryption is much faster for bulk data encryption, but asymmetric encryption is much more flexible. Hence, a combination of the two is deployed such that a symmetric cipher, such as AES, is used for bulk data encryption and this encryption key is then encrypted with the attacker's (asymmetric) public key that came embedded in the malware.

Graphic: Hybrid encryption in modern ransomware.

Figure 1. Hybrid encryption in modern ransomware.

HYBRID CRYPTOSYSTEM IN REAL-WORLD RANSOMWARE

One hybrid example is the infamous WannaCry ransomware. This cryptosystem is outlined in the pseudocode in Algorithm 1. Here, a set of symmetric encryption keys, $S_{k} = {k_{0}, k_{1}, \dots k_{n}}$ , is created. Each of these keys pertain to a file encrypted on the host. Following file encryption, WannaCry encrypts this set $S_{k}$ with an RSA public key, $P_{k}$ , generated on the host such that only the corresponding private key, $P_{s}$ , can decrypt this set of encryption keys. This private key, $P_{s}$ , is then encrypted with the attacker's second RSA public key, $P_{A k}$ , that ships with the ransomware. In the absence of implementation flaws, this cryptosystem is unbreakable. Note that the second layer RSA key pair was likely introduced so the operators could decrypt and release the single, unique key, $P_{s}$ , to the victim upon ransom payment since this victim-specific RSA key pair was generated on the host and is unique to the host.

Result: Files encrypted!

hProv = CryptAcquireContext();

pubKey, priKey = genRSAKeyPair();

whilenextFiledo

iffileType in Fthen

symKey = CryptGenKey();

cryptFile(hProv, symKey);

encryptedsymKey = encryptKey(symKey,pubKey);

DeleteFile();

CryptDestroyKey(symKey);

malwarepubKey = CryptImportKey();

encryptedpriKey = encryptKey(priKey, malwarepubKey);

ransomNote();

LocalFree(priKey);

Algorithm 1. Hybrid Encryption in WannaCry

Fortunately, not all ransomware are of Category 6 and ransomware developers frequently make debilitating implementation errors. Therefore, it becomes incumbent for ransomware developers to invoke WinAPI, such as CryptoAPI calls, to minimize errors. Equipped with this knowledge, key escrow systems have been proposed that deny the perpetrators the required unique access to the decryption secret. However, there are two issues: legitimate user encryption keys could be escrowed or ransomware could carry their own cryptographic library.

CONSTRAINTS ON MODERN RANSOMWARE

Ransomware are no different from any other software in that they require certain conditions to attain the desired functionality. In cybersecurity, the concept of the cyber kill chain is the path an adversary must take in order to execute an effective attack. The constraints presented below constitute the kill chain for all ransomware. Every link in this kill chain is vital to our adversary since breaking a link breaks the entire chain. Removing one or more of these conditions will debilitate the ransomware:

C1– initial entry and execution;
C2– exclusive knowledge of a random integer;
C3– exclusive knowledge of decryption key;
C4– file access and modification privileges;
C5– denial of access to critical files; and
C6– functional payment route.

These constraints are explained as follows. Similar to other malware, ransomware seeks entry into hosts to commence infection. A wide variety of attack vectors are leveraged for this purpose (C1). Next, the ransomware can generate a unique, random integer (e.g., using CryptGenRandom) that is used to derive an encryption key. Alternatively, a key can be generated by invoking a key generation library routine on host (e.g., CryptGenKey). Clearly, in the case of symmetric encryption the secrecy of both the random integer used to derive the key (C2) and the key (C3) is paramount to successful ransom extraction. After acquiring the appropriate unique, random key, the ransomware compiles a list of files with extensions that the ransomware is seeking to encrypt. Note that ransomware typically do not encrypt system files (e.g., .dll or .sys) since encrypting these files cripples the system which would prevent the victim from paying the ransom. Next, the actual encryption commences which requires appropriate file modification privileges (C4). Ultimately, the ransomware must be able to deny access to critical data in order to gain the required leverage over the victim. For this reason, ransomware often include routines for explicitly purging all backups on the host and network (C5). For instance, volume shadow copies are removed by almost all effective ransomware. Finally, in the interest of financial gain, a functional payment route must exist between the victim and the ransomware operator (C6). In fact, we can observe a direct correlation between the prevalence of cryptocurrency and the growth of ransomware.

Identification of these constraints enables us to focus security efforts against ransomware in light of the kill chain. Few solutions exist that target the key management constraints (C2, C3) on ransomware. Attacking our adversary's key management enables data recovery without the dependence on backup management. Acquiring the encryption key(s) enables quick data recovery options so that all five NIST cybersecurity framework functions can be satisfied as discussed further.

NIST CYBERSECURITY FRAMEWORK

The NIST cybersecurity framework proposes five core functions that need to be performed concurrently to attain the desired state of security (www.nist.gov/cyberframework). These core functions are: identify, protect, detect, respond, and recover. In the context of ransomware, and malware in general, the bulk of the defense efforts are focused on the identification, protection, and detection functions. For instance, antimalware software and firewalls serve the protect and detect functions. A comprehensive approach is a defense-in-depth strategy that incorporates all five of the NIST functions. Particularly, more effort is needed toward response and recovery. Presently, maintaining complete and regular backups is the only practical solution that serves the recovery phase. However, since backups as a solution have existed for a while and the issue of ransomware persists, the need for furthering response and recovery solutions against ransomware is apparent. Backups simply cannot be solely relied upon as a defense against ransomware. In theory, backups offer the perfect solution, but, in practice, backups are often unavailable, partial, and infrequent. Apart from backups, successful “piracy” of the encryption key(s) is the only viable recovery option against ransomware.

A comparison of existing solutions against ransomware is summarized in Table 1. Table 1 shows where each solution stands with respect to the NIST cybersecurity framework and violated constraints. Most solutions such as Redemption, R-Locker, UNVEIL, and Microsoft's Controlled Folder Access (CFA) focus on the behavioral patterns of ransomware, thus utilizing constraint C4—a ransomware must access and modify files to encrypt them. PayBreak stands out as the only solution that attacks key management in ransomware and attempts to duplicate the encryption key. However, it can be easily circumvented by ransomware using obscure cryptographic libraries or carrying independent encryption routines within the ransomware binary. Attacking ransomware's key management (C2, C3) offers a promising, resource-efficient solution against ransomware.

Table 1. Comparison of proposed solutions against ransomware.

MEMORY ATTACKS AGAINST RANSOMWARE

Conventional implementations of encryption routines are highly insecure when a hostile entity controls the execution environment. Cryptography is meant to protect the confidentiality of data after encryption. It is assumed that data will be encrypted on a trusted host and hence key exposure during the encryption process is not considered a weakness. For ransomware, however, this assumption becomes a vulnerability since key(s) are exposed on the victim's machine. While killing a suspicious process is an aggressive action that could lead to system instability, scanning a suspicious process's memory space for exposed keys is a measured response.

We developed a side-channel attack on the ransomware's key management to extract exposed ransomware keys from system memory during the encryption process. Identification of AES, Serpent, TwoFish keys is possible due to their respective key schedules held in memory for efficiency during the encryption process. Thus, we scan suspicious processes’ memory space for the presence of symmetric keys. While we could scan all processes for keys, that would be inefficient. The indication of a process behaving suspiciously can be derived from its behavioral characteristics (e.g., by setting up honeytrap files.) This approach enables us to extract suspicious encryption keys from memory. Next, these keys require adequate protection. Therefore, the acquired symmetric key(s) are encrypted with a user's pre-established, (asymmetric) master public key before being exported to a secure off-site database. In the event of a ransomware attack, the database could be queried for decryption keys. Note that only the owner of the host can decrypt and deploy these keys since no other entity holds the corresponding master private key.

Extracting Symmetric Keys

We infected a Windows 10 machine with strains of modern Category 6 ransomware that are equipped with an effective hybrid cryptosystem. For instance, the LockCrypt ransomware (MD5: 3CF87E475A67977AB96DFF95230F8146) utilizes the hybrid cryptosystem shown in Figure 1. LockCrypt uses the same AES key to encrypt all files. Standard static analysis of the binary reveals that AES-256 is used as the symmetric cipher to encrypt files, whereas RSA-2048 is used as the asymmetric cipher that protects the encryption key. LockCrypt makes standard CryptoAPI calls during execution, such as CryptAcquireContext and CryptGenKey, similar to Algorithm 1. There are three primary components of our attack: the trigger, the key dump routine, and the key convoy. The trigger conditions are predetermined and enable automated detection of suspicious process. Once the trigger is activated, the key dump routine scans the suspicious process's memory for the presence of encryption keys. Unlike other solutions, our trigger condition does not need to be perfect since a false positive implies we search a benign process's memory for encryption keys. This search is not resource-intensive and hence can be tolerated in the event of a false positive. Finally, any discovered encryption keys will be handed off to the key convoy which includes a pre-established master key that encrypts all discovered keys and transfers them to an off-site database.

The first version of our AES key scanning tool discovered keys in memory within seconds for ransomware written in C or C++ since the process memory size for ransomware written in these languages averaged at 15 MB. After LockCrypt posted its ransom message, we queried the database for availability of the appropriate key. The encrypted AES-256 key is then decrypted with the RSA-2048 private key that only the system owner possesses. Files were then successfully decrypted. The overall scheme of our approach is highlighted in Figure 2.

Graphic: Model depicting a side-channel attack on LockCrypt.

Figure 2. Model depicting a side-channel attack on LockCrypt.

Our memory attack is a side-channel attack on the encryption process that leverages the knowledge that the encryption process is a white box on the host system. It follows that this approach will be successful in key extraction regardless of which cryptographic API is being used by the malware and regardless of whether a cryptographic API is being used by the malware at all. So far we have successfully decrypted files encrypted by the following real-world ransomware: NotPetya, WannaCry, LockCrypt, CryptoRoger, and AutoIT.

Extracting Asymmetric Keys

WannaCry exposes its victim-specific asymmetric private key in memory which offers an alternative attack. For this demonstration, we used a later strain of WannaCry (MD5: 9c2b0a3b1f3e28ef472c8c72f93d0165). RSA keys have a specific structure in memory which simplifies our search. Identifying that pattern enabled us to extract the RSA key from the running WannaCry process. Reverse engineering the WannaCry binary reveals that its decryption tool expects the raw bytes of the correct $P_{s}$ be available as 00000000.dky in order to decrypt. After providing $P_{s}$ , extracted earlier, in the expected binary format, the WannaCry decryption tool successfully decrypted all encrypted files.

CONCLUSION

The security of the symmetric encryption key is paramount to ransomware developers. Any lapse in key management has severe consequences impacting ransom extraction. Studying our adversary's key management offers a multitude of opportunities to attack critical components of the encryption process. Furthermore, a large subset of current ransomware exclusively deploy AES for data encryption. We were able to identify the exposed AES keys in ransomware process memory with a 100% success rate during preliminary experimentation.

Ransomware pose a severe threat to organizational security and necessitate the use of defense-in-depth strategies. Our adversaries operate under tight constraints that must be capitalized on for building effective solutions. Ransomware expose sensitive cryptographic keys in memory during data encryption. Symmetric keys are extracted by recognizing the corresponding key schedules, while asymmetric keys are extracted using their deterministic structure. These keys are securely transported to an off-site database such that decryption keys are available for self-recovery in the event of a ransomware attack.

REFERENCES

1.B. Herzog and Y. Balmas, “Great crypto failures,” 2016.
2.A. Kharraz, W. Robertson, D. Balzarotti, L. Bilge, and E. Kirda, “Cutting the gordian knot: A look under the hood of ransomware attacks,” in International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Berlin, Germany: Springer, 2015, pp. 3–24.
3.P. Bajpai, A. K. Sood, and R. Enbody, “A key-management-based taxonomy for ransomware,” in Proc. IEEE APWG Symp. Electron. Crime Res., 2018, pp. 1–12.
4.E. Kolodenker, W. Koch, G. Stringhini, and M. Egele, “Paybreak: Defense against cryptographic ransomware,” in Proc. ACM Asia Conf. Comput. Commun. Secur., 2017, pp. 599–611.
5.J. Gómez-Hernández, L. Álvarez-González, and P. García-Teodoro, “R-locker: Thwarting ransomware action through a honeyfile-based approach,” Comput. Secur., vol. 73, pp. 389–398, 2018.
6.A. Continella, et al., “Shieldfs: A self-healing, ransomware-aware filesystem,” in Proc. 32nd Annu. Conf. Comput. Secur. Appl., 2016, pp. 336–347.
7.A. Kharaz, S. Arshad, C. Mulliner, W. Robertson, and E. Kirda, “{UNVEIL}: A large-scale, automated approach to detecting ransomware,” in Proc. 25th {USENIX} Secur. Symp., 2016, pp. 757–772.
8.N. Scaife, H. Carter, P. Traynor, and K. R. Butler, “Cryptolock (and drop it): Stopping ransomware attacks on user data,” in Proc. IEEE 36th Int. Conf. Distrib. Comput. Syst., 2016, pp. 303–312.
9.A. Kharraz and E. Kirda, “Redemption: Real-time protection against ransomware at end-hosts,” in International Symposium on Research in Attacks, Intrusions, and Defenses. Berlin, Germany: Springer, 2017, pp. 98–119.
10.C. Maartmann-Moe, S. E. Thorkildsen, and A. Årnes, “The persistence of memory: Forensic identification and extraction of cryptographic keys,” Digit. Investigation, vol. 6, pp. S132–S140, 2009.
11.J. A. Halderman, et al., “Lest we remember: Cold-boot attacks on encryption keys,” Commun. ACM, vol. 52, no. 5, pp. 91–98, 2009.