Artificial intelligence to assist with ransomware cryptanalysis

Presented at VB2018, Oct. 5, 2018, 10 a.m. (30 minutes).

Despite threat actors switching from crypto extortion to cryptomining - a promising new area in which to earn millions of dollars [1], overtaking, for instance, the WannaCry ransomware in number of infections [2] - it is too early to talk about the extinction of ransomware. *Cybersecurity Ventures* predicted that global costs of damage due to ransomware would exceed $11.5 billion annually by 2019 [3]. Meanwhile, the cryptocurrency hype helps criminals push even more ransomware [4]. The new ransomware-as-a-service (RaaS) GandCrab (for which a decryptor is available at [5]) showed an unexpected rise at the beginning of 2018, threatening to become the number one piece of ransomware [6] and outshine the well known RaaS players from 2016 and 2017: Cerber, Locky and Spora [7]. Waiting for a GandCrab update. The question most ransomware victims usually ask is: 'Can I decrypt my files without paying the ransom?' To answer this, it is necessary first to figure out how the ransomware encrypts the user's files. In particular: * Which crypto algorithm was used in the attack? * How does the ransomware generate the encryption key(s) and where does it store them for future decryption? * Is it possible to obtain or generate a decryption key or create a decryption tool? This is where ransomware cryptanalysis comes into play. Unfortunately, such an analysis requires significant effort on the part of an expert with specific reverse engineering skills and may take an indefinite time [8]. To assist a crypto researcher in his honourable path, artificial intelligence may come in handy. In this talk, we'll take a deep look under the hood at the top ransomware families of 2017: Locky [9], Cerber [10], Spora [11], as well as MoneroPay ransomware [12] - a fake cryptocurrency discovered at the beginning of 2018 (for which a decryptor is available at [13]). Specifically, we'll shed light on: * Encryption functions * Key generation * Structure of the encrypted file * Obfuscation techniques to protect the code against reverse engineering Artificial intelligence will help us to recognize cryptographic primitives via machine learning algorithms that will dramatically reduce the time needed for the crypto code localization and attribution during ransomware analysis where a signature-based approach does not work. This talk will appeal to fans of reverse engineering, machine learning, and ransomware analysis. [1] [https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators ](https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators) [2] [https://documents.trendmicro.com/assets/rpt/rpt-2017-Annual-Security-Roundup-The-Paradox-of-Cyberthreats.pdf ](https://documents.trendmicro.com/assets/rpt/rpt-2017-Annual-Security-Roundup-The-Paradox-of-Cyberthreats.pdf) [3] [https://cybersecurityventures.com/ransomware-damage-report-2017-part-2/ ](https://cybersecurityventures.com/ransomware-damage-report-2017-part-2/) [4] [https://www.fortinet.com/blog/threat-research/spritecoin-another-new-cryptocurrency-or-not.html ](https://www.fortinet.com/blog/threat-research/spritecoin-another-new-cryptocurrency-or-not.html) [5] [https://www.nomoreransom.org/en/index.html ](https://www.nomoreransom.org/en/index.html) [6] [https://twitter.com/WDSecurity/status/968270740549193730 ](https://twitter.com/WDSecurity/status/968270740549193730) [7] [https://documents.trendmicro.com/assets/rpt/rpt-2017-Annual-Security-Roundup-The-Paradox-of-Cyberthreats.pdf ](https://documents.trendmicro.com/assets/rpt/rpt-2017-Annual-Security-Roundup-The-Paradox-of-Cyberthreats.pdf) [8] [https://blog.checkpoint.com/wp-content/uploads/2016/10/GreatCryptoFailuresWhitepaper\_Draft2.pdf ](https://blog.checkpoint.com/wp-content/uploads/2016/10/GreatCryptoFailuresWhitepaper_Draft2.pdf) [9] [https://www.acronis.com/en-us/blog/posts/locky-empire-strikes-back ](https://www.acronis.com/en-us/blog/posts/locky-empire-strikes-back) [10] [https://nioguard.blogspot.com/2017/07/new-variant-of-cerber-ransomware-ferber.html ](https://nioguard.blogspot.com/2017/07/new-variant-of-cerber-ransomware-ferber.html) [11] [https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/ ](https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/) [12] [https://nioguard.blogspot.com/2018/02/decryptor-for-moneropay-ransomware.html ](https://nioguard.blogspot.com/2018/02/decryptor-for-moneropay-ransomware.html) [13]

Presenters:

  • Alexander Adamov - NioGuard Security Lab
    Alexander Adamov Alexander Adamov is the founder and CEO of NioGuard Security Lab analysing targeted attacks and ransomware to create smart cybersecurity solutions with AI. As a teacher, he develops and teaches the Advanced Malware Analysis course in universities in Ukraine and Sweden. Alexander has worked for Kaspersky Lab, Lavasoft, Samsung, Mirantis and has spoken at various security conferences and workshops such as Virus Bulletin, Kaspersky Virus Analysts Summit, OpenStack Summit, OWASP, HackIT, and BSides. @Alex_Ad

Links:

Similar Presentations: