论文信息 - Ransomware and the Legacy Crypto API

Ransomware and the Legacy Crypto API

Ransomware are malicious software that encrypt their victim’s data and only return the decryption key in exchange of a ransom. After presenting their characteristics and main representatives, we introduce two original countermeasures allowing victims to decrypt their files without paying. The first one takes advantage of the weak mode of operation used by some ransomware. The second one intercept calls made to Microsoft’s Cryptographic API. Both methods must be active before the attack takes place, and none is general enough to handle all ransomware. Nevertheless our experimental results show that their combination can protect users from 50% of the active samples at our disposal.

[1] Helger Lipmaa,et al. Comments to NIST concerning AES Modes of Operations: CTR-Mode Encryption , 2000 .

[2] Moti Yung,et al. Cryptovirology: extortion-based security threats and countermeasures , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[3] Leyla Bilge,et al. Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks , 2015, DIMVA.

[4] Paul F. Syverson,et al. A taxonomy of replay attacks [cryptographic protocols] , 1994, Proceedings The Computer Security Foundations Workshop VII.

[5] Daniel J. Bernstein,et al. The Salsa20 Family of Stream Ciphers , 2008, The eSTREAM Finalists.

[6] Adi Shamir,et al. A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[7] Tibor Juhas. The use of elliptic curves in cryptography , 2007 .

[8] Sébastien Josse,et al. White-box attack context cryptovirology , 2009, Journal in Computer Virology.

[9] Galen C. Hunt,et al. Detours: binary interception of Win32 functions , 1999 .

[10] Alexandre Gazet,et al. Comparative analysis of various ransomware virii , 2010, Journal in Computer Virology.