SlideShare a Scribd company logo

Cryptanalysis in the Time of Ransomware

Download as PPTX, PDF
M
Mark Mager

This document outlines Mark Mager's presentation on cryptanalysis of ransomware. The presentation covers the typical execution flow of ransomware, including key generation, file encryption, and leaving ransom notes. It then discusses the cryptanalysis workflow of performing dynamic and reverse engineering analysis. Specific ransomware examples are walked through, including Powerware, Nemucod, TorrentLocker, and Apocalypse. Common issues seen in ransomware crypto implementations are highlighted. The document concludes that cryptanalysis is an iterative process of testing theories and developing proofs of concept to decrypt files.

Engineering
Related topics:
Reverse Engineering
1 of 48
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
Cryptanalysis in the Time of Ransomware July 28th 2017 DEF CON 25 Crypto Village Mark Mager
2  Senior Malware Researcher at Endgame  Reverse engineer and software dev  Please note: I am NOT a cryptographer  Washington, DC area  Previously at  US-CERT  CYBERCOM  Lockheed Martin  Battelle  Twitter - @magerbomb About Me
3 Agenda  Ransomware Execution Flow  Cryptanalysis Workflow  Walkthroughs • Powerware • Nemucod • TorrentLocker • Apocalypse  Research in the Field  Conclusion  Questions
4 Ransomware Execution Flow  Payload written disk and executed  Key generation / retrieval • Exchange with C2 (optional)  Enumeration / directory traversal • Files are individually encrypted • Ransom note in each directory (optional)
5 Cryptanalysis Workflow  Dynamic analysis • Observe network communications • Analyze encrypted files ∙ Magic byte sequences / watermarks ∙ Whole vs. partial encryption • Forensic artifacts on disk ∙ Reg keys, dropped files, event logs • Repeat tests multiple times ∙ Adjust environment as needed ∙ Known / chosen plaintext attacks  Reverse engineering • Identify crypto algorithm(s) used ∙ Implementation mistakes that may potentially weaken the crypto • Key generation, storage, transmission  Apply lessons learned to decrypter dev
6 Walkthroughs  Walk through ransomware encryption schemes that can be defeated  Older variants that are no longer in circulation  High level reverse engineering  Crypto implementation details • Note any differences b/w note and reality  Focus on devising POC for decrypting
Powerware
Cryptanalysis in the Time of Ransomware
Enumeration Crypto setup File write File Cleanup
10 Let’s deobfuscate this a little bit…
11 Much better! Now what sticks out?  Symmetric encryption • RijndaelManaged class (AES)  256 bit (32 byte) key  Initialization vector  Padding with zero  Cipher block chaining (CBC) mode
 Only the first 2048 bytes of the file are to be read in and encrypted  Files less than 2048 bytes are ignored  No further modifications made to the crypto object before CreateEncryptor() Deobfuscated file transformation code block
13 Back to the crypto setup…  Symmetric encryption • RijndaelManaged class (AES)  256 bit (32 byte) key  Initialization vector  Padding with zero  Cipher block chaining (CBC) mode
Cryptanalysis in the Time of Ransomware
Let’s build our own decrypter!
16
Nemucod
Cryptanalysis in the Time of Ransomware
2048 bytes max XOR static key
20 Nemucod  Asymmetric crypto • RSA-1024  XOR  Unique key generation  255 byte key • Hard-coded • Same for every file  Only the first 2048 bytes  Simple encrypter binary
How can we decrypt our files?
22
TorrentLocker
Cryptanalysis in the Time of Ransomware
Cryptanalysis in the Time of Ransomware
Decompiled view of ctr_encrypt
libtomcrypt source code
Decompiled view of aes_encrypt
libtomcrypt source code
30 TorrentLocker  From limited reverse engineering we know… • AES • Counter (CTR) mode • libtomcrypt  Could this potentially be vulnerable? • Implementation flaws Source: “Counter Mode Security: Analysis and Recommendations”
31 TorrentLocker  A = large plaintext file of NULL bytes • Exhaust keystream (if file size limitation)  B = non-NULL plaintext (arbitrary size < than A)  ENCRYPT(A) = A’  A’ XOR A = KEYSTREAM • A = NULL bytes ∙ XOR A is redundant ・ A’ = KEYSTREAM  ENCRYPT(B) = B’  B’ XOR KEYSTREAM = B How can we test for a flawed AES-CTR implementation?
Let’s see if this holds true…
33
34 TorrentLocker  AES  Counter (CTR) mode  Static key  Static IV / nonce  2 MB file size limit  No padding • Need to consider byte alignment and determine block size to cover edge cases
Apocalypse
Cryptanalysis in the Time of Ransomware
 After viewing ciphertexts spanning multiple file types, a magic byte sequence reveals itself • 77 2A 3C D0
 After encrypting a chosen plaintext containing solely null bytes • Appears to be some repetition
39 Apocalypse  Magic byte sequence  Repetition in ciphertext • Produced from NULL byte plaintext  Ransom note doesn’t mention encryption type  Let’s proceed with reverse engineering…
 Text search in IDA Pro for XOR operations • Most XORs just clearing out registers, but two stick out in sub_40108 • Good place to start, but it’s not always this easy
 The two XORs of interest are looped over  Appears that the previously identified magic byte sequence is written by the first WriteFile call  Second WriteFile writes out the transformed buffer containing the presumably encrypted data
Cryptanalysis in the Time of Ransomware
Cryptanalysis in the Time of Ransomware
Let’s test out the script…
45
46 Research in the Field  Tracking and reverse engineering new variants  Developing and releasing decrypters for free  BleepingComputer forums • BloodDolly  @malwarehunterteam • http://id-ransomware.malwarehunterteam.com  @malwaretech • WannaCry killswitch • https://www.malwaretech.com  @demonslay335  … and many others! Despite proliferation, researchers have kept pace
47 Conclusion  Crypto implementation issues prevalent • “Crypto is hard”  Ransom notes are not trustworthy for technical specs • Don’t believe the hype  RE and cryptanalysis / decrypter dev are not linear processes • Known / chosen plaintext attacks • Trial and error • Focus on sections where modifications occur, then dig deeper for more clues • Build out POC, then stress test and harden as needed to cover all edge cases
Thanks! Twitter - @magerbomb E-mail - mager@endgame.com

More Related Content

PDF
CNIT 141: 4. Block Ciphers
Sam Bowne
 
PDF
CNIT 141: 1. Encryption
Sam Bowne
 
PDF
CNIT 141: 6. Hash Functions
Sam Bowne
 
PDF
Block Ciphers Modes of Operation
Roman Oliynykov
 
PDF
CNIT 141 5. Stream Ciphers
Sam Bowne
 
PDF
Pyongyang Fortress
Mayank Dhiman
 
PDF
CNIT 1417. Keyed Hashing
Sam Bowne
 
PPTX
How to Secure Containers
Sysdig
 
CNIT 141: 4. Block Ciphers
Sam Bowne
 
CNIT 141: 1. Encryption
Sam Bowne
 
CNIT 141: 6. Hash Functions
Sam Bowne
 
Block Ciphers Modes of Operation
Roman Oliynykov
 
CNIT 141 5. Stream Ciphers
Sam Bowne
 
Pyongyang Fortress
Mayank Dhiman
 
CNIT 1417. Keyed Hashing
Sam Bowne
 
How to Secure Containers
Sysdig
 

What's hot (20)

PDF
CNIT 141: 1. Encryption
Sam Bowne
 
PPTX
Find the Hacker
Sysdig
 
PPTX
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Lane Huff
 
PDF
Block Cipher Modes of Operation And Cmac For Authentication
Vittorio Giovara
 
PDF
Sysdig Open Source Intro
Michael Ducy
 
PPTX
4055-841_Project_ShailendraSadh
Shailendra Sadh - CISSP
 
PDF
Authenticated Encryption Gcm Ccm
Vittorio Giovara
 
PDF
CNIT 141 6. Hash Functions
Sam Bowne
 
PDF
Software Security
Roman Oliynykov
 
PPTX
Block Cipher
Brandon Byungyong Jo
 
PPT
Block Ciphers Modes of Operation
Shafaan Khaliq Bhatti
 
PDF
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
RootedCON
 
PPT
RC4&RC5
guestff64339
 
PPTX
Malware analysis using volatility
Yashashree Gund
 
PDF
Unpack your troubles*: .NET packer tricks and countermeasures
ESET
 
PDF
Sysdig Tokyo Meetup 2018 02-27
Michael Ducy
 
PPT
13528 l8
ridhika_gulati
 
PPTX
I mage encryption using rc5
Suramrit Singh
 
PDF
Bootkits: Past, Present & Future - Virus Bulletin
ESET
 
PDF
Kalyna block cipher presentation in English
Roman Oliynykov
 
CNIT 141: 1. Encryption
Sam Bowne
 
Find the Hacker
Sysdig
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Lane Huff
 
Block Cipher Modes of Operation And Cmac For Authentication
Vittorio Giovara
 
Sysdig Open Source Intro
Michael Ducy
 
4055-841_Project_ShailendraSadh
Shailendra Sadh - CISSP
 
Authenticated Encryption Gcm Ccm
Vittorio Giovara
 
CNIT 141 6. Hash Functions
Sam Bowne
 
Software Security
Roman Oliynykov
 
Block Cipher
Brandon Byungyong Jo
 
Block Ciphers Modes of Operation
Shafaan Khaliq Bhatti
 
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
RootedCON
 
RC4&RC5
guestff64339
 
Malware analysis using volatility
Yashashree Gund
 
Unpack your troubles*: .NET packer tricks and countermeasures
ESET
 
Sysdig Tokyo Meetup 2018 02-27
Michael Ducy
 
13528 l8
ridhika_gulati
 
I mage encryption using rc5
Suramrit Singh
 
Bootkits: Past, Present & Future - Virus Bulletin
ESET
 
Kalyna block cipher presentation in English
Roman Oliynykov
 
Ad

Similar to Cryptanalysis in the Time of Ransomware (20)

DOCX
Discussion Question Contrast file encryption and volume encryptio.docx
JeniceStuckeyoo
 
PPTX
Advanced malwareanalysis training session2 botnet analysis part1
Cysinfo Cyber Security Community
 
PDF
CNIT 126: 13: Data Encoding
Sam Bowne
 
PDF
CNIT 126 13: Data Encoding
Sam Bowne
 
PPTX
Ch02 NetSec5e Network Security Essential Chapter 2.pptx
ridozulfahmi1
 
PDF
Image and text Encryption using RSA algorithm in java
PiyushPatil73
 
PDF
Practical Malware Analysis Ch13
Sam Bowne
 
PDF
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
CODE BLUE
 
PDF
Linux Kernel Cryptographic API and Use Cases
Kernel TLV
 
PDF
Aes jul-upload
Setia Juli Irzal Ismail
 
PPT
symet.crypto.hill.cipher.2023.ppt
halosidiq1
 
PDF
When AES(☢) = ☠ - Episode V
Ange Albertini
 
PDF
Searchable Encryption Systems
Christopher Frenz
 
PDF
DEFCON 23 - Eijah - crypto for hackers
Felipe Prado
 
PPTX
A study of cryptography for satellite applications
Rajesh Ishida
 
PDF
paper5.pdf
aminasouyah
 
PDF
doc5.pdf
aminasouyah
 
PDF
doc5.pdf
aminasouyah
 
PDF
lecture4.pdf
aminasouyah
 
PDF
sheet5.pdf
aminasouyah
 
Discussion Question Contrast file encryption and volume encryptio.docx
JeniceStuckeyoo
 
Advanced malwareanalysis training session2 botnet analysis part1
Cysinfo Cyber Security Community
 
CNIT 126: 13: Data Encoding
Sam Bowne
 
CNIT 126 13: Data Encoding
Sam Bowne
 
Ch02 NetSec5e Network Security Essential Chapter 2.pptx
ridozulfahmi1
 
Image and text Encryption using RSA algorithm in java
PiyushPatil73
 
Practical Malware Analysis Ch13
Sam Bowne
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
CODE BLUE
 
Linux Kernel Cryptographic API and Use Cases
Kernel TLV
 
Aes jul-upload
Setia Juli Irzal Ismail
 
symet.crypto.hill.cipher.2023.ppt
halosidiq1
 
When AES(☢) = ☠ - Episode V
Ange Albertini
 
Searchable Encryption Systems
Christopher Frenz
 
DEFCON 23 - Eijah - crypto for hackers
Felipe Prado
 
A study of cryptography for satellite applications
Rajesh Ishida
 
paper5.pdf
aminasouyah
 
doc5.pdf
aminasouyah
 
doc5.pdf
aminasouyah
 
lecture4.pdf
aminasouyah
 
sheet5.pdf
aminasouyah
 
Ad

Recently uploaded (20)

PDF
737-MAX_SRG.pdf student reference guides
ssusere2119a1
 
PPTX
Safety Seminar civil to be ensured for safe working.
DILJEETKUMAR8
 
PPTX
Sustainable Sites - Green Building Construction
mhdumerali
 
PPTX
Internet of Things (IOT) - A guide to understanding
Davies Chacko
 
PDF
Human-AI Collaboration: Balancing Agentic AI and Autonomy in Hybrid Systems
ijccsa
 
PDF
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
smceramu
 
PDF
Model Code of Practice - Construction Work - 21102022 .pdf
AinieButt1
 
PDF
Unit I ESSENTIAL OF DIGITAL MARKETING.pdf
Nitin Shelake
 
PDF
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
Educational Group Mohammad Farshadian
 
PDF
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
PPTX
Artificial Intelligence
dikshendrasarpate2
 
PDF
TFEC-4-2020-Design-Guide-for-Timber-Roof-Trusses.pdf
AinieButt1
 
DOCX
573137875-Attendance-Management-System-original
AYUSHMANAV
 
PPTX
Current and future trends in Computer Vision.pptx
Subramanyam Natarajan
 
PPTX
Fundamentals of safety and accident prevention -final (1).pptx
Palani kumar
 
PPTX
CYBER-CRIMES AND SECURITY A guide to understanding
Davies Chacko
 
PPT
Project quality management in manufacturing
BarMusaTetik
 
PDF
R24 SURVEYING LAB MANUAL for civil enggi
MNANDITHACIVILSTAFF
 
PDF
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
DOCX
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
AYUSHMANAV
 
737-MAX_SRG.pdf student reference guides
ssusere2119a1
 
Safety Seminar civil to be ensured for safe working.
DILJEETKUMAR8
 
Sustainable Sites - Green Building Construction
mhdumerali
 
Internet of Things (IOT) - A guide to understanding
Davies Chacko
 
Human-AI Collaboration: Balancing Agentic AI and Autonomy in Hybrid Systems
ijccsa
 
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
smceramu
 
Model Code of Practice - Construction Work - 21102022 .pdf
AinieButt1
 
Unit I ESSENTIAL OF DIGITAL MARKETING.pdf
Nitin Shelake
 
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
Educational Group Mohammad Farshadian
 
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
Artificial Intelligence
dikshendrasarpate2
 
TFEC-4-2020-Design-Guide-for-Timber-Roof-Trusses.pdf
AinieButt1
 
573137875-Attendance-Management-System-original
AYUSHMANAV
 
Current and future trends in Computer Vision.pptx
Subramanyam Natarajan
 
Fundamentals of safety and accident prevention -final (1).pptx
Palani kumar
 
CYBER-CRIMES AND SECURITY A guide to understanding
Davies Chacko
 
Project quality management in manufacturing
BarMusaTetik
 
R24 SURVEYING LAB MANUAL for civil enggi
MNANDITHACIVILSTAFF
 
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
AYUSHMANAV
 

Cryptanalysis in the Time of Ransomware

  • 1. Cryptanalysis in the Time of Ransomware July 28th 2017 DEF CON 25 Crypto Village Mark Mager
  • 2. 2  Senior Malware Researcher at Endgame  Reverse engineer and software dev  Please note: I am NOT a cryptographer  Washington, DC area  Previously at  US-CERT  CYBERCOM  Lockheed Martin  Battelle  Twitter - @magerbomb About Me
  • 3. 3 Agenda  Ransomware Execution Flow  Cryptanalysis Workflow  Walkthroughs • Powerware • Nemucod • TorrentLocker • Apocalypse  Research in the Field  Conclusion  Questions
  • 4. 4 Ransomware Execution Flow  Payload written disk and executed  Key generation / retrieval • Exchange with C2 (optional)  Enumeration / directory traversal • Files are individually encrypted • Ransom note in each directory (optional)
  • 5. 5 Cryptanalysis Workflow  Dynamic analysis • Observe network communications • Analyze encrypted files ∙ Magic byte sequences / watermarks ∙ Whole vs. partial encryption • Forensic artifacts on disk ∙ Reg keys, dropped files, event logs • Repeat tests multiple times ∙ Adjust environment as needed ∙ Known / chosen plaintext attacks  Reverse engineering • Identify crypto algorithm(s) used ∙ Implementation mistakes that may potentially weaken the crypto • Key generation, storage, transmission  Apply lessons learned to decrypter dev
  • 6. 6 Walkthroughs  Walk through ransomware encryption schemes that can be defeated  Older variants that are no longer in circulation  High level reverse engineering  Crypto implementation details • Note any differences b/w note and reality  Focus on devising POC for decrypting
  • 10. 10 Let’s deobfuscate this a little bit…
  • 11. 11 Much better! Now what sticks out?  Symmetric encryption • RijndaelManaged class (AES)  256 bit (32 byte) key  Initialization vector  Padding with zero  Cipher block chaining (CBC) mode
  • 12.  Only the first 2048 bytes of the file are to be read in and encrypted  Files less than 2048 bytes are ignored  No further modifications made to the crypto object before CreateEncryptor() Deobfuscated file transformation code block
  • 13. 13 Back to the crypto setup…  Symmetric encryption • RijndaelManaged class (AES)  256 bit (32 byte) key  Initialization vector  Padding with zero  Cipher block chaining (CBC) mode
  • 15. Let’s build our own decrypter!
  • 16. 16
  • 19. 2048 bytes max XOR static key
  • 20. 20 Nemucod  Asymmetric crypto • RSA-1024  XOR  Unique key generation  255 byte key • Hard-coded • Same for every file  Only the first 2048 bytes  Simple encrypter binary
  • 21. How can we decrypt our files?
  • 22. 22
  • 26. Decompiled view of ctr_encrypt
  • 28. Decompiled view of aes_encrypt
  • 30. 30 TorrentLocker  From limited reverse engineering we know… • AES • Counter (CTR) mode • libtomcrypt  Could this potentially be vulnerable? • Implementation flaws Source: “Counter Mode Security: Analysis and Recommendations”
  • 31. 31 TorrentLocker  A = large plaintext file of NULL bytes • Exhaust keystream (if file size limitation)  B = non-NULL plaintext (arbitrary size < than A)  ENCRYPT(A) = A’  A’ XOR A = KEYSTREAM • A = NULL bytes ∙ XOR A is redundant ・ A’ = KEYSTREAM  ENCRYPT(B) = B’  B’ XOR KEYSTREAM = B How can we test for a flawed AES-CTR implementation?
  • 32. Let’s see if this holds true…
  • 33. 33
  • 34. 34 TorrentLocker  AES  Counter (CTR) mode  Static key  Static IV / nonce  2 MB file size limit  No padding • Need to consider byte alignment and determine block size to cover edge cases
  • 37.  After viewing ciphertexts spanning multiple file types, a magic byte sequence reveals itself • 77 2A 3C D0
  • 38.  After encrypting a chosen plaintext containing solely null bytes • Appears to be some repetition
  • 39. 39 Apocalypse  Magic byte sequence  Repetition in ciphertext • Produced from NULL byte plaintext  Ransom note doesn’t mention encryption type  Let’s proceed with reverse engineering…
  • 40.  Text search in IDA Pro for XOR operations • Most XORs just clearing out registers, but two stick out in sub_40108 • Good place to start, but it’s not always this easy
  • 41.  The two XORs of interest are looped over  Appears that the previously identified magic byte sequence is written by the first WriteFile call  Second WriteFile writes out the transformed buffer containing the presumably encrypted data
  • 44. Let’s test out the script…
  • 45. 45
  • 46. 46 Research in the Field  Tracking and reverse engineering new variants  Developing and releasing decrypters for free  BleepingComputer forums • BloodDolly  @malwarehunterteam • http://id-ransomware.malwarehunterteam.com  @malwaretech • WannaCry killswitch • https://www.malwaretech.com  @demonslay335  … and many others! Despite proliferation, researchers have kept pace
  • 47. 47 Conclusion  Crypto implementation issues prevalent • “Crypto is hard”  Ransom notes are not trustworthy for technical specs • Don’t believe the hype  RE and cryptanalysis / decrypter dev are not linear processes • Known / chosen plaintext attacks • Trial and error • Focus on sections where modifications occur, then dig deeper for more clues • Build out POC, then stress test and harden as needed to cover all edge cases
  • 48. Thanks! Twitter - @magerbomb E-mail - mager@endgame.com