algorithm
• Visualization is your friend!
2. Checking the implementation correctness
3. Identifying the key generator
• Is the key unique for each file?
4. Identifying how the key is stored
[Figure: the same file rendered as an image: Original file / Encrypted by Cerber / Encrypted by Locky / Encrypted by zCrypt]
High entropy, no patterns visible: often stream ciphers or chained block modes (e.g. AES-CBC), rarely RSA
https://github.com/hasherezade/crypto_utils/blob/master/file2png.py
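The rule of thumb above (low entropy, repeating blocks, or high entropy with no visible structure) can be checked without an image viewer. The following is an added example, not code from the deck or from crypto_utils: it measures entropy and repeated aligned 16-byte blocks, classifies the sample accordingly, and writes a PGM image in the spirit of file2png.py. The key, the "original file" and the two toy ciphers standing in for ransomware output are constructed; `_ecb_like` and `_stream_like` are hypothetical stand-ins, not real ransomware code.

```python
import hashlib
import math
from collections import Counter

BLOCK = 16  # AES block size; repeated aligned 16-byte blocks are the signature of ECB mode


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for text, close to 8.0 for good ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def repeated_block_ratio(data: bytes, block_size: int = BLOCK) -> float:
    """Fraction of aligned blocks that occur more than once (0.0 for a good stream/CBC cipher)."""
    blocks = [data[i:i + block_size] for i in range(0, len(data) - block_size + 1, block_size)]
    if not blocks:
        return 0.0
    counts = Counter(blocks)
    return sum(c for c in counts.values() if c > 1) / len(blocks)


def classify(data: bytes) -> str:
    """Rough triage following the slide's rule of thumb."""
    if shannon_entropy(data) < 7.0:
        return "low entropy: plaintext, weak encoding or partial encryption"
    if repeated_block_ratio(data) > 0.05:
        return "high entropy with repeating blocks: ECB-style block cipher"
    return "high entropy, no visible patterns: stream cipher or chained block mode (or RSA)"


def to_pgm(data: bytes, width: int = 64) -> bytes:
    """Render the bytes as an 8-bit grayscale PGM image, one byte per pixel (same idea as file2png.py)."""
    height = -(-len(data) // width)
    padded = data + bytes(width * height - len(data))
    return b"P5\n%d %d\n255\n" % (width, height) + padded


# Constructed samples: an "original file" and two toy ransomware outputs (not real malware output).
_KEY = b"constructed-demo-key"
PLAINTEXT = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]


def _ecb_like(data: bytes) -> bytes:
    # Toy ECB stand-in: each 16-byte block becomes a keyed hash of its content, so
    # equal plaintext blocks give equal ciphertext blocks, exactly the weakness ECB has.
    return b"".join(hashlib.sha256(_KEY + data[i:i + BLOCK]).digest()[:BLOCK]
                    for i in range(0, len(data), BLOCK))


def _stream_like(data: bytes) -> bytes:
    # Toy stream-cipher stand-in: XOR with a SHA-256 counter-mode keystream.
    stream = b"".join(hashlib.sha256(_KEY + i.to_bytes(8, "big")).digest()
                      for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, stream))


SAMPLES = {"original": PLAINTEXT, "ecb_like": _ecb_like(PLAINTEXT), "stream_like": _stream_like(PLAINTEXT)}


def triage_all() -> dict:
    """Classification for every constructed sample, keyed by sample name."""
    return {name: classify(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12s} entropy={shannon_entropy(blob):.2f} "
              f"repeated_blocks={repeated_block_ratio(blob):.2f}  {classify(blob)}")
        with open(f"{name}.pgm", "wb") as f:   # open these in any image viewer
            f.write(to_pgm(blob))
```

The repeated-block check is what makes the ECB case visible in the image as well: the same plaintext block always maps to the same ciphertext block, so structure from the original shows through even though every individual byte looks random.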
1. Where the content is read from the file
2. Where the content is written to the file
3. Search for the call to the encryption function between 1 and 2!
4. Search for where the encryption key comes from
5. Search for how the key is stored after use
from malware’s memory
• Save the file encrypted by the malware
• Encrypt the original file with a valid implementation of the identified algorithm
• Compare the results
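Comparing the two results byte by byte tells more than "equal / not equal". The following added example (not code from the deck) uses textbook RC4 as the stand-in for "a valid implementation of the identified algorithm"; the dumped key, the original file and the three malware outputs are constructed. It distinguishes a confirmed match from a wrong key, from partial encryption (only the first part of the file is encrypted, a common ransomware shortcut), and from a later divergence worth investigating.

```python
# Added example: does a reference implementation of the identified algorithm, fed the key
# dumped from the malware's memory, reproduce the file the malware wrote? Textbook RC4 is
# the stand-in for "a valid implementation"; key, original file and malware outputs are constructed.


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); used only as the reference implementation here."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def first_mismatch(a: bytes, b: bytes):
    """Offset of the first byte where a and b differ; None if they agree over their common length."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None


def plaintext_tail_start(original: bytes, output: bytes):
    """Smallest offset from which the output is still untouched plaintext (None if lengths differ)."""
    if len(original) != len(output):
        return None
    i = len(original)
    while i > 0 and original[i - 1] == output[i - 1]:
        i -= 1
    return i


def compare_encryptions(original: bytes, malware_output: bytes, reference_output: bytes) -> dict:
    """Relate the malware's ciphertext to the reference ciphertext and explain the difference."""
    result = {
        "length_delta": len(malware_output) - len(reference_output),
        "first_mismatch": first_mismatch(malware_output, reference_output),
        "plaintext_tail_from": plaintext_tail_start(original, malware_output),
    }
    tail = result["plaintext_tail_from"]
    if malware_output == reference_output:
        result["verdict"] = "confirmed"      # algorithm and key reproduce the file byte for byte
    elif malware_output == original:
        result["verdict"] = "unencrypted"    # this file was never touched
    elif tail is not None and 0 < tail < len(original) and malware_output[:tail] == reference_output[:tail]:
        result["verdict"] = "partial"        # only the first `tail` bytes are encrypted; the rest is plaintext
    elif result["first_mismatch"] is not None and result["first_mismatch"] < 16:
        result["verdict"] = "no_match"       # wrong key, wrong algorithm or a custom key schedule
    else:
        result["verdict"] = "diverges"       # matches for a while: look for re-keying, chunking or appended data
    return result


# Constructed inputs: the "key from the memory dump", the original file, and three malware outputs.
KEY = b"constructed-key-from-memory-dump"
ORIGINAL = b"%PDF-1.7\n" + b"0123456789 constructed file body\n" * 200
REFERENCE = rc4(KEY, ORIGINAL)                                  # our own encryption of the original
MALWARE_FULL = rc4(KEY, ORIGINAL)                               # malware encrypted the whole file
MALWARE_PARTIAL = rc4(KEY, ORIGINAL[:1024]) + ORIGINAL[1024:]   # malware encrypted only the first 1 KiB
MALWARE_OTHER_KEY = rc4(b"not-the-dumped-key", ORIGINAL)        # our key guess was wrong

if __name__ == "__main__":
    for name, blob in (("full", MALWARE_FULL), ("partial", MALWARE_PARTIAL), ("other key", MALWARE_OTHER_KEY)):
        r = compare_encryptions(ORIGINAL, blob, REFERENCE)
        print(f"{name:10s} verdict={r['verdict']:12s} first_mismatch={r['first_mismatch']} "
              f"plaintext_tail_from={r['plaintext_tail_from']}")
```

A "partial" verdict is worth recording in the decryptor: the tail must be copied through untouched, and the boundary often comes from a size constant in the malware rather than from the file.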
the custom algorithm
Approach:
• Analyze the code and reverse the steps
• Implement the decoder
https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/
https://github.com/hasherezade/malware_analysis/tree/master/7ev3n
of the custom algorithm (no generic solution)
• Additional data required (e.g. the path to the file)
@leo_and_stone (only in Red Petya):
• Due to the specifics of the vulnerability, we can measure the progress in cracking
• Genetic algorithms can be used to make the correct key “evolve”
approach works?
• Only in cases when we can measure the progress!
Example: the closer we are to the correct key, the fewer unmatching characters we get in the verification buffer
Demo of genetic algorithms applied:
1) Red Petya: https://asciinema.org/a/87075
2) Green Petya: https://asciinema.org/a/87077
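The following is an added example (not the Petya key recovery tool and not code from the deck) that shows the condition stated above in working form. It is built on a constructed toy: a 16-character key over a constructed alphabet, a keystream in which byte i depends only on key character i mod 16, and a verification buffer of repeated filler bytes. Because each wrong character spoils a fixed number of buffer bytes, the mismatch count is a usable fitness function and a plain genetic algorithm converges; the second oracle shows what happens when the check is all-or-nothing and there is no progress to measure.

```python
import random
import string

# Added example: a genetic search for the key when the verification step leaks how close a
# candidate is. Alphabet, key length, the toy keystream and the verification buffer are all constructed.
ALPHABET = string.ascii_lowercase + string.digits
KEY_LEN = 16
BUFFER_LEN = 128
FILLER = 0x37   # a correctly decrypted verification buffer consists of this byte only (constructed)


def toy_keystream(key: str, length: int) -> bytes:
    # Toy weakness: keystream byte i depends only on key character i % KEY_LEN, so each
    # wrong character spoils exactly BUFFER_LEN // KEY_LEN bytes and nothing else.
    return bytes((ord(key[i % len(key)]) * 167 + i * 29) & 0xFF for i in range(length))


def xor_stream(key: str, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key, len(data))))


SECRET_KEY = "".join(random.Random(2016).choices(ALPHABET, k=KEY_LEN))   # unknown to the search
ENCRYPTED_VERIFICATION = xor_stream(SECRET_KEY, bytes([FILLER]) * BUFFER_LEN)


def leaky_oracle(candidate: str) -> int:
    """Bytes still wrong after decrypting the verification buffer with the candidate.
    0 means the key is right; smaller means closer, so the search can measure its progress."""
    return sum(1 for b in xor_stream(candidate, ENCRYPTED_VERIFICATION) if b != FILLER)


def all_or_nothing_oracle(candidate: str) -> int:
    """What a sound check looks like (e.g. comparing a hash of the decrypted buffer):
    every wrong key scores the same, so there is no gradient to follow."""
    return 0 if candidate == SECRET_KEY else BUFFER_LEN


def evolve_key(oracle, seed: int = 1, pop_size: int = 80, max_generations: int = 3000,
               mutation_rate: float = 0.1):
    """Generational GA: truncation selection, one-point crossover, per-character mutation, elitism.
    Returns (key, generations) when a candidate scores 0, else (None, max_generations)."""
    rng = random.Random(seed)
    population = ["".join(rng.choices(ALPHABET, k=KEY_LEN)) for _ in range(pop_size)]
    for generation in range(max_generations):
        ranked = sorted(population, key=oracle)
        if oracle(ranked[0]) == 0:
            return ranked[0], generation
        parents = ranked[:max(2, pop_size // 5)]
        children = [ranked[0]]                  # elitism: the best key so far is never lost
        while len(children) < pop_size:
            a, b = rng.sample(parents, 2)
            cut = rng.randrange(1, KEY_LEN)
            child = list(a[:cut] + b[cut:])     # one-point crossover
            for i in range(KEY_LEN):
                if rng.random() < mutation_rate:
                    child[i] = rng.choice(ALPHABET)
            children.append("".join(child))
        population = children
    return None, max_generations


if __name__ == "__main__":
    key, gens = evolve_key(leaky_oracle)
    print(f"leaky check: recovered {key!r} after {gens} generations (secret was {SECRET_KEY!r})")
    key, gens = evolve_key(all_or_nothing_oracle, max_generations=50)
    print(f"sound check: {key!r} after {gens} generations, as expected no progress is possible")
```

The design lesson for anyone writing a verification routine is the contrast between the two oracles: a check whose result degrades gradually with the number of wrong key characters turns a 36^16 search into a handful of independent 36-way searches.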
• Approximate the timestamp by knowing the date of the ransom note and/or the file modification timestamp
• Validate the key by the header typical for the file format
https://github.com/hasherezade/dma_unlocker
Unlocker
https://github.com/hasherezade/dma_unlocker
• Challenge: easy adding of support for a new file format
• Solution: make a folder that is a set of the format’s samples. The file name is the number of bytes to match. Some formats need to be handled in a special way...
• Use/implement the decryption algorithm
• Make a “dictionary” attack on the encrypted file (using the set of leaked keys as the dictionary)
https://blog.malwarebytes.com/cybercrime/2016/08/decrypting-chimera-ransomware/
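The timestamp search for DMA Locker and the leaked-key dictionary attack for Chimera share one structure: a source of candidate keys, and a validator that accepts a candidate when the decrypted file starts with a header typical for a known format. The following added example (not the dma_unlocker or Chimera decryptor code) implements that structure, including the sample-folder convention described above: `<root>/<format>/<N>` holds a real file of that format and the file name `N` is the number of leading bytes to match. The cipher (a PRNG-seeded XOR stream), the timestamp-as-key derivation, the leaked key list and all files are constructed stand-ins, not the real ransomware's scheme.

```python
import datetime
import os
import random
import tempfile

# Added example (not the dma_unlocker or Chimera decryptor code): candidate-key search
# validated by file-format headers. Cipher, key derivation and all files are constructed.


def toy_cipher(key: int, data: bytes) -> bytes:
    """Constructed stand-in: XOR with a PRNG keystream seeded by the key (decrypts as well)."""
    rng = random.Random(key)
    return bytes(b ^ rng.getrandbits(8) for b in data)


def load_format_samples(root: str) -> dict:
    """<root>/<format>/<N>: the file name N is the number of leading bytes to match."""
    samples = {}
    for fmt in sorted(os.listdir(root)):
        fmt_dir = os.path.join(root, fmt)
        for name in sorted(os.listdir(fmt_dir)):
            with open(os.path.join(fmt_dir, name), "rb") as f:
                samples.setdefault(fmt, []).append(f.read(int(name)))
    return samples


def matching_format(decrypted_head: bytes, samples: dict):
    """Name of the first format whose sample prefix matches, or None."""
    for fmt, prefixes in samples.items():
        if any(decrypted_head.startswith(p) for p in prefixes):
            return fmt
    return None


def recover_key(encrypted: bytes, candidates, samples: dict, head_len: int = 64):
    """Try every candidate on the first head_len bytes only (cheap) and stop at the first
    candidate that yields a known header. Returns (key, format) or None."""
    head = encrypted[:head_len]
    for key in candidates:
        fmt = matching_format(toy_cipher(key, head), samples)
        if fmt:
            return key, fmt
    return None


def timestamps_before(note_time: datetime.datetime, window_seconds: int):
    """Candidates for a timestamp-seeded key: every second in the window before the
    ransom note was written, most recent first."""
    end = int(note_time.replace(tzinfo=datetime.timezone.utc).timestamp())
    return range(end, end - window_seconds, -1)


# Constructed sample folder with three formats (longer than N bytes; only N are used).
_tmp = tempfile.TemporaryDirectory()
for _fmt, _n, _magic in (("pdf", 4, b"%PDF-1.4\n%constructed"),
                         ("png", 8, b"\x89PNG\r\n\x1a\n\0\0\0\rIHDR"),
                         ("zip", 4, b"PK\x03\x04\x14\0\0\0")):
    os.makedirs(os.path.join(_tmp.name, _fmt))
    with open(os.path.join(_tmp.name, _fmt, str(_n)), "wb") as _f:
        _f.write(_magic)
SAMPLES = load_format_samples(_tmp.name)

# DMA Locker-style scenario: key derived from the time of encryption (constructed), note written later.
NOTE_TIME = datetime.datetime(2016, 8, 1, 14, 0, 0)
TRUE_TIMESTAMP = int(datetime.datetime(2016, 8, 1, 12, 34, 56, tzinfo=datetime.timezone.utc).timestamp())
ENCRYPTED_PDF = toy_cipher(TRUE_TIMESTAMP, b"%PDF-1.7\n" + b"constructed pdf body\n" * 50)

# Chimera-style scenario: a constructed list of "leaked" keys used as the dictionary.
LEAKED_KEYS = [0x2B4F8A1C, 0x7E1D0C93, 0x5A5A5A5A, 0x19C0FFEE]
ENCRYPTED_PNG = toy_cipher(LEAKED_KEYS[2], b"\x89PNG\r\n\x1a\n" + b"\0" * 200)

if __name__ == "__main__":
    print("timestamp search:", recover_key(ENCRYPTED_PDF, timestamps_before(NOTE_TIME, 3 * 3600), SAMPLES))
    print("dictionary attack:", recover_key(ENCRYPTED_PNG, LEAKED_KEYS, SAMPLES))
```

Decrypting only the file head keeps each candidate cheap, which is what makes a window of several hours of one-second timestamps affordable; the folder convention means a new format is added by dropping a sample file in, with no code change. Formats whose magic is not at offset 0, or that have several possible headers, are the "special way" cases: they need a sample per variant or a matcher that knows the offset.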
go wrong
• Some people still ignore the advice not to roll your own crypto
• Ransomware authors keep improving their products, so the decryptors have a short life span...
• The most important thing is prevention