Challenges in Cyber Security: Ransomware Phenomenon
Ransomware has become one of the major threats of our day due to its huge impact and the increasing rate of infections around the world. According to https://www.adaware.com/blog/cryptowall-ransomware-cost-users-325-million-in-2015, just one family, CryptoWall 3, was responsible for damages of over 325 million dollars since its discovery in 2015. Recently, another ransomware family called WannaCry appeared in cyberspace and, according to https://www.cnet.com/news/wannacry-wannacrypt-uiwix-ransomware-everything-you-need-to-know, infected over 230,000 computers around the world, in over 150 countries. This ransomware exploited a vulnerability present in Microsoft Windows operating systems by means of EternalBlue, an exploit developed by the US National Security Agency (NSA) and released by The Shadow Brokers on April 14, 2017.
Spora ransomware is a major player among ransomware families and is prepared by professionals. Like other families such as DMA Locker 3.0, Cerber, or some editions of Locky, it has the ability to encrypt files offline. Currently, there is no decryptor available for the Spora ransomware.
Spora is distributed through phishing e-mails and infected websites which drop malicious payloads. Some of the distribution methods are presented in http://malware-traffic-analysis.net/2017/02/14/index2.html (the campaign from February 14, 2017) and http://malware-traffic-analysis.net/2017/03/06/index.html (the campaign from March 6, 2017).
Once the infection has begun, Spora runs silently and encrypts only files with specific extensions; not all extensions are encrypted. This type of ransomware is interested in office documents, PDF documents, Corel Draw documents, database files, images, and archives, and it is important to present the entire list of extensions in order to warn people about this type of attack: xls, doc, xlsx, docx, rtf, odt, pdf, psd, dwg, cdr, cd, mdb, 1cd, dbf, sqlite, accdb, jpg, jpeg, tiff, zip, rar, 7z, backup, sql, and bak. One crucial point here is that anybody can rename their files in order to avoid such infections, but the mandatory requirement is to back up the data.
Spora doesn’t add an extension to the encrypted files, which is quite unusual for ransomware; for example, Locky adds the .locky extension, TeslaCrypt adds the .aaa extension, and WannaCry appends the .WNCRY extension. Each file is encrypted with a separate key, and the encryption is nondeterministic (files with identical content are encrypted into different ciphertexts). The encrypted content has high entropy, and a visualization of an encrypted file suggests that a stream cipher or a chained block mode was used (AES in CBC mode is the likely candidate, because of the popularity of this mode of operation in ransomware encryption schemes).
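As an added example that is not part of the paper, the following Python triage helper turns two observations from the paragraphs above into a check: Spora keeps the original file name and extension, so a damaged file cannot be spotted by its name, and its output has near-random entropy. A file is flagged when its extension is on Spora's target list, the format's usual leading magic bytes are gone, and the Shannon entropy exceeds a threshold; the magic-byte table, the 7.5 bits/byte threshold and the sample contents are assumptions constructed here, not values from the paper.

```python
import math
from collections import Counter

# Extension list reported in the text for Spora (lower-case, no leading dot).
SPORA_TARGET_EXTENSIONS = {
    "xls", "doc", "xlsx", "docx", "rtf", "odt", "pdf", "psd", "dwg", "cdr",
    "cd", "mdb", "1cd", "dbf", "sqlite", "accdb", "jpg", "jpeg", "tiff",
    "zip", "rar", "7z", "backup", "sql", "bak",
}

# Leading magic bytes for a subset of the targeted formats (assumption:
# formats missing here are judged by entropy alone).
MAGIC = {
    "pdf": (b"%PDF",), "rtf": (b"{\\rtf",), "sqlite": (b"SQLite format 3\x00",),
    "zip": (b"PK\x03\x04",), "docx": (b"PK\x03\x04",), "xlsx": (b"PK\x03\x04",),
    "doc": (b"\xd0\xcf\x11\xe0",), "xls": (b"\xd0\xcf\x11\xe0",),
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "rar": (b"Rar!\x1a\x07",), "7z": (b"7z\xbc\xaf\x27\x1c",),
}

ENTROPY_THRESHOLD = 7.5  # bits per byte; ordinary documents rarely reach this

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(name: str, data: bytes) -> str:
    """Return 'not-targeted', 'intact', 'suspicious' or 'inconclusive'."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in SPORA_TARGET_EXTENSIONS:
        return "not-targeted"      # Spora does not touch this file type
    if any(data.startswith(m) for m in MAGIC.get(ext, ())):
        return "intact"            # header still present: not encrypted
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "suspicious"        # header gone, content near random
    return "inconclusive"          # low entropy but no header to confirm

def scan(files):
    """Names from an iterable of (name, content) pairs that look encrypted."""
    return [name for name, data in files if triage(name, data) == "suspicious"]

if __name__ == "__main__":
    # Constructed samples; the 256-value ramp stands in for ciphertext.
    ciphertext_like = bytes(range(256)) * 16
    print(scan([("report.pdf", b"%PDF-1.4 " + b"text " * 100),
                ("budget.xlsx", ciphertext_like),
                ("notes.txt", ciphertext_like)]))   # ['budget.xlsx']
```

Because Spora also appends the RSA-encrypted per-file key to each file, a flagged file will typically be slightly larger than a backup copy of the same document; the helper does not rely on that since the blob's exact size is not given here.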
Some methods are used frequently to ensure that a single copy of the malware is running, for example the creation of a mutex; this means that already encrypted data is not encrypted again, so there is a single step of encryption. Of course, some folders are excluded from encryption, because the system must remain in a working state in order for the victim to make a payment, so Spora doesn’t encrypt files located in the following directories: windows, program files, program files (x86), and games.
Spora uses the Windows Crypto API for the whole encryption process. First, the malware comes with a hardcoded AES 256 key, which is imported using CryptImportKey (the parameters passed to this function reveal that an AES 256 key is present). The AES key is then used to decrypt another key, an RSA public key, with the CryptDecrypt function (a ransom note and a hardcoded ID of the sample are also decrypted using the AES key).
For every computer, Spora creates a new pair of RSA keys. It calls CryptGenKey with parameters specific to RSA keys; the private key of the pair is then exported using CryptExportKey and Base64 encoded using CryptBinaryToString. A new AES 256 key is generated using CryptGenKey, exported using CryptExportKey, and used to encrypt the generated RSA private key; finally, this key is encrypted using the hardcoded RSA public key and stored in the ransom note. For every file, a new AES key is generated and used to encrypt the file; this per-file key is encrypted using the generated RSA public key and stored at the end of the encrypted file.
Spora is a professional product created by skilled attackers, but the code is not obfuscated or packed, which makes the analysis a little easier. The implementation of the cryptographic algorithms relies on the Windows Crypto API and appears to be consistent, so decryption of files is not really possible without paying the ransom. The ability to handle a complex encryption process offline makes Spora ransomware a real danger for unprepared clients.
Ransomware usually uses the RSA algorithm to protect the encryption key and AES to encrypt the files. If these algorithms are correctly implemented, it is impossible to recover the encrypted information.
Some attacks, nonetheless, work against the implementation of RSA. These attacks target not the basic algorithm but the protocol around it. Examples of such attacks on RSA are the chosen-ciphertext attack, the common modulus attack, the low encryption exponent attack, the low decryption exponent attack, the attack on encrypting and signing with the same key pair, and the attack exploiting a small difference between the primes p and q.
Attacks on AES implementations include the ECB attack, attacks on CBC implementations without HMAC verification, and the padding oracle attack.
In the following sections, we present the full analysis of three representative ransomware families: Spora, DMA Locker, and WannaCry.
The authors would like to thank University Politehnica of Bucharest for the financial support.