---
SPDX-FileCopyrightText: © 2024 Menacit AB <foss@menacit.se>
SPDX-License-Identifier: CC-BY-SA-4.0
title: "Practical cryptography course: Cryptography in ransomware"
author: Joel Rangsmo <joel@menacit.se>
footer: © Course authors (CC BY-SA 4.0)
description: Use-cases of cryptography in ransomware
keywords:
color: "#ffffff"
class:
style: |
  section.center {
    text-align: center;
  }
  table strong {
    color: #d63030;
  }
  table em {
    color: #2ce172;
  }
---
Malware that makes files/data inaccessible, typically using encryption.
Intruders demand payment to release files/data.
Global ransomware damages are estimated to exceed $30 billion by 2023.
Basically all cryptography techniques we've talked about are involved.
The malicious code needs to be deployed somewhere, preferably on a business-critical system.
Initial access brokers specialize in selling access to user accounts and systems.
A foothold is usually obtained by:
- Credential phishing
- Password leaks and reuse
- Exploitation of vulnerable systems
Various methods are used to stay under the radar and avoid detection.
One is to steal or fraudulently obtain code-signing certificates, so the malware passes as legitimately signed software.
Delete/corrupt backup archives.
Steal sensitive/embarrassing information for "double extortion".
Target firmware/lower-level code that is tricky to recover from.
Symmetric encryption of (all) files with a freshly generated key.
The symmetric (en|de)cryption key is then encrypted with the intruder's public key (hybrid encryption), so only the holder of the matching private key can recover it.
Commonly use established standards such as AES and RSA.
Commonly use the same cryptography libraries as everyone else - crypto is hard, and families that got it wrong have ended up with free decryptors.
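The hybrid scheme described above, as an added example written for this page rather than code from the course or from any real ransomware family. It uses only the Go standard library: a random AES-256 key encrypts the data with AES-GCM, and that key is wrapped with the intruder's RSA public key using OAEP. The function names (`HybridEncrypt`, `HybridDecrypt`, `RoundTrip`, `WrongKeyIsRejected`) and the sample plaintext are assumptions made for the example. Only the public key would be embedded in the malware; the private key stays with the intruder, which is why a second key pair cannot unwrap the file key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedBlob is what the victim is left with after a hybrid-encryption
// ransomware run: the AES-GCM ciphertext of a file plus the per-file AES key
// wrapped with the intruder's RSA public key. The plaintext key is never stored.
type EncryptedBlob struct {
	WrappedKey []byte // RSA-OAEP(pub, aesKey)
	Nonce      []byte // AES-GCM nonce, unique per key
	Ciphertext []byte // AES-GCM ciphertext followed by the authentication tag
}

// HybridEncrypt is the "victim side": encrypt plaintext with a fresh random
// AES-256 key and wrap that key with the intruder's public key.
func HybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedBlob, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	// Wrap the symmetric key so only the matching private key can recover it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // scrub the plaintext key; the victim must not find it
		key[i] = 0
	}
	return &EncryptedBlob{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// HybridDecrypt is the "intruder side" (or the decryptor sold back to the
// victim): unwrap the AES key with the private key, then open the ciphertext.
func HybridDecrypt(priv *rsa.PrivateKey, blob *EncryptedBlob) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping file key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob.Nonce, blob.Ciphertext, nil)
}

// RoundTrip generates an intruder key pair, encrypts msg as the malware would,
// and recovers it with the private key.
func RoundTrip(msg string) (string, error) {
	intruder, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	blob, err := HybridEncrypt(&intruder.PublicKey, []byte(msg))
	if err != nil {
		return "", err
	}
	out, err := HybridDecrypt(intruder, blob)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// WrongKeyIsRejected shows why the intruder's private key (paid for or seized)
// is the only cryptographic way back: unwrapping with any other key pair fails.
func WrongKeyIsRejected(msg string) bool {
	intruder, err1 := rsa.GenerateKey(rand.Reader, 2048)
	other, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return false
	}
	blob, err := HybridEncrypt(&intruder.PublicKey, []byte(msg))
	if err != nil {
		return false
	}
	_, err = HybridDecrypt(other, blob) // OAEP padding check fails
	return err != nil
}

func main() {
	const sample = "constructed sample: quarterly-report.xlsx contents" // constructed input
	got, err := RoundTrip(sample)
	fmt.Println("recovered:", got == sample, err)
	fmt.Println("wrong key rejected:", WrongKeyIsRejected(sample))
}
```

The victim-side function never holds the private key, so nothing on the compromised host (memory dumps, disk forensics) yields the file key once it has been scrubbed; that is the property that makes offline backups, not cryptanalysis, the realistic recovery path.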
So-called "ransom notes" are left on the affected systems.
Instructions describing how victims can get their data back.
Typically contains an .onion-link for more details, payment information and "customer support".
Ransom must typically be paid in a cryptocurrency.
Bitcoin and Monero are the most common options.
Cashing out safely is not easy; it requires mixing ("tumbling") services and other laundering tricks.
Organizations take security and disaster recovery much more seriously these days.
Ransomware-as-a-Service (RaaS) is enabling specialization.
Cyber insurance has interesting side-effects.