{"id":56316,"date":"2017-05-18T13:22:44","date_gmt":"2017-05-18T17:22:44","guid":{"rendered":"http:\/\/www.bu.edu\/eng\/?p=56316"},"modified":"2024-03-08T15:14:46","modified_gmt":"2024-03-08T20:14:46","slug":"protection-from-ransomware-like-wannacry","status":"publish","type":"post","link":"https:\/\/www.bu.edu\/eng\/2017\/05\/18\/protection-from-ransomware-like-wannacry\/","title":{"rendered":"Protection from Ransomware like WannaCry"},"content":{"rendered":"<p class=\"post-content\">By Eugene Kolodenker<\/p>\n<div class=\"entry-title\"><\/div>\n<div class=\"meta\"><span class=\"byline\">Eugene Kolodenker (EE BS\u00a0&#8217;12,\u00a0CE MS\u00a0&#8217;17) works in application development with a focus on cyber security systems at MITRE. This article originally appeared on Eugene Kolodenker&#8217;s blog, <a href=\"https:\/\/www.eugenekolo.com\/blog\/paybreak-generically-recovering-from-ransomware-including-wannacry\/\">Kolobyte<\/a>.<\/span><\/div>\n<div class=\"entry sc\">\n<div class=\"inline\">\n<p class=\"post-content\"><img loading=\"lazy\" src=\"\/eng\/files\/2017\/05\/wannacrygraphic-01.jpg\" alt=\"WannaCry Graphic designed by Gabriella McNevin\" width=\"599\" height=\"301\" class=\"aligncenter size-full wp-image-56419\" \/><\/p>\n<p class=\"post-content\">A system to defeat ransomware was recently developed by me and three of my cybersecurity research colleagues: Boston University Electrical and Computer Engineering Professor\u00a0<a href=\"https:\/\/www.bu.edu\/eng\/profile\/manuel-egele\/\"><strong>Manuel Egele<\/strong><\/a>, University College London Assistant Professor\u00a0<strong><a href=\"http:\/\/www0.cs.ucl.ac.uk\/staff\/G.Stringhini\/\" 
>Gianluca Stringhini<\/a>\u00a0<\/strong>and\u00a0<a href=\"http:\/\/cs-people.bu.edu\/wfkoch\/\"><strong>William Koch<\/strong><\/a>.<\/p>\n<p class=\"post-content\">The fruit of our labor, a paper titled\u00a0\u201c<strong><a href=\"https:\/\/eugenekolo.com\/static\/paybreak.pdf\">PayBreak<\/a><\/strong>: Defense Against Cryptographic Ransomware\u201d was published in\u00a0<em>ACM ASIACCS<\/em>\u00a0in early April 2017. The paper explains a novel protection system against ransomware that is capable of defeating the new global ransomware threat,\u00a0WannaCry. WannaCry has infected more than 230,000 computers in 150 countries, demanding ransom payments in exchange for access to precious files. This attack is\u00a0the largest to date. I feel fortunate to work on research powerful enough to repel it.<\/p>\n<p class=\"post-content\">PayBreak works by storing all the cryptographic material used during a ransomware attack. Modern ransomware uses what\u2019s called a \u201chybrid cryptosystem,\u201d meaning each ransomed file is encrypted using a different key. Each key is then encrypted using another, public encryption key, with the private decryption key held by the ransomware authors. When ransomware attacks, PayBreak records the cryptographic keys used to encrypt each file, and securely stores them. 
When recovery is necessary, the victim retrieves the recorded keys and iteratively decrypts each file.<\/p>\n<\/div>\n<p class=\"post-content\"><a href=\"https:\/\/github.com\/BUseclab\/paybreak\"><strong>PayBreak<\/strong><\/a>\u00a0is available on GitHub and can be installed with negligible CPU and RAM overhead.<\/p>\n<div class=\"inline\">\n<section class=\"post-content\">\n<h2 id=\"recoveringfromwannacryransomware\">Recovering from WannaCry Ransomware<\/h2>\n<p>At this point, I&#8217;ve reverse engineered and researched something like 30 ransomware families, from over 1000 samples. WannaCry isn&#8217;t really much different from every other ransomware family, which includes other infamous families like Locky, CryptoWall, CryptoLocker, and TeslaLocker.<\/p>\n<p>They all pretty much work the same way, including WannaCry. This <a href=\"https:\/\/consolia-comic.com\/comics\/ransomware\">comic<\/a> sums up the ransom process best of anything I&#8217;ve seen. Every successful family today encrypts each file for ransom with a new, unique &#8220;session&#8221; key, and encrypts each session key with a &#8220;public&#8221; ransom key, making it irrecoverable without the matching &#8220;private&#8221; key held closely by the ransomware racketeers. Those session keys are generated on the host machine. This is where <a href=\"https:\/\/eugenekolo.com\/static\/paybreak.pdf\">PayBreak<\/a> shims the generation and usage of those keys and saves them. 
This means the encryption of those session keys with the ransomware&#8217;s public key is pointless: it is defeated.<\/p>\n<p><img src=\"https:\/\/www.eugenekolo.com\/blog\/content\/images\/2017\/05\/WannaCry_CustomAES.png\" alt=\"Custom AES by WannaCry\" \/><\/p>\n<p>The PayBreak system doesn&#8217;t rely on the ransomware using any specific algorithm or cryptographic library. In fact, WannaCry implemented, or at least statically compiled, its own AES-128-CBC function. PayBreak can be configured to hook arbitrary functions, including that custom AES function, and record the parameters, such as the key, passed to it. However, a simpler approach in this case was to hook the Windows secure pseudorandom number generator function, CryptGenRandom, which this ransomware (and most others) uses to create a new session key per file, and save the output of each call.<\/p>\n<p><img src=\"https:\/\/www.eugenekolo.com\/blog\/content\/images\/2017\/05\/WannaCry_GenRandom.png\" alt=\"Recorded Keys\" \/><\/p>\n<p>Recovering files is simply a matter of trying each recorded session key against each encrypted file until one decrypts successfully. Decrypting my file system of ~1000 files took 94 minutes.<\/p>\n<p>Encrypted: <a href=\"https:\/\/eugenekolo.com\/static\/Desert.jpg.WNCRY\">Desert.jpg.WNCRY<\/a><br \/>\nKey used by WannaCry: cc24d9c8388fa566456ccec745e009c8<br \/>\nDecrypted: <a href=\"https:\/\/eugenekolo.com\/static\/Desert.jpg\">Desert.jpg<\/a><\/p>\n<p>Thanks <a href=\"https:\/\/twitter.com\/jeffreycrowell\">@jeffreycrowell<\/a> for sharing a sample. 
The full paper can be found here: <a href=\"https:\/\/eugenekolo.com\/static\/paybreak.pdf\">https:\/\/eugenekolo.com\/static\/paybreak.pdf<\/a><br \/>\nSHA256 Hash of Sample: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c<br \/>\nWannaCry Custom AES:\u00a0<a href=\"https:\/\/gist.github.com\/eugenekolo\/fe229be2a4230cf8322bf5537e291812\">https:\/\/gist.github.com\/eugenekolo\/fe229be2a4230cf8322bf5537e291812<\/a><\/p>\n<\/section>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>By Eugene Kolodenker Eugene Kolodenker (EE BS\u00a0&#8217;12,\u00a0CE MS\u00a0&#8217;17) works in application development with a focus on cyber security systems at MITRE. This article originally appeared on Eugene Kolodenker&#8217;s blog, Kolobyte. A system to defeat ransomware was recently developed by myself and three of my cybersecurity research colleagues: Boston University Electrical and Computer Engineering Professor\u00a0Manuel Egele, [&hellip;]<\/p>\n","protected":false},"author":12641,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[236,240,907,1073,1144],"tags":[273,261,262,264],"_links":{"self":[{"href":"https:\/\/www.bu.edu\/eng\/wp-json\/wp\/v2\/posts\/56316"}],"collection":[{"href":"https:\/\/www.bu.edu\/eng\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bu.edu\/eng\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/eng\/wp-json\/wp\/v2\/users\/12641"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/eng\/wp-json\/wp\/v2\/comments?post=56316"}],"version-history":[{"count":1,"href":"https:\/\/www.bu.edu\/eng\/wp-json\/wp\/v2\/posts\/56316\/revisions"}],"predecessor-version":[{"id":128507,"href":"https:\/\/www.bu.edu\/eng\/wp-json\/wp\/v2\/posts\/56316\/revisions\/128507"}],"wp:attachment":[{"href":"https:\/\/www.bu.edu\/eng\/wp-json\/wp\/v2\/media?parent=56316"}],"wp:term":[{"taxonomy":"cate
gory","embeddable":true,"href":"https:\/\/www.bu.edu\/eng\/wp-json\/wp\/v2\/categories?post=56316"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bu.edu\/eng\/wp-json\/wp\/v2\/tags?post=56316"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}