CyberSecurity 2020 - Memory Forensics Against Ransomware


Ransomware leverages its unique knowledge of cryptographic secrets, such as an encryption key, to extract a ransom. Therefore, acquiring the decryption key via exploitation of weak cryptographic implementations or side-channel attacks allows data restoration without paying the ransom. In this paper, we examine the effectiveness of physical memory forensics against ransomware to recover raw symmetric and asymmetric keys and demonstrate file decryption against several real-world ransomware families. Furthermore, we deploy our own virulent ransomware samples, equipped with an effective hybrid cryptosystem, to explore the limits of such memory-based side-channel attacks on ransomware. Our results indicate that cryptographic keys can be discovered in the ransomware process memory during encryption for durations long enough to facilitate complete data recovery.
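As an added illustration of how a raw symmetric key is recovered from a memory image (example code written for this page, not the paper's tooling), the scanner below looks for AES-128 keys the way key-schedule scanners do: an implementation that is busy encrypting keeps the full 176-byte expanded schedule in memory, so every 16-byte window is tested by expanding it and checking whether the next 160 bytes are exactly its FIPS-197 schedule. The memory image is constructed here (pseudo-random filler with one schedule planted), and the planted key is the FIPS-197 Appendix A.1 example key, so the results are checkable against the standard.

```python
import random

def _build_sbox():
    # Derive the AES S-box (GF(2^8) inverse, then affine map); p walks the group by 3, q by 1/3.
    sbox = [0x63] * 256                       # 0 has no inverse: S(0) = 0x63
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        for s in (1, 2, 4):
            q = (q ^ (q << s)) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)   # XOR of the 5 rotations
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    return sbox

SBOX = _build_sbox()

def key_schedule_words(key):
    """Yield round-key words w[4..43] of the AES-128 key schedule (FIPS-197)."""
    w, rcon = [bytes(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[-1]
        if i % 4 == 0:                          # RotWord, SubWord, Rcon
            t = bytes([SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]])
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w.append(bytes(a ^ b for a, b in zip(w[-4], t)))
        yield w[-1]

def expand_key(key):
    """Full 176-byte schedule, the form most AES implementations keep in memory."""
    return bytes(key) + b"".join(key_schedule_words(key))

def schedule_at(mem, off):
    """True if the 176 bytes at `off` form a self-consistent AES-128 schedule."""
    for k, word in enumerate(key_schedule_words(mem[off:off + 16])):
        if mem[off + 16 + 4 * k:off + 20 + 4 * k] != word:
            return False                        # random data fails on the first word
    return True

def find_aes128_keys(mem):
    """Scan a memory image; return (offset, key) for every schedule found."""
    return [(off, bytes(mem[off:off + 16])) for off in range(len(mem) - 175) if schedule_at(mem, off)]

def demo_image():
    """Constructed image: pseudo-random filler with one expanded key planted at offset 2048."""
    filler = bytes(random.Random(2020).getrandbits(8) for _ in range(2048))
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A.1 key
    return filler + expand_key(key) + filler[:512], key
```

The early exit in `schedule_at` is what makes a linear scan of a real dump practical: nearly every offset is rejected after one 4-byte comparison, and only a genuine schedule survives all 40 words.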

Jun 15, 2020
Pranshu Bajpai
Principal Staff Security Architect

PhD, Michigan State University.