CyberSecurity 2020 - Memory Forensics Against Ransomware

Abstract

Ransomware leverages the unique knowledge of the cryptographic secrets, such as an encryption key, for ransom extraction. Therefore, acquiring the decryption key via exploitation of weak cryptographic implementations or side-channel attacks allows data restoration without the requirement of ransom payment. In this paper, we examine the effectiveness of physical memory forensics against ransomware to recover raw symmetric and asymmetric keys and demonstrate file decryption against several real-world ransomware. Furthermore, we deploy our own virulent ransomware that are equipped with an effective hybrid cryptosystem to explore the limits of such memory-based side-channel attacks on ransomware. Our results indicate that cryptographic keys can be discovered during encryption in the ransomware process memory for durations long enough to facilitate complete data recovery.