Professional Documents
Culture Documents
InsomniHack 2022 Ransomware Encryption Internals
InsomniHack 2022 Ransomware Encryption Internals
Characterization
Antonio Cocomazzi
Threat Intelligence Researcher, SentinelOne
whoami
➔ Extracting Behavioral Indicators means deep knowledge -> lots of study ->
very time intensive
➔ Selected Ransomware:
◆ Babuk
◆ BlackMatter
◆ Conti
◆ Revil
Some months later…
Evolution, Trends and Unique
features
The shifts in the encryption schemes
➔ Main shift is the adoption of Elliptic-Curve Diffie-Hellman (ECDH) key
exchange algorithms instead of RSA as asymmetric encryption -> main
difference the private key is never left on the victim host neither in
encrypted form
Encrypted
Input Key Symmetric Key
Symmetric Key
Random Key
Generate Embed Generate
Encrypted
Input Key Symmetric Key
Random Key
Generate Embed Generate
Encrypted
Input Key Symmetric Key
Symmetric Key
Generate
EC Public Key
Input Key Ephemeral
Symmetric Key
Public Input
Key
ECDH Shared Key
ECDH Embed ECDH
Ephemeral Key
Key Setup Key Setup
EC Public Agreement
EC Public
Key Master Ransomware.exe Key Ephemeral
Operator
Private
EC Private Input Key
EC Private Key Ephemeral
Key Master
The shift from RSA to ECDH in Asymmetric Encryption: ECDH
secret.txt secret.txt.encrypted
EC Public Key
Input Key Ephemeral
Symmetric Key
EC Private
EC Private Key Ephemeral Destroy Key
Key Master
The shift from RSA to ECDH in Asymmetric Encryption: ECDH
secret.txt secret.txt.encrypted
EC Public Key
Input Key Ephemeral
Feature Feature
➔ Encryption Optimization ➔ Encryption Parallelization
◆ Kill unwanted Services ◆ Multi threading
Sub-features
◆ Kill unwanted Processes ◆ Synchronization
◆ Shadow Copies Deletion
◆ Kill file lock holders
◆ Increase process priority
The behavioral characterization
➔ E.g. We can keep track of these file writes with a dictionary data
structure where on the key is stored the Length of the write
operation and as a value the counter of how many times that write
with that size has been appended to a file
splintercod3@gmail.com