652 research outputs found

    CryptoKnight: generating and modelling compiled cryptographic primitives

    Cryptovirological augmentations present an immediate, incomparable threat. Over the last decade, the substantial proliferation of crypto-ransomware has had widespread consequences for consumers and organisations alike. Established preventive measures perform well; however, the problem has not ceased. Reverse engineering potentially malicious software is a cumbersome task due to platform eccentricities and obfuscated transmutation mechanisms, hence requiring smarter, more efficient detection strategies. The following manuscript presents a novel approach for the classification of cryptographic primitives in compiled binary executables using deep learning. The model blueprint, a Dynamic Convolutional Neural Network (DCNN), is fittingly configured to learn from variable-length control flow diagnostics output from a dynamic trace. To rival the size and variability of equivalent datasets, and to adequately train our model without risking adverse exposure, a methodology for the procedural generation of synthetic cryptographic binaries is defined, using core primitives from OpenSSL with multivariate obfuscation, to draw a vastly scalable distribution. The library, CryptoKnight, rendered an algorithmic pool of AES, RC4, Blowfish, MD5 and RSA to synthesise combinable variants which automatically fed into its core model. Converging at 96% accuracy, CryptoKnight was successfully able to classify the sample pool with minimal loss and correctly identified the algorithm in a real-world crypto-ransomware application.

    Inhibiting crypto-ransomware on Windows platforms through a honeyfile-based approach with R-Locker

    After several years, crypto-ransomware attacks still constitute a principal threat for individuals and organisations worldwide. Despite the fact that a number of solutions are deployed to fight against this plague, one main challenge is that of early reaction, as merely detecting its occurrence can be useless to avoid the pernicious effects of the malware. With this aim, the authors introduced in a previous work a novel antiransomware tool for Unix platforms named R-Locker. The proposal is supported on a honeyfile-based approach, where 'infinite' trap files are disseminated around the target filesystem for early detection and to effectively block the ransomware action. The authors extend here the tool with three main new contributions. First, R-Locker is migrated to Windows platforms, where specific differences exist regarding FIFO handling. Second, the global management of the honeyfiles around the target filesystem is now improved to maximise protection. Finally, blocking suspicious ransomware is (semi)automated through the dynamic use of white-/black-lists. As in the original work for Unix systems, the new Windows version of R-Locker shows high effectiveness and efficiency in thwarting ransomware action.

    Funding: Ministerio de Economia y Competitividad (Spanish Government), Grant/Award Number: TIN2017-83494-R

    Reducing Ransomware Crime: Analysis of Victims' Payment Decisions

    In this paper, the decision-making processes of victims during ransomware attacks were analysed. Forty-one ransomware attacks were examined using qualitative data collected from organisations and from police officers in cybercrime units in the UK. The hypothesis tested in this paper is that victims carefully analyse the situation before deciding whether to pay a ransom. This research confirms that victims often weigh the costs and benefits of interventions before making final decisions, and that their decisions are based on a range of reasons. As ransomware attacks become more prevalent globally, the findings should be highly relevant to those developing guidance and policies to prevent or minimise ransom payments.

    RansomClave: Ransomware Key Management using SGX

    Modern ransomware often generates and manages cryptographic keys on the victim's machine, giving defenders an opportunity to capture exposed keys and recover encrypted data without paying the ransom. However, recent work has raised the possibility of future enclave-enhanced malware that could avoid such mitigations using emerging support for hardware-enforced secure enclaves in commodity CPUs. Nonetheless, the practicality of such enclave-enhanced malware and its potential impact on all phases of the ransomware lifecycle remain unclear. Given the demonstrated capacity of ransomware authors to innovate in order to better extort their victims (e.g. through the adoption of untraceable virtual currencies and anonymity networks), it is important to better understand the risks involved and identify potential mitigations. As a basis for comprehensive security and performance analysis of enclave-enhanced ransomware, we present RansomClave, a family of ransomware that securely manages its cryptographic keys using an enclave. We use RansomClave to explore the implications of enclave-enhanced ransomware for the key generation, encryption and key release phases of the ransomware lifecycle, and to identify potential limitations and mitigations. We propose two plausible victim models and analyse, from an attacker's perspective, how RansomClave can protect cryptographic keys from each type of victim. We find that some existing mitigations are likely to be effective during the key generation and encryption phases, but that RansomClave enables new trustless key release schemes that could potentially improve attackers' profitability and, by extension, make enclaves an attractive target for future attackers.

    Malware attack prevention, detection, response and recovery

    This document presents an in-depth study of the main current cybersecurity threats and an automated tool for managing responses to each of them. The study focuses on attacks in the banking sector, analysing the main entry channels used by attackers, the attack vectors, and how attackers progress once inside the systems. The tool, based on VBA and Excel macros, allows the study to be presented at the level of the MITRE matrix, which is explained later in this document; given input parameters, it can show where an organisation's main security vulnerabilities lie and whether it meets the requirements needed to avoid most threats.

    RanAware, analysis and detection of ransomware on Windows systems

    In recent years the use of computers has increased significantly with the introduction of home-office policies caused by the pandemic. This growth has been accompanied by malware attacks, and ransomware in particular. Therefore, it is essential to have a system able to protect against, prevent, and reduce the impact that this type of malware has on an organisation. RanAware is a tool that performs early ransomware detection based on recording file system operations. This information allows RanAware to monitor activity on the file system and to collect and process statistics used to determine the presence of ransomware on the system. After detection, RanAware handles the termination and isolation of the malicious program as well as the creation of an activity report of the ransomware's operations. In addition, this project evaluates the impact that RanAware has on a system.

    Cyber risk management frameworks for the South African banking industry

    Abstract: Information technology (IT) has proven to be critical in the operation of businesses today. The banking industry is one of the industries most reliant on IT. The banking industry has enjoyed greater efficiency and effectiveness in its operations owing to the widespread use of IT. However, due to IT and continuous technological advancements, new threats such as cyber risk have surfaced, and the banking industry has experienced the most cybercrime incidents. In addition to the banking industry being the most targeted by cyber-criminals, cybercrime incidents have detrimental impacts on the industry. As a result, it is crucial for banks to employ effective cyber risk management processes. The South African banking industry is required by the South African Reserve Bank (SARB) to align its cyber risk management processes to the cyber resilience guidance document issued by the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO). The CPMI–IOSCO cyber resilience guidance contains guidelines that should be addressed within a bank's cyber risk management framework. This study seeks to establish whether the Improving Critical Infrastructure Cybersecurity (ICIC) framework addresses the guidelines contained in the CPMI–IOSCO cyber resilience guidance. The ICIC framework is effective for managing cyber risk and allows an organisation to modify it to suit its specific needs and objectives. The objective of the study is to recommend to the South African banking industry a framework for managing cyber risks that is effective and that addresses the CPMI–IOSCO cyber resilience guidelines. The results were gathered by analysing the ICIC framework and mapping it against the CPMI–IOSCO cyber resilience guidelines. The results revealed that the ICIC framework addresses up to 71 percent of the CPMI–IOSCO cyber resilience guidelines. The study therefore recommends that, instead of building a new cyber risk management framework, the South African banking industry should adopt the ICIC framework and modify it by adding the 29 percent of the CPMI–IOSCO cyber resilience guidelines not addressed by the ICIC framework. All the guidelines contained in the CPMI–IOSCO cyber resilience guidance will then be addressed within the modified ICIC framework. South African banks will also achieve effective management of cyber risks through the ICIC framework.

    M.Com. (Computer Auditing)

    On the Peace and Security Implications of Cybercrime: A Call for an Integrated Perspective

    Criminal cyberattacks have skyrocketed in the past decade, with ransomware attacks during the pandemic being a prime example. While private corporations remain the main targets and headlines are often dominated by the financial cost, public institutions and services are increasingly affected. Governments across the globe are working on combating cybercrime. However, they often do not see eye to eye, with geopolitical tensions further complicating the search for effective multilateral remedies. In this research report, we focus on the threat that cybercrime poses to peace and security, which is rarely addressed. We examine the potential of cybercrime to exacerbate state-internal conflicts, for example by fuelling war economies or by weakening social coherence and stability. Various actors sharing similar, possibly even identical, approaches to compromising adversarial computer systems is another threat that we assess, as it has the potential to cause unintended escalation. Similarly, cyber vigilantism and hack-backs, whether conducted by private actors or corporate entities, can also endanger state agency and the rule of law. While an international treaty, such as the one currently being discussed at the UN, could be a valuable step toward curbing cybercriminal behaviour, we also reflect on possible negative side effects, from increased domestic surveillance to repression of opposition. Lastly, we argue for an integrated perspective, combining various knowledge bases and research methodologies to counter direct and indirect limitations of research, particularly pertaining to data availability but also to analytical concepts.