20 research outputs found

    NoCry: No More Secure Encryption Keys for Cryptographic Ransomware

    Since the appearance of ransomware in the cyber crime scene, researchers and anti-malware companies have been offering solutions to mitigate the threat. Anti-malware solutions differ on the specific strategy they implement, and all have pros and cons. However, three requirements concern them all: their implementation must be secure, be effective, and be efficient. Recently, Genç et al. proposed to stop a specific class of ransomware, the cryptographically strong one, by blocking unauthorized calls to cryptographically secure pseudo-random number generators, which are required to build strong encryption keys. Here, in adherence to the requirements, we discuss an implementation of that solution that is more secure (with components that are not vulnerable to known attacks), more effective (with fewer false negatives in the class of ransomware addressed) and more efficient (with minimal false positive rate and negligible overhead) than the original, bringing its security and technological readiness to a higher level

    Next Generation Cryptographic Ransomware

    We are assisting at an evolution in the ecosystem of cryptoware - the malware that encrypts files and makes them unavailable unless the victim pays up. New variants are taking the place once dominated by older versions; incident reports suggest that forthcoming ransomware will be more sophisticated, disruptive, and targeted. Can we anticipate how such future generations of ransomware will work in order to start planning on how to stop them? We argue that among them there will be some which will try to defeat current anti-ransomware; thus, we can speculate over their working principle by studying the weak points in the strategies that seven of the most advanced anti-ransomware are currently implementing. We support our speculations with experiments, proving at the same time that those weak points are in fact vulnerabilities and that the future ransomware that we have imagined can be effective

    Why Current Statistical Approaches to Ransomware Detection Fail

    The frequent use of basic statistical techniques to detect ransomware is a popular and intuitive strategy; statistical tests can be used to identify randomness, which in turn can indicate the presence of encryption and, by extension, a ransomware attack. However, common file formats such as images and compressed data can look random from the perspective of some of these tests. In this work, we investigate the current frequent use of statistical tests in the context of ransomware detection, primarily focusing on false positive rates. The main aim of our work is to show that the current over-dependence on simple statistical tests within anti-ransomware tools can cause serious issues with the reliability and consistency of ransomware detection in the form of frequent false classifications. We determined thresholds for five key statistics frequently used in detecting randomness, namely Shannon entropy, chi-square, arithmetic mean, Monte Carlo estimation for Pi and serial correlation coefficient. We obtained a large data set of 84,327 files comprising images, compressed data and encrypted data. We then tested these thresholds (taken from a variety of previous publications in the literature where possible) against our dataset, showing that the rate of false positives is far beyond what could be considered acceptable. False positive rates were often above 50% and even above 90% on several occasions. False negative rates were also generally between 5% and 20%, numbers which are also far too high. As a direct result of these experiments, we determine that relying on these simple statistical approaches is not good enough to detect ransomware attacks consistently. We instead recommend the exploration of higher-order statistics such as skewness and kurtosis for future ransomware detection techniques

    No Random, No Ransom: A Key to Stop Cryptographic Ransomware

    To be effective, ransomware has to implement strong encryption, and strong encryption in turn requires a good source of random numbers. Without access to true randomness, ransomware relies on the pseudo random number generators that modern Operating Systems make available to applications. With this insight, we propose a strategy to mitigate ransomware attacks that considers pseudo random number generator functions as critical resources, controls accesses on their APIs and stops unauthorized applications that call them. Our strategy, tested against 524 active real-world ransomware samples, stops 94% of them, including WannaCry, Locky, CryptoLocker and CryptoWall. Remarkably, it also nullifies NotPetya, the latest offspring of the family which so far has eluded all defenses

    A Roadmap for Improving the Impact of Anti-Ransomware Research

    Ransomware is a type of malware which restricts access to a victim’s computing resources and demands a ransom in order to restore access. This is a continually growing and costly threat across the globe, therefore efforts have been made both in academia and industry to develop techniques that can help to detect and recover from ransomware attacks. This paper aims to provide an overview of the current landscape of Windows-based anti-ransomware tools and techniques, using a clear, simple and consistent terminology in terms of Data Sources, Processing and Actions. We extensively analysed relevant literature so that, to the best of our knowledge, we had at the time covered all approaches taken to detect and recover from ransomware attacks. We grouped these techniques according to their main features as a way to understand the landscape. We then selected 15 existing anti-ransomware tools both to examine how they fit into this landscape and to compare them by aggregating their accuracy and overhead – two of the most important selection criteria of these tools – as reported by the tools’ respective authors. We were able to determine popular solutions and unexplored gaps that could lead to promising areas of anti-ransomware development. From there, we propose two novel detection techniques, namely serial byte correlation and edit distance. This paper serves as a much needed roadmap of knowledge and ideas to systematise the current landscape of anti-ransomware tools

    Phytotherapies in motion: French Guiana as a case study for cross-cultural ethnobotanical hybridization

    Background French Guiana is characterized by a very multicultural population, made up of formerly settled groups (Amerindians, Maroons, Creoles) and more recent migrants (mostly from Latin America and the Caribbean). It is the ideal place to try to understand the influence of intercultural exchanges on the composition of medicinal floras and the evolution of phytotherapies under the effect of cross-culturalism. Methods A combination of qualitative and quantitative methods was used. Semi-directive interviews were conducted in 12 localities of French Guiana’s coast between January 2016 and June 2017, and the responses to all closed questions collected during the survey were computerized in an Excel spreadsheet to facilitate quantitative processing. Herbarium vouchers were collected and deposited at the Cayenne Herbarium to determine Linnaean names of medicinal species mentioned by the interviewees. A list of indicator species for each cultural group considered was adapted from community ecology to this ethnobiological context, according to the Dufrêne-Legendre model, via the “labdsv” package and the “indval” function, after performing a redundancy analysis (RDA). Results A total of 205 people, belonging to 15 distinct cultural groups, were interviewed using semi-structured questionnaires. A total of 356 species (for 106 botanical families) were cited. We observed that pantropical and edible species hold a special place in these pharmacopeias. If compared to previous inventories, 31 recently introduced species can be counted. Furthermore, this study shows that the majority of the plants used are not specific to a particular group but shared by many communities. However, despite this obvious cross-culturalism of medicinal plants between the different cultural communities of French Guiana, divergent trends nevertheless appear through the importance of 29 indicator/cultural keystone species in 10 cultural groups. 
Finally, we have emphasized that the transmission of herbal medicine’s knowledge in French Guiana is mainly feminine and intra-cultural. Conclusion French Guianese medicinal flora is undoubtedly related to the multiple cultures that settled this territory through the last centuries. Cultural pharmacopeias are more hybrid than sometimes expected, but cultural keystone species nevertheless arise from a common background, allowing to understand, and define, the relationships between cultural groups

    Divergence and Convergence in Traditional Plant-Based Medicinal Practices of Haitian Migrants in Montreal, Miami and Cayenne

    Migrants continue to use their traditional herbal medicines in their new locations, but few studies have compared therapeutic practices within a diaspora spread among different countries. In order to better understand how medicinal plants and associated practices circulate in the process of transnational migrations, we examine the Haitian diaspora in the cities of Cayenne (French Guiana), Miami (United States), and Montreal (Canada). We conducted semi-structured interviews (n = 44) with Haitian migrants in all three locations, and compiled plant inventories in gardens, shops, and through interviews. Our results record a total of 185 species cited among the three localities that were sold in shops, cultivated by informants, or gathered in diverse urban spaces, demonstrating the vitality with which members of the Haitian diaspora continue to use plants from their original pharmacopoeia while highlighting marked dissimilarities among uses. The persistence of phytotherapy practices among migrant populations in different locations is fueled by transnational commercial and individual flows of medicinal plants

    Suspected trichothecene-induced mycotoxicosis in broiler chickens

    The authors try to set up the relation between the supply of foods containing several mycotoxins of the trichothecene family (T2 toxin, neosolaniol, verrucarol, fusarenone X, trichothecin, crotocol) at about 1 to 4 ppm and some growth troubles, abnormal feathering, pigmentation deficiency for the broilers. Their demonstration is based on the inexistence of a definite infectious disease, except Gumboro disease, and on the end of the troubles with the substitution of silage maize by cribs maize. Renault Lucien, Goujet Martine, Monin Anne, Boutin G., Palisse M., Alamagny A. Suspicion de mycotoxicose provoquée par les trichothècènes chez les poulets de chair. In: Bulletin de l'Académie Vétérinaire de France tome 132 n°1, 1979. pp. 181-188