Tuesday 31 July 2018

VB2018: Artificial intelligence to assist with ransomware cryptanalysis



It's always very exciting for me to be able to attend and, moreover, speak at the Virus Bulletin Conference. Because, it is the oldest and the most respectful antivirus conference that has been running since 1991 where cybersecurity experts from academia and industry gather to share their ideas, research, and forecasts. You can meet the researches who helped to boost the antivirus industry decades ago and are now the core of the antivirus community.

This year in Montreal, we'll present an academic research conducted by my master student Kateryna Vitiuk under my supervision and devoted to Cryptanalysis of ransomware with the help of Artificial Intelligence.

When analyzing ransomware, we often see the hardcoded implementation of the AES, RC4, Salsa20 algorithms, for example in TeslaCrypt, Locky, GlobeImposter, MoneroPay ransomware. The ciphers' code can be poorly detected in the ransomware's memory dumps using the signature-based approach using Krypto ANALyzer (KANAL) for PEiD tool and publicly available Yara rules. Therefore, we assumed that it is possible to use the smart pattern matching method to find the known crypto primitives in the ransomware's disassembled code.

See also:
https://www.virusbulletin.com/conference/vb2018/abstracts/artificial-intelligence-assist-ransomware-cryptanalysis

Wednesday 21 March 2018

Corporate Backup Solutions Self-Defense Test - March 2018


In the light of the growing number of ransomware attacks in which cryptolockers terminate database processes to unlock the database files for encryption (Cerber, GlobeImposter, Rapid, Serpent) and can encrypt local and network backups to demand a ransom (Rapid, Spora), we decided to test self-defense capabilities of the top backup solutions used in business environments available for trial.

The test aims at testing the sustainability of product’s processes and services against typical attacks to security software described below, as well as self-protection of local backup and product’s files. Ransomware can encrypt local backup files and configuration files that belong to a backup program thereby disabling the recovery of the files. Moreover, once access to agent’s or server’s processes is gained, an attacker can delete backup copies of the files not only locally, but also in the cloud on behalf of a backup solution.

See the full report by the link.

Sunday 4 February 2018