摘要
以混合加密型勒索软件为研究对象,将设置诱饵文件和文件操作监控方法相结合,获取勒索软件文件加密过程中采用的加密密钥、加密算法、密文起始字段和密文长度等相关信息,并提出了被加密文件的还原方法。针对8个流行的勒索软件家族进行密文还原测试,测试结果表明了提出的还原方法的有效性。该密文还原方法适用于混合加密勒索软件密文还原,是现行勒索软件防御策略的有效补充。
In this paper, ransomware using hybrid pattern cryptographic system is taken as the research object. By combining decoy files and file operation monitoring, encryption key, encryption algorithm, the first few bytes of cipher text,the size of cipher text and other details while ransomware encrypting files can be obtained, and this paper proposes a new file recovery approach. This paper evaluates the file recovery approach against 8 active ransomware families, and the results show that the file recovery approach proposed in this paper is effective. The file recovery approach is suitable for file recovery, which is an effective complement to fill the gap in current strategy of ransomware defense.
引文
[1]崔翔.网络安全新威胁勒索软件(Ransom Ware)的防范与应对[J].信息网络安全,2006(7):67-69.
[2]商小阙,柳斌,严威川.勒索软件:一场卑劣的金钱游戏[J].信息安全与通信保密,2016(11):68-80.
[3]Young A,Yung M.Cryptovirology:extortion-based security threats and countermeasures[C]//1996 IEEE Symposium on Security and Privacy,2002:129.
[4]Young A L.Cryptoviral extortion using Microsoft’s Crypto API[J].International Journal of Information Security,2006,5(2):67-76.
[5]安天安全研究与应急处理中心.勒索软件简史[J].中国信息安全,2017(4).
[6]Young A L,Yung M.Cryptovirology:the birth,neglect,and explosion of ransomware[J].Communications of the ACM,2017,60(7):24-26.
[7]Moser A,Kruegel C,Kirda E.Limits of static analysis for malware detection[C]//Annual Computer Security Applications Conference,2007:421-430.
[8]Yuill J,Zappe M,Denning D,et al.Honeyfiles:deceptive files for intrusion detection[C]//Proceedings from the 5th Annual IEEE SMC Information Assurance Workshop,2004:116-122.
[9]Youn J,Ryu J.How to detect and block ransomware with file extension management in macos[J].Journal of the Korea Institute of Information Security&Cryptology,2017,27(2):251-258.
[10]Lee J,Lee J,Hong J.How to make efficient decoy files for ransomware detection?[C]//Proceedings of the International Conference on Research in Adaptive and Convergent Systems,2017:208-212.
[11]Kharraz A,Robertson W,Balzarotti D,et al.Cutting the gordian knot:a look under the hood of ransomware attacks[C]//LNCS 9148:Proceedings of the 12th International Conference on Detection of Intrusions and Malware,and Vulnerability Assessment,2015:3-24.
[12]Kirda E.UNVEIL:a large-scale,automated approach to detecting ransomware(keynote)[C]//IEEE International Conference on Software Analysis,Evolution and Reengineering,2017.
[13]Luo X,Liao Q.Awareness education as the key to ransomware prevention[J].Information Systems Security,2007,16(4):195-202.
[14]王志海,童新海,沈寒辉.OpenSSL与网络信息安全:基础、结构和指令[M].北京:清华大学出版社,2007.
[15]Hunt G,Brubacher D.Detours:binary interception of Win32 functions[C]//Third USENIX Windows NT Symposium,1999.
[16]Guilfanov I.IDA fast library identification and recognition technology(FLIRT technology):in-depth[EB/OL].(2012-02-27)[2012-03-11].http://www.hex-rays.com/products/ida/tech/flirt/in-depth.shtml.