Technical Stream
Technical Stream
Ransomware protection: from backups to key searching

Abstract

Protection against ransomware Trojans, or rather one of their most dangerous subspecies – encryptors – is extremely important. Thousands of users of different operating systems throughout the world have faced a situation where their files were encrypted overnight and the attackers asked for money to decrypt them. At the same time, the standard approach to data protection often doesn’t work and valuable documents or photos get encrypted. For this task we ask you to develop protection against one of the most dangerous types of Trojans faced by Internet users over the last 10 years. There are several ways to solve this problem, but it’s up to you to decide which can be the most effective.

Statement of the problem

Once an encryptor is on a computer/server/smartphone, it begins searching valuable files of different formats and encrypts them with the strong encryption algorithm (both symmetric and asymmetric encryption algorithms are used – see more details in the supplementary materials). Usually, the private key is generated at the moment encryption starts, then is sent to the attackers’ command server, and once the files have been ecrypted the Trojan deletes itself. It is necessary to develop a method that will help protect user data on a computer that has already been affected by a Trojan like this. The method can be based on existing technologies, such as backups, policies, methods for rapid encryptor detection, methods that search for keys in the memory, on the disk, or in files; of course, you can also suggest something completely new.

Requirements/technical guidelines for submissions

The work should result in a program/set of programs that demonstrates the method works (PoC — proof-of-concept) and a detailed description of the approach used.

The program should provide protection from test encryptors launched in the Windows 7-10 environment

Supplementary materials

Ransomware. How it works:

https://securelist.com/blog/research/74398/locky-the-encryptor-taking-the-world-by-storm/

https://securelist.com/blog/research/74609/petya-the-two-in-one-trojan/

https://securelist.com/analysis/publications/72087/the-shade-encryptor-a-double-threat/

Common protection measures:

https://www.wired.com/2016/05/4-ways-protect-ransomware-youre-target/

http://www.darkreading.com/endpoint/heres-how-to-protect-against-a-ransomware-attack/d/d-id/1324169

https://noransom.kaspersky.com/

Where to obtain samples to test your system:

https://malwr.com/ (search by tag crypter)

http://www.kernelmode.info/forum/viewforum.php?f=16

Evaluation criteria

To evaluate the effectiveness of the proposed program, a test suite of actual Trojan encryptors will be compiled. The program will be installed in the test environment where the encryptors will be launched one at a time to check whether it can provide protection against these malicious programs.