Decrypting: An Experiment in Volatile Memory Analysis Applied to Defense Against Ransomware

  • Ana Heloísa B. Mazur UEM
  • Paulo Roberto de Oliveira UEM
  • Luciana Andréia Fondazzi Martimiano UEM

Abstract

Ransomware is a type of malicious software that restricts access to a system or its data and demands a ransom payment. Volatile memory analysis makes it possible to observe the state of a system at specific moments of its execution, which makes it an interesting approach for malware analysis. This work aims to explore volatile memory analysis techniques and tools applied to the defense against cryptographic ransomware attacks, through a practical experiment. With memory analysis it is possible to identify cryptographic material in memory, which, under certain circumstances, allows encrypted files to be recovered. The experiment demonstrated the application of cryptographic key identification techniques based on static analysis and on the structure of virtual memory.
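As an added illustration (not code from the paper) of how cryptographic material can be recognised by its structure in a memory image: an AES-128 key schedule occupies a fixed 176-byte layout in which every round key is derived from the previous one, so a scanner can slide over a dump, treat each 16-byte window as a candidate key and report the windows whose following 160 bytes match the expansion (the key-schedule search described by Halderman et al.). The dump, the planted offset and the filler are constructed here; the key is the FIPS-197 Appendix A.1 test key.

```python
import random

def _gen_sbox():
    """Build the AES S-box from GF(2^8) inverses plus the affine map (no 256-entry table)."""
    sbox = [0] * 256
    p = q = 1                      # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF        # q /= 3
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)       # affine transform
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _gen_sbox()

def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for AES-128: 16-byte key -> 176-byte round-key schedule."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:             # RotWord, SubWord, XOR round constant
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = ((rcon << 1) ^ (0x1B if rcon & 0x80 else 0)) & 0xFF
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)

def find_aes128_keys(dump: bytes):
    """Slide over the dump; report (offset, key hex) where 176 bytes form a valid AES-128 schedule."""
    hits = []
    for off in range(len(dump) - 175):
        cand = dump[off:off + 16]
        t = cand[12:16]            # cheap filter: check the first derived word before a full expansion
        w4 = bytes([cand[0] ^ SBOX[t[1]] ^ 1, cand[1] ^ SBOX[t[2]],
                    cand[2] ^ SBOX[t[3]], cand[3] ^ SBOX[t[0]]])
        if dump[off + 16:off + 20] == w4 and expand_key(cand) == dump[off:off + 176]:
            hits.append((off, cand.hex()))
    return hits

# Constructed sample "memory dump": pseudo-random filler with one schedule planted at offset 1337
_rng = random.Random(1)
_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A.1 test key
_filler = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_DUMP = _filler[:1337] + expand_key(_KEY) + _filler[1337 + 176:]
```

On a real image the same scan runs over the process or kernel memory ranges and the full-schedule match is what rules out random false positives; a key that the ransomware has already wiped from memory will not be found, which is why acquisition timing matters.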

Published
16/09/2024
MAZUR, Ana Heloísa B.; OLIVEIRA, Paulo Roberto de; MARTIMIANO, Luciana Andréia Fondazzi. Descriptografando: Experimento em Análise de Memória Volátil Aplicada à Defesa Contra Ransomware. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 24., 2024, São José dos Campos/SP. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 181-196. DOI: https://doi.org/10.5753/sbseg.2024.241511.