Ransomware is a type of malware that holds some resource of a victim for ransom. The most common form encrypts files on the victim's system and then asks the user to pay money in order to restore the files to their original state (cryptoviral extortion). Ransomware is classified as a trojan within the malware family. A novel method to detect and prevent the functionality of ransomware is examined in the paper "Connection-Monitor and Connection-Breaker" [1] by Mohammad Mehdi Ahmadian. First let's take a look at how certain encryption systems work.

Private key encryption / Symmetric key encryption / Single key encryption: Private key encryption is a method of encryption in which the participating parties share the secret key. It is called symmetric key encryption because the encrypting party and the decrypting party use the same key. If that key is hard-coded into the malware (the encryption routine needs it), it can easily be extracted by reverse engineers. This is a major design flaw and hence this scheme on its own is not used by malware writers.

Public key encryption / Asymmetric key encryption / Multiple key encryption: Public key encryption is a method in which the key is actually a pair of two keys. One, the public key, is distributed; the other (which forms a mathematical pair with it) is held only by the decrypting party and is used to decrypt the ciphertext. Hence the malware coder needs to hard-code only the encryption (public) key and can hold the private key for ransom. The only problem with this is that asymmetric encryption is more expensive, since one key pair will not suffice if multiple victims are to be held for ransom successfully.

Hybrid encryption: A randomly generated symmetric key is used to encrypt the data, and that symmetric key is then itself encrypted using a public key. Once the ransom is paid, the encrypted symmetric key is sent to the malware writer, who uses the asymmetric private key to decrypt the randomly generated symmetric key and returns it to the victim. This is how most ransomware works.

Hence, when the encryption process is about to begin, the malware contacts its command and control (C&C) servers to receive the public key, and this is where the authors of [1] come in. The C&C servers that the malware contacts cannot be hard-coded directly, since it would then be a simple matter of blacklisting or taking down those hard-coded servers. This is where malware coders turn to Domain Generation Algorithms (DGA). DGAs are algorithms that generate pseudo-random domain names, one or some of which will resolve to the active C&C servers. These domain names are usually a random string of characters, and no benign domain uses such random-looking names.

The mechanism developed by the authors is to monitor DNS requests and examine the domain being requested. It then becomes a problem of deciding whether the domain name is a plausible human-readable string or gibberish, the latter being a strong indicator that the domain is one with which communication should not happen in any case. The authors address this by using Markov chains to calculate the probability that the character string is human readable, and they normalize that value by the length of the string. Ransomware that depends on a connection to its C&C servers then fails to obtain its key, and the function of the encrypting ransomware has been thwarted.
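To make the detection side concrete, here is an added example of the DNS-monitoring idea described above. It is not code from the paper or from its author: it trains a character-level Markov chain on a constructed list of benign domain labels, scores a queried label by its mean log-probability per character transition (the length normalization the text mentions), calibrates a threshold against the benign set, and flags queries in a few constructed DNS log lines. The label list, the log format, the smoothing constant and the naive "label left of the last dot" TLD handling are all assumptions of this example.

```python
import math
from collections import defaultdict

# Constructed list of benign second-level domain labels used to train the model.
# A real deployment would train on a large benign corpus (e.g. a top-sites list).
BENIGN_LABELS = [
    "google", "wikipedia", "facebook", "amazon", "youtube", "twitter",
    "github", "microsoft", "apple", "netflix", "linkedin", "reddit",
    "wordpress", "stackoverflow", "mozilla", "cloudflare", "dropbox",
    "instagram", "pinterest", "spotify", "example", "university",
    "library", "weather", "security", "engineering", "network", "mail",
    "news", "shopping", "travel", "music", "photos", "documents",
]

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
START, END = "^", "$"


class DomainMarkovScorer:
    """First-order character Markov model over domain labels."""

    def __init__(self, alpha=0.1):
        self.alpha = alpha                       # additive smoothing for unseen transitions
        self.counts = defaultdict(lambda: defaultdict(int))
        self.totals = defaultdict(int)
        self.threshold = None

    @staticmethod
    def _sequence(label):
        # Keep only characters the model knows; '^' and '$' mark the string boundaries.
        cleaned = "".join(c for c in label.lower() if c in ALPHABET)
        return START + cleaned + END

    def train(self, labels):
        for label in labels:
            seq = self._sequence(label)
            for a, b in zip(seq, seq[1:]):
                self.counts[a][b] += 1
                self.totals[a] += 1

    def _log_transition(self, a, b):
        vocab = len(ALPHABET) + 1                # every possible next symbol, including END
        return math.log((self.counts[a][b] + self.alpha)
                        / (self.totals[a] + self.alpha * vocab))

    def score(self, label):
        """Mean log-probability per transition, i.e. normalised by string length."""
        seq = self._sequence(label)
        transitions = list(zip(seq, seq[1:]))    # never empty: at least '^' -> '$'
        return sum(self._log_transition(a, b) for a, b in transitions) / len(transitions)

    def calibrate(self, labels, margin=0.0):
        """Place the decision threshold just below the worst-scoring benign label."""
        self.threshold = min(self.score(label) for label in labels) - margin

    def looks_generated(self, label):
        return self.score(label) < self.threshold


def queried_label(qname):
    """Return the label left of the TLD, e.g. 'xq7vzk3pwr' for 'xq7vzk3pwr.com.'.
    Simplification: the last dot-separated part is treated as the public suffix."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def flag_dns_queries(log_lines, scorer):
    """Return the query names whose label the model considers machine-generated."""
    flagged = []
    for line in log_lines:
        qname = line.split()[-1]                 # assumed format: '... query A <qname>'
        if scorer.looks_generated(queried_label(qname)):
            flagged.append(qname)
    return flagged


def build_scorer():
    scorer = DomainMarkovScorer()
    scorer.train(BENIGN_LABELS)
    scorer.calibrate(BENIGN_LABELS)
    return scorer


# Constructed sample DNS log lines; the gibberish names are made up, not real indicators.
SAMPLE_DNS_LOG = [
    "10:00:01 10.0.0.5 query A wikipedia.org",
    "10:00:02 10.0.0.5 query A xq7vzk3pwr.com",
    "10:00:03 10.0.0.7 query A security.example",
    "10:00:04 10.0.0.7 query A kd8qzjx2vbn.net",
]

if __name__ == "__main__":
    scorer = build_scorer()
    for line in SAMPLE_DNS_LOG:
        qname = line.split()[-1]
        print(f"{qname:20s} score={scorer.score(queried_label(qname)):6.2f}")
    print("flagged:", flag_dns_queries(SAMPLE_DNS_LOG, scorer))
```

A connection-breaker would act on the flagged names (drop the resolution, or block the resolved address at the host firewall) rather than just log them. The threshold here is calibrated so that no training label is flagged, which keeps the example deterministic but says nothing about false positives on unseen benign names; in practice the model is trained on a much larger benign corpus and the margin is tuned against a held-out set, and short labels deserve care because a single rare transition dominates their normalized score.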

