Evaluation of live forensic techniques, towards Salsa20-Based cryptographic ransomware mitigation

Abstract

Ransomware has been established as one of the largest current threats to organisations, small businesses, governments, and individuals alike. The appearance of cryptocurrencies and the enhancement of encryption key management schemes increased the capacity of this malicious software to compromise the victim's data and demand ransom payments. The variety of ransomware families and their continued evolution make the task of detecting and mitigating these attacks extremely difficult. Current ransomware typically uses complex multi-layer hybrid encryption methods, which cannot be mitigated using conventional methods such as attacking the encryption keys directly. Recent studies have shown that when using live forensic techniques, it is possible to find the ransomware data encryption keys in the volatile memory of an infected machine while the ransomware is being executed, in a form of a side-channel attack. However, the related work in the field does not address the most recent cryptography typically now used by ransomware, including stream ciphers such as Salsa20. Related work has also not fully explored the typical use of unique keys per victim's file which is now common with current ransomware. The work described in this paper reproduces these latest cryptographic management techniques being used and explores methods for both, Salsa20 key extraction from memory, and one key per file ransomware encryption key recovery. The methods have been evaluated against recent real-world ransomware samples with various victim file data sets. The method has been shown in some cases to successfully recover over 90% of Salsa20 key and nonce pairs from volatile memory, which in turn have been used to decrypt victim files to validate the extracted pairs. This method could facilitate the recovery of victims' files without the need for paying a ransom and bypasses the complex hybrid encryption methods typically used by current ransomware. The findings from the experiments show that it is possible to use live memory forensics to extract multiple ransomware symmetric encryption keys during execution, and then use these to successfully decrypt a large percentage of the victim's encrypted files without requiring the master key. The developed method could be used to help recover from the most advanced current ransomware attack and can prove useful when developing new cryptographic ransomware mitigation techniques.