The diagram below shows a code snippet of a crypto ransomware sample that we extracted with IDA Pro.
Fig. 10. Encryption routines in crypto ransomware code
It is clear from the above code that the ransomware uses RSA and AES encryption algorithms
from the Cryptographic Service Provider (CSP) of the operating system.
KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS VOL. 13, NO. 6, June 2019 3273
Fig. 11. Observed ransomware encryption process.
The malware calls the CryptEncrypt function of the Crypto API to encrypt the AES key with the
implanted RSA key. Fig. 11 summarizes the workflow of the observed ransomware encryption
process. This particular sample adds another layer of encryption on the host system and does
not directly encrypt the symmetric key with the payload-implanted public key. Instead, when
successfully executed on the host, it uses the operating system's secure PRNG via the CryptoAPI
to generate a 2048-bit sub-RSA key pair to be used by the CSP. The sub-pair's public key is
exported in its unencrypted form to 00000000.pky. The private key of the sub-pair is the one
that actually gets encrypted by the payload-implanted master public key using the CryptEncrypt
function, and it is then exported and written to 00000000.eky. The malware proceeds to generate
a 128-bit AES key bundle in Cipher Block Chaining (CBC) mode that is subsequently used to
encrypt the victim's target files. It is worth noting that the victim's files are encrypted with a
unique key per file. The earlier public key from the sub-pair, exported in raw form to
00000000.pky, encrypts these AES keys. Overall, the samples use four types of encryption keys
once successfully delivered on the host: one RSA public key implanted in the payload, two
2048-bit keys generated on the victim's machine and one AES symmetric key per file. This
sample uses the EternalBlue exploit, which exploits vulnerable SMBv1 on port 445 to propagate
to other hosts as a worm [31]. This implies that a user can get infected without interaction-based
infection vectors, which would otherwise require some user action.
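As an added forensic example (not code from the paper or from the analysed sample), the following Python routine parses the layout that CryptExportKey uses for an RSA public key, so that a 00000000.pky file recovered from an infected host can be checked for the 2048-bit sub-pair public key described above. The blob layout is the documented wincrypt.h PUBLICKEYBLOB; that the .pky file holds that blob unmodified is an assumption, and the embedded sample blob is constructed with a dummy modulus.

```python
import struct

# CryptoAPI constants from wincrypt.h
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = 0x31415352          # the bytes b"RSA1" read as a little-endian DWORD
HEADER_LEN = 8 + 12              # BLOBHEADER (8 bytes) + RSAPUBKEY (12 bytes)

def parse_publickeyblob(blob: bytes) -> dict:
    """Parse a CryptoAPI PUBLICKEYBLOB as written by CryptExportKey.

    Layout: BLOBHEADER {bType, bVersion, reserved, aiKeyAlg} + RSAPUBKEY {magic, bitlen,
    pubexp} + modulus (bitlen/8 bytes, little-endian). Raises ValueError on anything else."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for BLOBHEADER + RSAPUBKEY")
    btype, bver, reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if (btype, bver, reserved) != (PUBLICKEYBLOB, CUR_BLOB_VERSION, 0):
        raise ValueError("BLOBHEADER is not a version-2 PUBLICKEYBLOB")
    if alg != CALG_RSA_KEYX:
        raise ValueError(f"aiKeyAlg 0x{alg:08x} is not CALG_RSA_KEYX")
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if magic != RSA1_MAGIC:
        raise ValueError("RSAPUBKEY magic is not 'RSA1'")
    if bitlen % 8 or len(blob) != HEADER_LEN + bitlen // 8:
        raise ValueError("modulus length does not match bitlen")
    modulus = int.from_bytes(blob[HEADER_LEN:], "little")
    if modulus.bit_length() != bitlen or modulus % 2 == 0:
        raise ValueError("modulus is not an odd integer of exactly bitlen bits")
    return {"bits": bitlen, "e": pubexp, "n": modulus}

def build_publickeyblob(bitlen: int, pubexp: int, modulus: int) -> bytes:
    """Serialise an RSA public key in the same layout (used here to construct a test blob)."""
    return (struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
            + struct.pack("<III", RSA1_MAGIC, bitlen, pubexp)
            + modulus.to_bytes(bitlen // 8, "little"))

# Constructed stand-in for a recovered 00000000.pky: the modulus is a dummy odd
# 2048-bit integer, not a real key.
DUMMY_N = (1 << 2047) | 0x1234567
SAMPLE_PKY = build_publickeyblob(2048, 65537, DUMMY_N)

def is_sub_rsa_public_key(blob: bytes) -> bool:
    """True if blob parses as the kind of 2048-bit RSA public key the sample exports in the clear."""
    try:
        return parse_publickeyblob(blob)["bits"] == 2048
    except ValueError:
        return False
```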
We now present the results of dynamic analysis after we actively ran different cryptoviral
malware samples in a contained sandbox environment.
3274 Zimba et al.:Recent Advances in Cryptovirology: State-of-the-Art Crypto Mining
and Crypto Ransomware Attacks
5.2.1 Memory resident crypto mining
This particular type of malware exhibited different kinds of persistence mechanisms, including
the addition of registry keys and an entry in the task scheduler. The malware connects to the C2
upon infection and downloads the relevant files. Its throttle setting (setThrottle) is 0, implying
that it consumes the entire CPU at 100%, as shown in Fig. 12 below. The malware constantly
checks for the presence of a task monitor (Task Manager) and drops its CPU usage once it detects
one. The drop in CPU usage at the top-right of the figure occurred right after Task Manager was
opened; once Task Manager was closed, CPU usage resumed at 100%.
Fig. 12. Maximum CPU usage with task monitor detection
Before downloading the relevant files, the malware reports the infected host's hardware details:
the CPU architecture (x86 or 64-bit), the number of CPU cores, whether a WanIP address is
present, the CPU frequency and other relevant information, as shown in Fig. 13 below. The IP
address of the C2 server the malware reports to is shown as well.
Fig. 13. Malware reporting to C2 after infecting a host.
After obtaining the information above, the malware proceeds to download files, among which
are the execution instructions, the mining pool to identify with and the crypto algorithm to use,
Cryptonight in this case. The captured network traffic statistics are shown in Fig. 14. As seen
from the network graph, much of the network communication between the infected host and the
C2 servers happens in the first 3 minutes. The communication is purely clear-text HTTP. The
relevant crypto mining files are also downloaded during this time window. This particular
malware strain exploits the SMB service on port 445, just like WannaCry [32]. Interestingly,
the malware then blocks access to port 445 on the infected host, so that no other malware can
infect the host via the same infection vector. Clearly, this is an effort to have the whole CPU to
itself, as is the case with most crypto mining malware.
Fig. 14. Captured network communication between an infected host and C2 servers
Unlike crypto mining malware, the latest ransomware variants do not need to contact the C2
server in order to accomplish their task. Communication with the C2 usually comes after
encrypting the user's files. This implies that the malware can work offline and can thus be
propagated by offline attack vectors such as removable storage media. However, some
variants probe the network as a sandbox evasion technique and also search the network for
victims. The diagram in Fig. 15 shows the network activity captured from a cryptoviral
extortion malware sample, WannaCry.
Fig. 15. Network activity for cryptoviral extortion malware
The ransomware drops a decryptor, which tries to communicate over the anonymous Tor
network. It further spawns two threads, one of which scans the local IP subnet for port 445
vulnerabilities based on the information retrieved from the network adapter. The ransomware
drops other .exe files, indicating that it targets the Windows operating system. This explains
why the WannaCry ransomware hit so many critical systems running outdated and legacy
Windows OS. In an effort to evade detection when running in a sandbox, the ransomware also
probes the network to reach a non-existent, randomly generated domain name. If the name
lookup for this non-existent domain resolves successfully, the malware does not run. This
kill-switch feature is only present in the latest variants of the malware, and it is usually the first
step the malware carries out before any encryption takes place.
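The network behaviours described for the miner (a clear-text HTTP burst to the C2 within the first 3 minutes, SMB propagation on port 445) and for WannaCry above (a lookup of a random domain name as the first step, then a subnet scan on port 445) can be turned into detection logic over connection and DNS logs. The Python below is an added example, not code from the paper; the event format, the thresholds and the sample events are all constructed, and the probe domain is a made-up name under the reserved .invalid TLD.

```python
import math
from collections import defaultdict

# Constructed events, not captured traffic: (t_seconds, src, dst, dport, proto, detail)
PROBE_NAME = "xq7v9dk2pl0asdfgh3jkl5zxcvbn8qwertyu.invalid"   # made-up high-entropy label
SMB_SCAN = [(30 + i, "10.0.0.5", f"10.0.0.{10 + i}", 445, "tcp", "") for i in range(25)]
C2_BURST = [(5 + 10 * i, "10.0.0.7", "198.51.100.9", 80, "http", "GET /cfg") for i in range(12)]
SAMPLE_EVENTS = SMB_SCAN + C2_BURST + [
    (1, "10.0.0.5", "10.0.0.1", 53, "dns", PROBE_NAME),          # kill-switch style probe
    (2, "10.0.0.8", "10.0.0.1", 53, "dns", "www.example.com"),   # benign host
    (3, "10.0.0.8", "10.0.0.20", 445, "tcp", ""),               # ordinary file-share use
    (900, "10.0.0.8", "10.0.0.21", 445, "tcp", ""),
]

def label_entropy(name: str) -> float:
    """Shannon entropy (bits per character) of the leftmost DNS label."""
    label = name.split(".")[0]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def detect(events, window=60, min_smb_targets=20, min_http=10, min_label=20, min_entropy=3.5):
    """Return sorted (rule, src) alerts for the three behaviours described in the text."""
    alerts = set()
    first_seen, smb, http = {}, defaultdict(list), defaultdict(int)
    for t, src, dst, dport, proto, detail in sorted(events):
        first_seen.setdefault(src, t)
        # 1. DNS query for a long, random-looking name (sandbox/kill-switch probe)
        if proto == "dns" and len(detail.split(".")[0]) >= min_label \
                and label_entropy(detail) >= min_entropy:
            alerts.add(("dns_probe", src))
        # 2. many distinct hosts contacted on 445 inside one window (SMB subnet scan)
        if dport == 445:
            smb[src].append((t, dst))
            recent = {d for tt, d in smb[src] if t - tt <= window}
            if len(recent) >= min_smb_targets:
                alerts.add(("smb_445_scan", src))
        # 3. burst of clear-text HTTP within the first 3 minutes a host is seen (C2 fetch)
        if proto == "http" and t - first_seen[src] <= 180:
            http[src] += 1
            if http[src] >= min_http:
                alerts.add(("early_http_burst", src))
    return sorted(alerts)
```

The thresholds are starting points to tune against a baseline of the monitored subnet; the benign host 10.0.0.8 in the sample data stays below all three.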
IOCs can be formulated from hashes: cryptographic hashes of the cryptoviral malware samples
themselves (cf. Table 1 and Table 2), hashes of the payload that the malware extracts into
memory, and hashes of files downloaded from the C2 servers. High CPU consumption, especially
on a host with an Internet connection, is another IOC for crypto mining malware. The observed
C2 server domains are also IOCs that ought to be blacklisted in the security policy. Other IOCs
include the registry alterations made when the malware seeks to establish a persistent presence.
It is worth noting that malware evolves with time, and so do the associated IOCs: C2 servers
could be shifted or pointed to another botnet domain, and the cryptographic hashes change with
any alteration in the source code. Therefore, the use of IOCs to mitigate cryptoviral malware
ought, in the same manner, to be dynamic and evolving.
This study examined the state-of-the-art cryptoviral attacks and the malware thereof in the
cryptovirology landscape. We have proposed a novel and thorough taxonomy of cryptoviral
attacks from two main perspectives depicting the various ways through which attackers acquire
cryptocurrencies. Furthermore, we have defined cryptoviral attack models using attack graphs
to characterize the attack paths of nodes participating in the attack process and the associated
attack scenarios. We have implemented and analyzed cryptoviral attack simulations based on
the defined attack models in sandboxed network environments to extract evasive features and
also those representative of IOCs. Static and dynamic analysis showed the various techniques
employed by cryptoviral malware to effectuate complex crypto attacks. The analyzed samples
in Table 1 depict the prevalence of the Monero cryptocurrency in browser-based crypto mining.
Most browser-based crypto mining attacks use a variation of the Coinhive source code, which
is the pioneer of in-browser crypto mining. The analysis further showed that C2
communication is paramount to crypto mining attacks, as most of the malware were basic
scripts that beaconed to the C2 servers for further directives. The latest crypto ransomware
attacks, on the other hand, do not necessarily require contact with C2 servers. Rather,
communication with the C2 is initiated after the actual attack has occurred. All cryptoviral
attacks leave a trail of digital forensic evidence when the malware interacts with the file system
and generates noise in the form of network traffic upon connecting to the C2 servers and crypto
mining pools. IOCs include network artifacts such as C2 server domains, the corresponding IP
addresses and cryptographic hash values of downloaded files, apart from the malware hash values.
[2] F. Mercaldo, V. Nardone, and A. Santone, “Ransomware inside out,” in Proc. of Availability,
Reliability and Security (ARES), 2016 11th International Conference on. IEEE, 2016.
Article (CrossRef Link).
[3] R. Soto, “Cryptocoin Mining Attack Vectors Reshaping the Threatscape,” JASK,
February 22, 2018. Article (CrossRef Link).
[4] A. Young and M. Yung, “Malicious cryptography: Exposing cryptovirology,” Computer Law &
Security Review, 20.5, pp. 430, 2004. Article (CrossRef Link).
[5] Nir Kshetri and Jeffrey Voas, “Do Crypto-Currencies Fuel Ransomware?,” IT Professional, 19.5,
pp. 11-15, 2017. Article (CrossRef Link).
[6] C. R. Srinivasan, “Hobby hackers to billion-dollar industry: the evolution of ransomware,”
Computer Fraud & Security, 2017.11, pp.7-9, 2017. Article (CrossRef Link).
[7] Nick Biasini, Edmund Brumaghin, Warren Mercer and Josh Reynolds, “Ransom Where?
Malicious Cryptocurrency Miners Takeover, Generating Millions,” Talos Intelligence,
JANUARY 31, 2018. Article (CrossRef Link).
[8] Adam Young and Moti Yung, “On Ransomware and Envisioning the Enemy of Tomorrow,”
Computer, 50.11, pp. 82-85, 2017. Article (CrossRef Link).
[9] A. Young and M. Yung, “Cryptovirology: Extortion-based security threats and countermeasures,”
in Proc. of Proceedings 1996 IEEE Symposium on Security and Privacy, 1996.
Article (CrossRef Link).
[10] A. Palisse, et al., “Ransomware and the legacy crypto API,” in Proc. of International Conference
on Risks and Security of Internet and Systems. Springer, Cham, pp. 11-28, 2016.
Article (CrossRef Link).
[11] A. Zimba, L. Simukonda, and M. Chishimba, “Demystifying Ransomware Attacks: Reverse
Engineering and Dynamic Malware Analysis of WannaCry for Network and Information Security,”
Zambia ICT Journal, 1.1, pp. 35-40, 2017. Article (CrossRef Link).
[12] A. Zimba, Z. Wang, and L. Simukonda, “Towards Data Resilience: The Analytical Case of Crypto
Ransomware Data Recovery Techniques,” International Journal of Information Technology &
Computer Science, 10.1, pp. 40-51, 2018. Article (CrossRef Link).
[13] Satoshi Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” 2008.
[14] “MONERO private digital currency,” Monero, 2014. Article (CrossRef Link).
[15] A. Miller et al., “An empirical analysis of linkability in the Monero blockchain,” arXiv preprint
arXiv:1704.04299, 2017. Article (CrossRef Link).
[16] C. Kolias et al., “DDoS in the IoT: Mirai and other botnets,” IEEE Computer, 50.7, pp. 80-84, 2017.
Article (CrossRef Link).
[17] “Illegal Bitcoin mining factory sparks massive blaze thanks to overheating computers used to
create cryptocurrency,” The Sun, 9th February 2018. Article (CrossRef Link).
[18] “Now Cryptojacking Threatens Critical Infrastructure, Too,” WIRED, February 12, 2018. Article
(CrossRef Link).
[19] “Hack Brief: Hackers Enlisted Tesla's Public Cloud to Mine Cryptocurrency,” WIRED, February
20, 2018. Article (CrossRef Link).
[20] “Cisco: Crypto-Mining Botnets Could Make $100m Annually,” InfoSecurity, Feb. 1, 2018. Article
(CrossRef Link).
[21] “Crypto-Mining Attacks Jump 50% to Net Hackers Millions in 2017,” InfoSecurity, 2017.
[22] “Top Cyberthreat Of 2018: Illicit Cryptomining,” Forbes. | TECH | Cybersecurity, March 4, 2018.
Article (CrossRef Link).
[23] “ISTR 23: Insights into the Cyber Security Threat Landscape,” Symantec, March 21, 2018.
Article (CrossRef Link).
[24] “UK cryptojacking attacks surge 1,200% as Bitcoin value rise sees illegal miners taking over PCS,”
Independent, February 28, 2018. Article (CrossRef Link).
[25] “New Research: Crypto-mining Drives Almost 90% of All Remote Code Execution Attacks,”
Imperva, February 20, 2018. Article (CrossRef Link).
[26] D. Y. Huang, H. Dharmdasani, S. Meiklejohn, V. Dave, C. Grier, D. McCoy, S. Savage, N.
Weaver, A. C. Snoeren, and K. Levchenko, “Botcoin: Monetizing stolen cycles,” NDSS, February
2014. Article (CrossRef Link).
[27] “Popular Google Chrome extension caught mining cryptocurrency on thousands of
computers,” Fortune, January 2, 2018.
[28] “Crypto-jackers enlist Google Tag Manager to smuggle alt-coin miners,” The Register, November
22, 2017. Article (CrossRef Link).
[29] “Ads don’t work so websites are using your electricity to pay the bills,” The Guardian, September
27, 2017.
[30] Aaron Zimba, Zhaoshun Wang, and Hongsong Chen, “Reasoning crypto ransomware infection
vectors with Bayesian networks,” in Proc. of Intelligence and Security Informatics (ISI), 2017
IEEE International Conference on. IEEE, 2017. Article (CrossRef Link).
[31] D.Y. Kao and S.C. Hsiao, “The dynamic analysis of WannaCry ransomware,” in Proc. of
Advanced Communication Technology (ICACT), 2018 20th International Conference on. IEEE,
2018. Article (CrossRef Link).
[32] C. Pascariu, I.D. Barbu and I.C. Bacivarov, “Investigative Analysis and Technical Overview of
Ransomware Based Attacks. Case Study: WannaCry,” Int'l J. Info. Sec. & Cybercrime, 6.1, pp.
57-35, 2017. Article (CrossRef Link).
Aaron Zimba is a lecturer of Computer Science and Information Technology at
Mulungushi University and he is currently pursuing PhD studies at the University of Science
and Technology Beijing in the Department of Computer Science and Technology. He
received his Master and Bachelor of Science degrees from the St. Petersburg Electrotechnical
University in St. Petersburg in 2009 and 2007 respectively. He is also a member of the IEEE.
His main research interests include Network and Information Security, Network Security
Models, Cloud Computing Security and Malware Analysis.
Zhaoshun Wang is a Professor and the Associate Head of the Department of Computer
Science and Technology at the University of Science and Technology Beijing. He graduated
from the Department of Mathematics at Beijing Normal University in 1993. He received his
PhD from Beijing University of Science and Technology in 2002. He completed postdoctoral
research work at the Graduate School of the Chinese Academy of Sciences in 2006. He holds
patents and has many awards to his name. His main research areas include Information
Security, Computer Architecture and Software Engineering.
Hongsong Chen received his PhD degree in Department of Computer Science from Harbin
Institute of Technology, China, in 2006. He was a visiting scholar at Purdue University from
2013-2014. He is currently an associate professor in the Department of Computer Science and
Technology, University of Science and Technology Beijing, China. His current research
interests include wireless network security, attack and detection models, and cloud computing
security.
Mwenge Mulenga is a lecturer of Computer Science in the School of Science, Engineering
and Technology at Mulungushi University. Currently, he is pursuing his PhD studies in
computer science at the University of Malaya, Malaysia. He holds a Master’s degree from the
St Petersburg State Electrotechnical University, Russia. He has vast experience in major
software projects implementing both proprietary and open-source technologies. His main
research interests include software engineering and machine learning.