
Deleted member 65228

Guest
#3
Does anyone know Ransomware that uses its own cryptographic API?
I cannot think of one off the top of my head but there is bound to be one out there; there are open-source cryptography projects online so I would imagine others would have done similar work for bad purposes.

I doubt it would be too much of a benefit for someone to make their own library for it though, because in terms of behaviour detection by security products, it is usually done by monitoring I/O activity, and writing your own cryptography library should not evade detection that way.
 

tim one

Level 21
AV-Tester
Verified
Joined
Jul 31, 2014
Messages
1,073
OS
Windows 10
Antivirus
F-Secure
#4
Ransomware using its own cryptographic API will exist for sure, but often the tendency is to use the Windows Crypto API already included in the operating system, which ensures a reliable encryption process, without errors.

In many new ransomware, the RSA public key is embedded in the code, while the basis key is often generated when a function generates random bytes and calculates the corresponding MD5 hash, which is converted into the key needed to start the encryption.

In this way, no key is transferred between the victim and the server which already has the RSA private key, while the basis key is provided by the victim when the decryption is required (paying the ransom).

More frequently it happens that many new ransomware have elements which make them dangerous in the short-to-medium term; in particular, they tend to be as unidentifiable as possible: no direct interaction with the server for the key exchange, dynamic changes to the extensions of the encrypted files and, as I said, the use of functions already present in the operating system.
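As an added example (not code from either post), this is the kind of I/O-behaviour check post #3 refers to, combined with the extension-change signal post #4 describes: it scores each process by the number of high-entropy file writes plus extension-changing renames over constructed sample events, and it works the same whether the malware calls the Windows Crypto API or its own library. The event format, thresholds and paths are assumptions for the example.

```python
import hashlib
import math
import os
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.0    # bits/byte; office documents and text rarely exceed ~6
MIN_ENCRYPTED_WRITES = 3   # distinct files with ciphertext-like content per process
MIN_EXT_CHANGES = 3        # renames that swap the file extension per process


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension_changed(old_path: str, new_path: str) -> bool:
    return os.path.splitext(old_path)[1].lower() != os.path.splitext(new_path)[1].lower()


def score_processes(events):
    """Return {pid: (high_entropy_files, extension_changes)} from assumed I/O events."""
    high_entropy = defaultdict(set)
    ext_renames = defaultdict(int)
    for ev in events:
        if ev["op"] == "write" and shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD:
            high_entropy[ev["pid"]].add(ev["path"])
        elif ev["op"] == "rename" and extension_changed(ev["path"], ev["new_path"]):
            ext_renames[ev["pid"]] += 1
    return {p: (len(high_entropy[p]), ext_renames[p]) for p in set(high_entropy) | set(ext_renames)}


def flag_ransomware_like(events):
    """PIDs showing both signals; a lone high-entropy writer (e.g. an archiver) is not flagged."""
    return sorted(p for p, (h, r) in score_processes(events).items()
                  if h >= MIN_ENCRYPTED_WRITES and r >= MIN_EXT_CHANGES)


# Constructed sample telemetry (not real captures): 4096 pseudo-random bytes stand in for ciphertext.
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PLAINTEXT = b"Quarterly report: revenue rose 4% year on year.\n" * 80
DOCS = "C:/Users/alice/Documents/"
SAMPLE_EVENTS = (
    [{"pid": 4242, "op": "write", "path": f"{DOCS}{n}.docx", "data": CIPHERTEXT} for n in ("q1", "q2", "q3")]
    + [{"pid": 4242, "op": "rename", "path": f"{DOCS}{n}.docx", "new_path": f"{DOCS}{n}.docx.locked"}
       for n in ("q1", "q2", "q3")]
    + [{"pid": 1000, "op": "write", "path": f"{DOCS}notes.txt", "data": PLAINTEXT},     # text editor
       {"pid": 1000, "op": "rename", "path": f"{DOCS}notes.txt", "new_path": f"{DOCS}notes-old.txt"},
       {"pid": 2000, "op": "write", "path": f"{DOCS}backup.zip", "data": CIPHERTEXT}]    # archiver
)
```

Running `flag_ransomware_like(SAMPLE_EVENTS)` flags only PID 4242; the archiver's single high-entropy write and the editor's same-extension rename fall below the thresholds.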
 