Does anyone know Ransomware that uses its own cryptographic API?

Discussion in 'Malware Analysis' started by chicchi, Jul 24, 2017.

  1. chicchi (Level 1)
    I am a college student who is studying ransomware.
    Does anyone know ransomware that uses its own cryptographic API?
  2. Vasudev (Level 22)
  3. Opcode (Level 18, Content Creator)
    I cannot think of one off the top of my head but there is bound to be one out there; there are open-source cryptography projects online so I would imagine others would have done similar work for bad purposes.

    I doubt it would be too much of a benefit for someone to make their own library for it though, because behaviour detection by security products is usually done by monitoring I/O activity, and writing your own cryptography library should not evade detection that way.
  4. tim one (Level 19, Trusted AV Tester)
    Ransomware using its own cryptographic API will exist for sure, but often the tendency is to use the Windows Crypto API, already included in the operating system, which ensures a reliable encryption process without errors.

    In many new ransomware variants, the RSA public key is embedded in the code, while the basis key is often generated when a function generates random bytes and calculates the corresponding MD5 hash, which is converted into the key needed to start the encryption.

    In this way, no key is transferred between the victim and the server, which already has the RSA private key, while the basis key is provided by the victim when decryption is required (after paying the ransom).

    More and more often, new ransomware has elements which make it dangerous in the short-to-medium term; in particular, it tends to be as hard to identify as possible: no direct interaction with the server for the key exchange, dynamic changes of the extensions of the encrypted files and, as I said, the use of functions already present in the operating system.
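As an added example (not code from this thread or from any product), here is the kind of behavioural I/O heuristic Opcode refers to, also flagging the extension changes tim one mentions. It runs over constructed file-system events; the event format, thresholds and process ids are assumptions for illustration.

```python
import math
import ntpath
import random
from collections import Counter, defaultdict

# Constructed file-system events, as a monitoring sensor might report them
# (not from any real product or sample): (pid, op, path, payload), where
# payload is the data written for WRITE and the new path for RENAME.
_rng = random.Random(2017)
def _rand(n):  # deterministic "ciphertext-like" filler for the sample
    return bytes(_rng.getrandbits(8) for _ in range(n))

EVENTS = [
    (100, "WRITE",  r"C:\Users\a\report.docx", b"Quarterly report text " * 50),
    (200, "WRITE",  r"C:\Users\a\photo.jpg",   _rand(4096)),
    (200, "RENAME", r"C:\Users\a\photo.jpg",   r"C:\Users\a\photo.jpg.locked"),
    (200, "WRITE",  r"C:\Users\a\notes.txt",   _rand(4096)),
    (200, "RENAME", r"C:\Users\a\notes.txt",   r"C:\Users\a\notes.txt.locked"),
    (200, "WRITE",  r"C:\Users\a\cv.pdf",      _rand(4096)),
    (200, "RENAME", r"C:\Users\a\cv.pdf",      r"C:\Users\a\cv.pdf.locked"),
    (300, "WRITE",  r"C:\Users\a\backup.zip",  _rand(4096)),  # one archive write is normal
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext and compressed data sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def analyse(events, entropy_threshold=7.5, min_files=3):
    """Flag a pid that both overwrites several files with high-entropy data
    and renames several files to a different extension. Which crypto library
    produced the data never enters into it; only the I/O pattern does."""
    stats = defaultdict(lambda: {"high_entropy_writes": 0, "ext_changes": 0, "new_exts": set()})
    for pid, op, path, payload in events:
        s = stats[pid]
        if op == "WRITE" and shannon_entropy(payload) >= entropy_threshold:
            s["high_entropy_writes"] += 1
        elif op == "RENAME":
            old_ext = ntpath.splitext(path)[1].lower()
            new_ext = ntpath.splitext(payload)[1].lower()
            if new_ext and new_ext != old_ext:
                s["ext_changes"] += 1
                s["new_exts"].add(new_ext)
    return {pid: s for pid, s in stats.items()
            if s["high_entropy_writes"] >= min_files and s["ext_changes"] >= min_files}

if __name__ == "__main__":
    for pid, s in analyse(EVENTS).items():
        print(f"pid {pid}: {s['high_entropy_writes']} high-entropy writes, "
              f"{s['ext_changes']} extension changes to {sorted(s['new_exts'])}")
```

Only pid 200 is reported: the single high-entropy write by pid 300 and the plain-text write by pid 100 stay below the thresholds.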