
Detect secret key material in use by the encrypting process

Open unixist opened this issue 9 years ago • 3 comments

After stopping the process (or on Windows, before killing it), iterate over the process' memory maps and open files to detect known signatures of key material, e.g. "-----BEGIN RSA PRIVATE KEY-----".

Another potential search criteria is entropy. Look for randomness within the memory regions and open files, then save off interesting memory pages for later analysis.

unixist avatar Jul 07 '16 20:07 unixist

> Another potential search criteria is entropy. Look for randomness within the memory regions and open files, then save off interesting memory pages for later analysis.

While it may be a better option, it may be processor intensive; however, we would only do this after we detect and disrupt the ransomware.

cy-fir avatar Jul 15 '16 15:07 cy-fir

> After stopping the process (or on Windows, before killing it), iterate over the process' memory maps and open files to detect known signatures of key material, e.g. "-----BEGIN RSA PRIVATE KEY-----".

Agreed. Will need a few various types of samples to test, as some may behave differently... I'll start with Jigsaw to be consistent with the test cases.

cy-fir avatar Jul 15 '16 15:07 cy-fir

Good idea. And some malware will use symmetric keys, which will be much harder to detect, being smaller and non-ASCII.

unixist avatar Jul 15 '16 16:07 unixist
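The two searches proposed in this thread (a signature sweep for PEM markers over a stopped process's memory, and an entropy pass to flag pages that may hold non-ASCII symmetric keys) can be sketched as a small Go scanner. The code below is an added example written for this discussion; it is not part of cryptostalker. It parses a constructed `/proc/<pid>/maps` snippet, runs both checks over a constructed three-page buffer that stands in for one writable region, and returns the results as values rather than only printing them. The function names, the marker list, the page size and the 7.5-bit entropy threshold are all assumptions chosen for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"math"
	"math/rand"
	"strconv"
	"strings"
)

// sampleMaps is a constructed /proc/<pid>/maps excerpt, not captured from a real process.
const sampleMaps = `00400000-0040b000 r-xp 00000000 08:01 1234 /usr/bin/example
0060a000-0060b000 rw-p 0000a000 08:01 1234 /usr/bin/example
01a2c000-01a4d000 rw-p 00000000 00:00 0 [heap]
7ffd3c1e0000-7ffd3c201000 rw-p 00000000 00:00 0 [stack]
`

// Region is one parsed line of /proc/<pid>/maps.
type Region struct {
	Start, End uint64
	Perms      string
	Path       string
}

// ParseMaps turns maps text into regions; Path is empty for anonymous mappings.
func ParseMaps(text string) ([]Region, error) {
	var regions []Region
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		fields := strings.Fields(line)
		if len(fields) < 5 {
			return nil, fmt.Errorf("malformed maps line: %q", line)
		}
		bounds := strings.SplitN(fields[0], "-", 2)
		if len(bounds) != 2 {
			return nil, fmt.Errorf("malformed address range: %q", fields[0])
		}
		start, err := strconv.ParseUint(bounds[0], 16, 64)
		if err != nil {
			return nil, err
		}
		end, err := strconv.ParseUint(bounds[1], 16, 64)
		if err != nil {
			return nil, err
		}
		r := Region{Start: start, End: end, Perms: fields[1]}
		if len(fields) > 5 {
			r.Path = fields[5]
		}
		regions = append(regions, r)
	}
	return regions, nil
}

// Writable reports whether the mapping is writable; runtime key buffers live in such regions.
func (r Region) Writable() bool { return len(r.Perms) >= 2 && r.Perms[1] == 'w' }

// pemMarkers are ASCII signatures of private key material (assumed list for the example).
var pemMarkers = [][]byte{
	[]byte("-----BEGIN RSA PRIVATE KEY-----"),
	[]byte("-----BEGIN EC PRIVATE KEY-----"),
	[]byte("-----BEGIN PRIVATE KEY-----"),
	[]byte("-----BEGIN OPENSSH PRIVATE KEY-----"),
}

// Hit records one marker match and its byte offset inside the scanned buffer.
type Hit struct {
	Offset int
	Marker string
}

// FindPEMMarkers returns every occurrence of a known marker in buf.
func FindPEMMarkers(buf []byte) []Hit {
	var hits []Hit
	for _, m := range pemMarkers {
		for off := 0; ; {
			i := bytes.Index(buf[off:], m)
			if i < 0 {
				break
			}
			hits = append(hits, Hit{Offset: off + i, Marker: string(m)})
			off += i + len(m)
		}
	}
	return hits
}

// ShannonEntropy returns bits per byte: 0 for empty or constant input, close to 8 for random bytes.
func ShannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n, h := float64(len(b)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// HighEntropyPages splits buf into pageSize chunks and returns the indices whose
// entropy exceeds threshold; those are the pages worth saving for later analysis.
func HighEntropyPages(buf []byte, pageSize int, threshold float64) []int {
	var pages []int
	for i := 0; i*pageSize < len(buf); i++ {
		end := (i + 1) * pageSize
		if end > len(buf) {
			end = len(buf)
		}
		if ShannonEntropy(buf[i*pageSize:end]) > threshold {
			pages = append(pages, i)
		}
	}
	return pages
}

// BuildSampleRegion constructs a fake three-page region: page 0 holds text with a PEM
// marker, page 1 is zero-filled, page 2 is pseudo-random (stands in for a symmetric key buffer).
func BuildSampleRegion(pageSize int) []byte {
	buf := make([]byte, 3*pageSize)
	copy(buf[100:], "config loaded\n-----BEGIN RSA PRIVATE KEY-----\n(key body omitted in this constructed sample)\n")
	rng := rand.New(rand.NewSource(1)) // fixed seed so the example is reproducible
	for i := 2 * pageSize; i < len(buf); i++ {
		buf[i] = byte(rng.Intn(256))
	}
	return buf
}

func main() {
	regions, err := ParseMaps(sampleMaps)
	if err != nil {
		panic(err)
	}
	for _, r := range regions {
		if r.Writable() {
			fmt.Printf("candidate region %x-%x %s %s\n", r.Start, r.End, r.Perms, r.Path)
		}
	}
	buf := BuildSampleRegion(4096)
	for _, h := range FindPEMMarkers(buf) {
		fmt.Printf("signature %q at offset %d\n", h.Marker, h.Offset)
	}
	fmt.Println("high-entropy pages:", HighEntropyPages(buf, 4096, 7.5))
}
```

On Linux the same two functions would be fed with bytes read from `/proc/<pid>/mem` at each writable region's `Start..End` range after the process has been stopped; writing flagged pages to disk is left to the caller. The entropy pass is the expensive one, which is why it is gated on the region list rather than run over the whole address space.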