Cryptology ePrint Archive: Report 2017/558

Detecting Large Integer Arithmetic for Defense Against Crypto Ransomware

Mehmet Sabir Kiraz and Ziya Alper Genç and Erdinç Öztürk

Abstract: The evolution of crypto ransomware has increasingly influenced real-life systems and led to fatal threats to the data security of individuals and enterprises. Crypto ransomware basically encrypts victims' files using either standard or its own customized crypto functions and requests a ransom from users to retrieve them again. In this paper, we propose a new detection and analysis approach, called ExpMonitor, which basically targets ransomware's public key cryptographic algorithms carried out on the victim's computer. ExpMonitor is based on observing public key encryption running on the CPU. Monitoring integer multiplication instructions can detect large integer arithmetic operations, which constitute the backbone of public key encryption. While existing detection mechanisms can only target particular cryptographic functions, our technique complements the state of the art.

Category / Keywords: Crypto Ransomware, Malware Analysis, Public Key Encryption, Modular Exponentiation

Date: received 7 Jun 2017, last revised 7 Jun 2017

Contact author: mehmet kiraz at tubitak gov tr

Note: Typos corrected.

Version: 20170608:200345
