Paper 2017/558

Detecting Large Integer Arithmetic for Defense Against Crypto Ransomware

Mehmet Sabir Kiraz, Ziya Alper Genç, and Erdinç Öztürk

Abstract

The evolution of crypto ransomware has increasingly influenced real-life systems and led to fatal threats to the data security of individuals and enterprises. Crypto ransomware encrypts victims' files using either standard or custom crypto functions and demands a ransom from users to recover them. In this paper, we propose a new detection and analysis approach, called ExpMonitor, which targets the public key cryptographic algorithms that ransomware carries out on the victim's computer. ExpMonitor is based on observing public key encryption running on the CPU. Monitoring integer multiplication instructions can detect large integer arithmetic operations, which constitute the backbone of public key encryption. While existing detection mechanisms can only target particular cryptographic functions, our technique complements the state of the art.

Note: Typos corrected.

Metadata
Available format(s)
-- withdrawn --
Publication info
Preprint. MINOR revision.
Keywords
Crypto Ransomware, Malware Analysis, Public Key Encryption, Modular Exponentiation
Contact author(s)
mehmet kiraz @ tubitak gov tr
History
2017-11-06: withdrawn
2017-06-08: received
Short URL
https://ia.cr/2017/558
License
Creative Commons Attribution
CC BY