Extracting ransomware's keys by utilizing memory forensics
Ransomware continues to evolve and has established itself as the cyber weapon of choice for financially motivated cybercriminals. The current state of ransomware threats necessitates defense-in-depth strategies; in particular, more response and recovery solutions are required to thwart ransomware in the late stages of an attack. To that end, we introduce pickpocket, which exploits a side-channel vulnerability in ransomware: in-memory key exposure during encryption. Perpetrators do not control the host performing the encryption, so this "white box" system affords access to the decryption keys by facilitating an in-memory attack on the ransomware. Since it is these keys that are ransomed, the user's ability to extract them cripples the attack. Such key extraction is the only recourse in the frequent scenario where both intrusion prevention and backups have failed. The novelty of pickpocket lies in extracting cryptographic material from system memory during the process of malicious encryption. The primary insight of this work is that conventional implementations of cryptographic algorithms deployed by ransomware are highly vulnerable when a hostile entity controls the execution environment. Our work differs from existing solutions in that we provide response and recovery when all existing solutions have failed; that is, we provide the last line of defense. By providing access to the decryption keys, we remove the ransomware's leverage over the victim, enable an alternative path to file restoration, and thus eliminate the need to pay the ransom.
- In Collections: Electronic Theses & Dissertations
- Copyright Status: In Copyright
- Material Type: Theses
- Authors: Bajpai, Pranshu
- Thesis Advisors: Enbody, Richard J.
- Committee Members: Ross, Arun A.; Esfahanian, Abdol; Holt, Thomas J.
- Date Published: 2020
- Program of Study: Computer Science - Doctor of Philosophy
- Degree Level: Doctoral
- Language: English
- Pages: xii, 193 pages
- ISBN: 9798641839110
- Permalink: https://doi.org/doi:10.25335/scj4-7751