Magniber v2 Ransomware Decryption: Exploiting the Vulnerability of a Self-Developed Pseudo Random Number Generator
Main Authors: | Sehoon Lee, Myungseo Park, Jongsung Kim |
---|---|
Format: | Article |
Language: | English |
Published: | MDPI AG, 2020-12-01 |
Series: | Electronics |
Subjects: | ransomware; magniber; decryption; cryptography |
Online Access: | https://www.mdpi.com/2079-9292/10/1/16 |
Field | Value |
---|---|
_version_ | 1797543630306541568 |
author | Sehoon Lee; Myungseo Park; Jongsung Kim |
author_sort | Sehoon Lee |
collection | DOAJ |
description | With the rapid increase in computer storage capabilities, user data has become increasingly important. Although user data can be maintained by various protection techniques, its safety has been threatened by the advent of ransomware, defined as malware that encrypts user data, such as documents, photographs and videos, and demands money from victims in exchange for data recovery. Ransomware-infected files can be recovered only by obtaining the encryption key used to encrypt the files. However, the encryption key is derived using a Pseudo Random Number Generator (PRNG) and is recoverable only by the attacker. For this reason, the encryption keys of malware are known to be difficult to obtain. In this paper, we analyzed Magniber v2, which has exerted a large impact in the Asian region. We revealed the operation process of Magniber v2, including its PRNG and file encryption algorithms. In our analysis, we found a vulnerability in the PRNG of Magniber v2 developed by the attacker. We exploited this vulnerability to successfully recover the encryption keys, a result we verified through padding verification and statistical randomness tests. To our knowledge, we report the first recovery result of Magniber v2-infected files. |
first_indexed | 2024-03-10T13:48:21Z |
format | Article |
id | doaj.art-57c345e1617f4605a0699b82307a3065 |
institution | Directory Open Access Journal |
issn | 2079-9292 |
language | English |
last_indexed | 2024-03-10T13:48:21Z |
publishDate | 2020-12-01 |
publisher | MDPI AG |
record_format | Article |
series | Electronics |
spelling | Record doaj.art-57c345e1617f4605a0699b82307a3065, indexed 2023-11-21T02:24:11Z, eng, MDPI AG, Electronics (ISSN 2079-9292), 2020-12-01, vol. 10, no. 1, article 16, DOI 10.3390/electronics10010016. Title: Magniber v2 Ransomware Decryption: Exploiting the Vulnerability of a Self-Developed Pseudo Random Number Generator. Authors: Sehoon Lee, Myungseo Park, Jongsung Kim (each: Department of Financial Information Security, Kookmin University, Seoul 02707, Korea). Abstract as in the description field. URL: https://www.mdpi.com/2079-9292/10/1/16. Keywords: ransomware, magniber, decryption, cryptography. |
title | Magniber v2 Ransomware Decryption: Exploiting the Vulnerability of a Self-Developed Pseudo Random Number Generator |
topic | ransomware; magniber; decryption; cryptography |
url | https://www.mdpi.com/2079-9292/10/1/16 |