计算机工程与应用 ›› 2019, Vol. 55 ›› Issue (10): 96-102.DOI: 10.3778/j.issn.1002-8331.1803-0277

• 网络、通信与安全 • 上一篇    下一篇

混合加密型勒索软件密文还原方法研究

于  慧1,2,彭国军1,2,蔡凯峰1,2   

  1. 1.武汉大学 空天信息安全与可信计算教育部重点实验室,武汉 430072
    2.武汉大学 国家网络安全学院,武汉 430072
  • 出版日期:2019-05-15 发布日期:2019-05-13

Research on File Recovery Method Against Ransomware Using Hybrid Pattern Cryptographic System

YU Hui1,2, PENG Guojun1,2, CAI Kaifeng1,2   

  1. 1.Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University, Wuhan 430072, China
    2.School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
  • Online:2019-05-15 Published:2019-05-13

摘要: 以混合加密型勒索软件为研究对象,将设置诱饵文件和文件操作监控方法相结合,获取勒索软件文件加密过程中采用的加密密钥、加密算法、密文起始字段和密文长度等相关信息,并提出了被加密文件的还原方法。针对8个流行的勒索软件家族进行密文还原测试,测试结果表明了提出的还原方法的有效性。该密文还原方法适用于混合加密勒索软件密文还原,是现行勒索软件防御策略的有效补充。

关键词: 勒索软件, 混合加密, 诱饵文件, 文件操作监控, 密文还原

Abstract: In this paper, ransomware using hybrid pattern cryptographic system is taken as the research object. By combining decoy files and file operation monitoring, encryption key, encryption algorithm, the first few bytes of cipher text, the size of cipher text and other details while ransomware encrypting files can be obtained, and this paper proposes a new  file recovery approach. This paper evaluates the file recovery approach against 8 active ransomware families, and the results show that the file recovery approach proposed in this paper is effective. The file recovery approach is suitable for file recovery, which is an effective complement to fill the gap in current strategy of ransomware defense.

Key words: ransomware, hybrid pattern cryptographic system, decoy files, file operation monitoring, cipher text recovery