This article describes the process of capturing encryption keys from ransomware using Elastic Defend ransomware protection.

TL;DR

Introduction

Current state of protection

How ransomware (usually) works, and why it matters

Understanding the Canary files feature in Elastic Endpoint 

Extending our canary protection to generate process snapshots

The basic underlying concept

Implementation

In kernel land

In user land

Real-life examples

Recovering keys from process runtime: the case of NOTPETYA

Predicting encryption keys from the process runtime: the case of WANNACRY

Deep dive into Windows (Pseudo-)random Number generation

Pseudo-Random number prediction through user-mode emulation of the memory dump

Incorporating this research into the Elastic Endpoint

Closing remarks

Ransomware in the honeypot: how we capture keys with sticky canary files

This is the first in a series focused on the Time Travel Debugging (TTD) technology developed by Microsoft that was explored in detail during a recent independent research period.

Command line parameters

TTD process injection

Chasing after the PPL debugging token

Understanding Code Integrity policies

Offensive TTD

Tracing != Debugging

The curious case of ProcLaunchMon

CreateDump.exe

Defensive TTD

Blocking TTD

Detecting TTD

Acknowledgement

Deep dive into the TTD ecosystem

Author

Christophe Alladoum

Articles

Ransomware in the honeypot: how we capture keys with sticky canary files

Deep dive into the TTD ecosystem