We are familiar with the problem of ransomware – malicious software that seeks to encrypt user data and demand a ransom in return for the decryption key.
There are several defensive measures that help against crypto-malware. Backups work, in theory, but they are not always available and are often partial. We need to realize that ransomware continues, and will continue, to find victims.
These victims are not eCrime, DefCon or BSides conference attendees. Mostly, they are average computer users. In the past, ransomware developers and operators have gone for the low-hanging fruit – victims who fall for common phishing scams, expose RDP services with poor passwords, neglect security updates, etc. Targeted ransomware is now seeking bigger victims, as seen in the case of the City of Atlanta.
In our paper, we assume that crypto-malware has already infiltrated the host. What can be done from this point forward as a corrective measure for victims? Can we get files back without paying the ransom? Here, we realized that not all ransomware is the same. Some families can be broken because of their poor cryptosystems. But which ones? We need a classification system.