How to disable annoying Windows 10 notification sounds!

Written by Pranshu Bajpai | Twitter | LinkedIn

There are some Windows 10 notification (system) sounds that are quite annoying to say the least. I am not sure who decided that it was a good idea to choose these sounds for alert notifications in Windows 10. One in particular was quite annoying to me and I wanted to get rid of it. Here's how you can get rid of a specific Windows 10 notification sounds.

Locate the source

You have to first figure what sound(s) do you dislike the most and where they are originating from. For this, you can access 'change system sounds' in the Windows search bar. That brings up the 'sounds control panel'.

Over here, play the different sounds ('Test') and locate the source of the sound that you want to turn off. In my case, it was the Asterisk sound that originated from 'Windows Background.wav'. I tried to select 'None' for asterisk and apply the setting but the sounds would still play for other events. I wanted to completely get rid of that sound 'Windows Background.wav'. Therefore, I decided to just delete the source of the sounds -- the WAV file itself.

Delete the source

The WAV file is located in C:/Windows/media/. However, Windows would not let me simply delete the file since it is owned by 'TrustedInstaller'.

Alright, seems like I need to first take ownership of the file before I delete it. Right click on the WAV file and click 'Properties'. From here, access the 'Security' tab and then 'Advanced'. This will bring up a Window that tells us that the owner of the file currently is "TrustedInstaller". We need to modify this so click 'Change'. Type your username in the 'object name' area and hit 'Check Names'. It should populate the correct username. If it doesn't, go to advanced and hit 'Find Now' and select the correct name.

It should display a message saying something along the lines of "you have taken ownership of the file". You should now be able to delete the file.

Good riddance "Windows Background.wav". You will not be missed.

KringleCon | Python Escape from LA | CTF Challenge Solution

Written by Pranshu Bajpai | Twitter | LinkedIn

Python Escape from LA

This challenge is about breaking out of a restricted shell to execute a program that resides in the directory. In this case, we are provided a Python shell but we cannot import any modules that would let us perform advanced tasks such as executing a binary. The administrators have tried to ensure this by implementing what looks like a blacklist of words such as 'import' and 'exec'.

Playing around with the possibilities, we see that while print("import") would trigger the block on the word 'import', we can get around it the block with print("im" + "port") as shown above.

We know that 'import' and 'exec' are blacklisted, but 'eval()' is not! So if we can get eval() to import the 'os' module, we can then execute the binary. However, eval() works only on expressions but 'import' is a statement. So in order to counter this, we can try __import__ ("os")

We can see that we are now able to successfully import the module os. It is pretty straightforward after this point. The following expression will allow us to execute the binary:

>>> eval('__im'+'port__ ("os")').system('./i_escaped')

KringleCon | HR Incident Response | CTF Challenge Solution

Written by Pranshu Bajpai | Twitter | LinkedIn

Question 7 HR Incident Response

In this challenge, we are given a website with CSV upload capability and are asked to somehow gather information from the contents of the file: C:\candidate_evaluation.docx. Since the website allows CSV uploads, we can try some CSV injections to see if we can access the contents of the DOCX file. 

Now the file is stored in the root directory of C drive on a Windows system. To be able to access its contents, we need to "move" it to a public directory visible over the web. If we try to access a non-existent file then we are given the following error message.

This unnecessarily descriptive error message tells us two things: 1) the DOCX we are looking for does not currently reside in the /public/ directory, and 2) the absolute path to the /public/ directory is: C:\careerportal\resources\public\

So now we try to "move" the DOCX from the root directory to the public directory where we can access it. However, thinking about it, moving a file like that is more problematic in terms of permission issues. It is easier to just copy the file to the public directory. Now that we have an idea of what we need to do, we can move on to actually implementing it in terms of a CSV injection.

Our CSV injection only requires a simple copy command that will execute on the Windows system on the server side and perform the necessary copy operation. So let us create the following CSV file in a text editor:

=cmd|'/C copy C:\candidate_evaluation.docx C:\careerportal\resources\public\whothis.docx'!A0

A glitch I noticed in the way the CTF challenge was setup was that if there's a space between the '=cmd|' and the following ' (single quote) in the injection shown above, then the copy would not work on the server. However, when tested on a local Windows system, it works perfectly fine whether or not the space is present. For the sake of the challenge, we do it without the space and upload this CSV on the career portal website. After a few seconds, we are able to access the DOCX file in the public directory which indicates that the CSV command injection succeeded on server side.

I did not trust to open the DOCX on my local system, so I converted it to a PDF online and opened the resulting PDF which contained the sensitive information we needed to progress to the next challenge.

Password: Fancy Beaver

KringleCon | Dev Ops Fail | CTF Challenge Solution

Written by Pranshu Bajpai | Twitter | LinkedIn

Sparkle Redberry: Dev Ops Fail

In this challenge, we are asked to see if there are any credentials exposed as a result of git operations. We list the contents of the current directory and notice the directory containing the git repository. Once we cd into this directory, we see the files within the repository.

Judging by what the challenge has provided us so far, at some point, one of these files contained sensitive credentials hardcoded into it and then the repository was updated to remove them. To verify this, let us take a look at the git commit history:

git log

Notice git commit '60a2ffea7520ee980a5fc60177ff4d0633f2516b' is when the username/password was removed from config.js. So we want to revert the repository back to the state right before that commit. The commit right before that was 'b2376f4a93ca1889ba7d947c2d14be9a5d138802', so let us revert back to it.

git reset --soft b2376f4a93ca1889ba7d947c2d14be9a5d138802

We can now see the credentials hardcoded in the config.js file. 

Password: twinkletwinkletwinkle

KringleCon | Badge Manipulation Question 6 | CTF Challenge Solution

Written by Pranshu Bajpai | Twitter | LinkedIn

Question 6: Badge Manipulation

The objective for this challenge is simple -- we need to bypass the authentication mechanism. The way the authentication works is the machine "Scanomatic" scan a QR code on an employee badge and grants access depending if the QR code matches a proper record in the back-end database. So we immediately think of the possibility of an SQL injection attack here since the back-end database is involved. There are two ways of entering the QR code into the system: 1) scan it using the integrated webcam or 2) upload a QR code image. 2) is a much safer option since I am uncomfortable with the idea of enabling webcam access for a CTF website. Also, I have a webcam protector physically blocking my webcam and I have no intention of taking it down for this challenge.

So we need a way to inject SQL queries into the database. But first we need to have the SQL queries in the form of a QR code. This online QR code generator is pretty helpful. It accepts text input and converts it into QR code and provides the relevant image. We can then upload this image to the web interface.

So let us begin as we begin all SQL injection attacks. Test it with a single quote ' injected into the database and see if we can generate an error message. Sure enough, we see an error message that tells us all that we need to know.

It shows us a long error message which clearly identifies that the database type is MariaDB and that the SQL query is:

select first_name,last_name,enabled from employees where authorized = 1 and uid='{}' "limit 1".format({uid})

Now that is all that we needed to inject some valid SQL in there that can bypass authentication. So what do we need to bypass authentication? Basically, the account should be authorized and enabled. 

To make the query valid we can use the # to comment out the rest of the query after our point of injection. Our point of injection is the field 'uid'. So we can the end uid field with single quote ' followed by a #. So we try the following injection:

' #

That gives us a 'no authorized user account found' error message.

Alright, so we need to provide it an always True condition to nullify the 'where authorized = 1' part of the query. So let's try the following injection:

' or 1=1 #

The '1=1' part in our injection is the always true and nullifies the authorization = 1 part.  When we try this injection, we are presented with a new error message: 'authorized user account has been disabled'.

We need one final bypass for the 'enabled' part of the SQL query. So we need to formulate our injection such that both authorization and enabled are bypassed. Let's try the following:

' or enabled = 1 #

This ensures that it shows us a record of the first employee where the account is currently enabled. Finally, we are able to bypass authentication and are greeted with an 'access granted' message that reveals the control number that we need to solve this challenge. Note that after this injection, our SQL query would basically take this form:

select first_name,last_name,enabled from employees where authorized = 1 and uid='' or enabled = 1 #

Answer: 19880715

KringleCon | Yule Log Analysis | CTF Challenge Solution

Written by Pranshu Bajpai | Twitter | LinkedIn

Pepper Minstix: Yule Log Analysis

 

As part of this challenge, we are looking at Microsoft Event Viewer Logs to discover an instance of password spraying that eventually succeeded. Password spraying is when attackers use different usernames in rotation to attempt login. This is done to prevent account lockout during password guessing or brute forcing. For example, if an attacker provides incorrect password more than 3 times within a certain time period for the same account, they would be locked out. However, if they tried the same password for different usernames, they would buy themselves more time before hitting the same username again with a different password. This has the potential to prevent account lockout which allows the attackers to keep going.

We are to look for evidence of password spraying in the logs and zero in on an instance when the attackers were able to successfully login as a user. The solution to the challenge will then be the user that the attackers logged in as. We are provided with a python log parser that is able to read the logs and provide us with intelligible logs. As expected, there is a lot of events in the logs which would take us a long time to manually go through. So we need to write regex or grep queries to quickly locate events of interest. Let's take a look at the logs:

evtx_dump.py ho-ho-no.evtx | more

It's a markup format with each event enclosed with the <Event> tags and identified with EventID. To understand the EventIDs, we refer to this resource online. Basically, we need to understand what these event IDs imply. Looking at the resource, we are able to determine that EventID 4624 refers to a successful login where as 4625 means that an account failed to logon.

ID	Message
4624	An account was successfully logged on.
4625	An account failed to log on.

A password spraying attack would involve a series of 4625 events with different usernames. In this case, we are investigating a successful login by the adversary so we know that it will be a series of 4625 event, followed by a 4624 event (successful login). Then to solve this challenge, we have to extract the username from that 4624 event. So let us begin analyzing the logs with this information in mind.

First, let's look for a lot of 4625 events to identify our adversary:

evtx_dump.py ho-ho-no.evtx | grep "4625" -A 20 -B 20

Looks like a majority of the 4625 events are initiated by the remote IP address: 172.31.254.101. So I'm thinking that is our threat actor. Note that their SID is S-1-5-18. Now using this information, we zero in on their activities -- particularly, we try to figure out where they got a 4624 event (meaning they successfully logged in).

evtx_dump.py ho-ho-no.evtx | grep 'ess">172.31' -A 10 -B 35 | grep "S-1-5-18" -A 22 -B 16 | grep "4624" -A 35 -B 1

This record clearly shows that the threat actor 172.31.254.101 logged in successfully (4624) with the username minty.candycane.

Answer: minty.candycane

KringleCon | CURLing Master & AD Privilege Discovery | CTF Challenge Solution

Written by Pranshu Bajpai | Twitter | LinkedIn

Holly Evergreen: CURLing Master

 

We know that the candy striper machine can be turned on by sending a request to port 8080 on localhost (127.0.0.1). But we do not know what request to send. To investigate further, we send a generic request for the URL localhost at port 8080. We weren’t able to get an intelligible response to this request. Recall that Holly Evergreen hinted at HTTP2. We use the  --http2 option in curl to see if we can get an intelligible response. No good. So we try again with the --http2-prior-knowledge option and are able to get a readable response from the server. This response tells us that we simply need to make a POST request with the parameter status set to on.

We are able to get the candy stripper machine started after sending the required POST request in the following manner:

  curl http://localhost:8080 --http2-prior-knowledge -d status=on

Question 5 AD Privilege Discovery

 

This challenge asks us to find a reliable path from a Kerberoastable user to the Domain Admins group. This is easy to do using the tool bloodhound. We are given an virtual machine image as part of the challenge with the tool and the relevant data already loaded on it. All we have to do is mount the image and utilize the bloodhound tool to locate the Kerberoastable users.

Bloodhound has preset queries, one of which is 'shortest path to domain admins from Kerberoastable users. We use this query and are presented with the following path diagram that shows paths from Kerberoastable users to domain admins. After we eliminate any path that has RDP, the shortest path we get is from user LDUBEJ00320@AD.KRINGLECASTLE.COM

Answer: LDUBEJ00320@AD.KRINGLECASTLE.COM

KringleCon | Stall Mucking Report & Data Repo Analysis | CTF Challenge Solution

Written by Pranshu Bajpai | Twitter | LinkedIn

Wunorse Openslae: Stall Mucking Report

We are told that a Samba share with shared network credentials is used to upload the file on the server. These 

shared credentials can be revealed via ‘ps’ if they were entered in command-line mode. We use ps with the -e 

(view every process on system) and -ww (unlimited width) flag to reveal the username and password used for 

uploading the report.

Once we have the credentials, we can use them to upload the report using smbclient:

smbclient //localhost/report-upload/ -c ‘report.txt ; put report.txt’ -U 

report-upload directreindeerflatterystable

Bonus

The password to the Samba share (‘directreindeerflatterystable’) seems to be a play on 

‘correcthorsebatterystaple’ -- the xkcd comic.

Suggested remediation: Using something like secret-tool to look up passwords in the Gnome keyring is 

safer than passing credentials in the command-line or storing them in a file.

Question 4

Wunorse Openslae gave us the tip to use the tool ‘truffleHog’ to dig through code repositories for exposed 

credentials. TruffleHog searches through repos, locating strings with high entropy. Sensitive information such 

as passwords traditionally have higher entropy. This tool was a great find for me and it quite straightforward to 

use. It was able to locate the password in the North Pole Git repository in no time.

trufflehog https://git.kringlecastle.com/Upatree/santas_castle_automation

So much for “hopefully this is the last time we have to change our password against until next Christmas”.

KringleCon | Tangle Coalbox & de Bruijn Sequences | CTF Solution

Written by Pranshu Bajpai | Twitter | LinkedIn

Tangle Coalbox: Lethal ForensicELFication

The poem that introduces the challenge talks about certain “text editors” leaving behind clues. Vim immediately 

comes to mind. We know that Vim logs information about deletions and searchers into a file called .viminfo. 

By default it is stored at ~/.viminfo. The dot (.) represents a hidden file. So we perform a file listing with -a 

option to see the hidden files. We notice .viminfo and pull out its contents. We notice that a search and replace 

was done that substituted the word Elinore with NEVERMORE.

We can turn off Vim logging by using :set viminfo=

Answer: Elinore

Question 3 de Bruijn Sequences

This question asks us what welcome message greets the speaker. If we look at the website that holds the door 

authentication challenge, we find that the welcome message is exposed in the HTML.

This allows us to directly access the victory banner image and gather the victory message and complete the 

challenge. However, to actually unlock the door, we can either follow the suggested de Bruijn Sequences or 

perform an exhaustive search for the permutation that opens the door. There are only 4 x 4 x 4 x 4 = 256 

possible candidates. I decided to brute force it and used Burp Suite Intruder to send all possible candidates to 

the server and notice which one garners a positive response from the server.

We notice that the sequence 0120 was accepted as the correct guess by the server. So we now know that the 

correct sequence of shapes is as follows:

Answer: Welcome unprepared speaker!

KringleCon | The Name Game & Directory Browsing | CTF Challenge Solution

Written by Pranshu Bajpai | Twitter | LinkedIn

Minty Candycane: The Name Game

This challenge presents us with an onboarding system written in Powershell. There’s a command injection 
vulnerability in the system that allows us to injection arbitrary commands after the ; is used to end the previous
query. For example, we can select option 2 in the onboarding system, and inject:

; sqlite3 ;

This allows us to enter the sqlite environment where we can query the database to discover the relevant
information as shown in the figure.

Answer: Scott

Question 2 Directory Browsing

This one a simple directory traversal vulnerability where when we click on ‘apply now’, we are redirected to the
following URL:

https://cfp.kringlecastle.com/cfp/cfp.html

If we remove the cfp.html and try to navigate to the cfp directory, the directory traversal vulnerability is apparent.
The files in this directory are listed for everyone on the Internet to see. We can now access ‘rejected_talks.csv’ 
which gives us the information we need to progress to the next challenge.

Answer: John McClane

KringleCon | Essential Editor Skills & Orientation Challenge | CTF Solution

Written by Pranshu Bajpai | Twitter | LinkedIn

Bushy Evergreen: Essential Editor Skills

This challenge asked us to exit a vi terminal screen. This one was quite easy. We know that the way to do that is 
‘ESC + :q’ or ESC + ‘:q!’. Additional vi shortcuts are listed here: 
http://www.atmos.albany.edu/daes/atmclasses/atm350/vi_cheat_sheet.pdf

Bushy now reveals that we can glean the answers to the next question from the past challenges or by hearing Ed’s 
welcome talk.

Question 1 Orientation Challenge

Past challenges’ storyboards are available at:

• https://www.holidayhackchallenge.com/2017/
• https://www.holidayhackchallenge.com/2016/
• https://www.holidayhackchallenge.com/2015/

We go through these challenges quickly to determine the answers to the quiz questions. For example, the answer
to the first question is ‘firmware’ as shown by “Firmware Analysis for Fun and Profit” in the 2015 holiday hack 
challenges.

• Answer 1: Firmware  
• Answer 2: ATNAS  
• Answer 3: Business card  
• Answer 4: Cranberry Pi  
• Answer 5: Snowballs  
• Answer 6: The great book

Selecting all the correct answers reveals the secret code ‘Happy Trails’ to progress to the next stage.

Repair Bootcamp partition boot entry missing after disk resize

Written by Pranshu Bajpai | Twitter | LinkedIn

I recently installed the latest copy of Mac OS X and lost the Bootcamp Windows partition boot entry from the MBR (Master Boot Record). It took a series of steps to get the Bootcamp partition boot entry back into the MBR and so I decided to document the procedure. On an unrelated note, this write up also involved resetting the Windows 7 password since I realized that I forgot the Windows password.

The problem is that when the disk structure is modified, the Bootcamp boot entry is lost from the MBR. However, the partition still exists and the files within the Bootcamp partition are untouched. This can be verified by logging into the alternate OS (Mac OS X) and using Disk Utility to look at the partition structure. The Bootcamp partition should still be there. If it is, the file explorer can be used to verify that the files within the Bootcamp partition all still exist. We can now begin restoration of the Bootcamp boot entry.

Step 1. Obtain gptfdisk

 

Head over to sourceforge and obtain the latest copy of gptfdisk: https://sourceforge.net/projects/gptfdisk/

We will use this tool to derive some disk information. After installing this tool, bring up a Terminal window and execute:

sudo gpt -r -vv show disk0
sudo fdisk /dev/disk0
diskutil list

Locate the Bootcamp partition and notice the partition number assigned to it. In my case, it was 5. You can also verify this in Disk Utility where clicking info about the Bootcamp partition should show something like disk0s5,also note that the bootable flag is likely set to no at this time.

Now that we are equipped with the knowledge of what the disk number is for the Bootcamp partition, we can begin the procedure of restoring the Bootcamp entry in MBR.

Step 2. Restore Bootcamp entry in the MBR

 

Use the gdisk tool as follows to restore the partition entry:

sudo gdisk /dev/disk0
r
h
5
Place EFI GPT (0xEE) partition first in MBR (good for GRUB)? y
accept default code of 07
set bootable flag? y
do not protect more partitions? n
o
w
proceed? y

Exit the terminal at this point and restart Mac. Press and hold the ALT key at boot time and the Bootcamp boot entry should now appear in the MBR. We have fixed the problem.

Addendum

 

I forgot the Windows 7 password since I hadn't logged into for a while (I don't really use this Windows partition for another but to play some games and I couldn't even do that with the Bootcamp boot entry missing). So now I had to find a way to reset Windows 7 password. Turns out the old renaming sethc, copying command prompt executable and renaming it sethc.exe trick still works! Here's how it goes.

Step 1. Restart Windows and hard reset (long press the power button) as the Windows icon appears on the screen. Windows should now start in repair mode.

Step 2. Take advantage of the repair mode and wait for it to attempt the repair (this takes several minutes). Once done, click view report details and click on the link down below that ends in a .txt. This will open the report in text editor.

 

Step 3. Use the open feature of text editor to navigate to Windows/system32 directory and rename sethc to something random. Now make a copy of cmd.exe and rename this copy to sethc.

We have now renamed a copy of command prompt and associated it with the sticky keys functionality.

Step 4. We boot into Windows again and arrive at the login screen. At this point, we press sticky keys 5 times to active the sticky keys functionality, which will now fire up the command prompt.

Step 5. We now take advantage of the command prompt to execute the following commands to reset the password

net user
net user <USERNAME> *

We have now successfully changed the password and can now use this password to login.

[Video] CascadiaJS 2018 - Raiders of the Javascript-based Ransomware - Pranshu Bajpai

Written by Pranshu Bajpai | Join me on Google+ | LinkedIn

The talk below details Javascript-based malware threats that we have observed in the wild. Traditionally, malware is developed in languages such as C and C++, and so studying Javascript-based malware threats has been an interesting exercise for us.

In this CascadiaJS talk, I share intricacies of the RAA ransomware, the first ransomware written entirely in Javascript, and Cryptojacking attacks. CascadiaJS was a great venue to share this analysis since it brings together Javascript experts and enthusiasts. Please watch the talk embedded below.

[Video] ToorCon XX - Ransomware versus Cryptojacking - Pranshu Bajpai

Written by Pranshu Bajpai | Join me on Google+ | LinkedIn

I recently spoke at ToorCon XX about the dangers of modern ransomware and cryptojacking attacks. These are the top malware threats in 2018 and as part of the Security Research Group at MSU, I was closely following the threat patterns. The video for the talk has now been released by ToorCon, and the video and talk abstract are provided below.

Ransomware and cryptojacking have been recognized as the top malware threats in 2018. Financially motivated cybercriminals are attracted to both since both remain viable means of generating illicit income. In this talk, we delve deep into the latest characteristics observed in ransomware and cryptojacking attacks. Modern ransomware go beyond mere data encryption and come bundled with other threats, while cryptojacking attacks exploit unsuspecting web users by deploying embedded JavaScript miners concealed in websites. We discuss the intricate characteristics of sophisticated modern ransomware variants, cryptojacking attacks, and the results of our web crawl identifying websites involved in cryptojacking. Finally, we compare ransomware and cryptojacking in terms of their potential to generate illicit income for cybercriminals versus the levels of sophistication required to implement their respective campaigns.

Modern malware present multi-faceted threats that leverage a variety of attack vectors. Leading the malware threatscape in 2018 are ransomware and cryptojacking attacks, and the more evolved variants are now implementing targeted attacks against organizations (e.g. SamSam). These modern ransomware include a hybrid cryptosystem that uses a combination of symmetric and asymmetric cryptography. In recent practice, ransomware are going beyond mere data encryption and come bundled with other threats. We present real-world cases of ransomware where we observed these cryptoviral extortions drop trojan horses (e.g. RAA dropping pony) and cryptominers (e.g. BlackRuby). Our research shows that these secondary infections remain active on host even after the ransom is paid. During this talk, we will also discuss how elliptic curve cryptography (ECIES) is deployed in modern ransomware (e.g. Petya and PetrWrap) and the tactical advantages it provides (over RSA) to ransomware operators. We will show how many ransomware variants purge shadow copies (via vssadmin), encrypt network backups (using WNetAddConnection2), and use the latest anti-virus circumvention techniques such as “process doppelganging” (e.g. SynAck ransomware). In addition, we will discuss the results of our preliminary web crawl that identified cryptojacking scripts embedded across a variety of websites. We will discuss just how cryptojacking works, why it is rampantly spreading, how it effects organizations and individuals and how to effectively protect an organization and its employees against it.

In conclusion, we will discuss the future of the most potent ransomware and cryptojacking malware as predicted via analysis of real-world malware samples observed lately in the wild. We will also explore new attack vectors (besides phishing) deployed by these malware such as exploiting critical vulnerabilities (e.g. the infamous EternalBlue) or brute forcing remote services (e.g. RDP or SSH). All arguments presented during the talk will be backed by empirical evidence in form of system snapshots, code snippets, and network packet dumps as collected from real-world malware.

[Video] Crypto Gone Rogue: A Tale of Ransomware, Key Management, and CryptoAPI - GrrCon 2018

Written by Pranshu Bajpai | Join me on Google+ | LinkedIn


I recently spoke at GrrCon 2018 about how ransomware actually implement key management models by abusing the resident CryptoAPI on host systems. This 25 minute talk goes deep into explaining what the CryptoAPI entails on a Windows system, what DLLs the ransomware imports, what functions from these DLLs are used by the ransomware, and how Cryptographic Service Providers (CSPs) come into the picture.

This talk also demonstrates the concepts by taking the example of the infamous "NotPetya" ransomware. We reverse engineer the NotPeya malware in IDA disassembler and discuss the cryptographic functions being imported from DLLs on Windows.

 Ransomware such as WannaCry and Petya have been heavily focused upon in the news but are their cryptographic models different from predecessors? Key management is crucial to these cryptoviral extortions and for convenience, they harness the power of resident Crypto APIs available on host. Simply stated, they command victim’s resources to lock victim’s resources. In this talk, we examine popular key management models deployed in infamous cryptovirii with the ultimate objective of providing a deeper comprehension of exactly how resident APIs are being used against users. On a Windows host, CryptoAPI (CAPI) provides cryptographic services to applications. CSPs are sets of DLLs that are associated with CAPI implementing cryptographic functions such as CryptAcquireContext, CryptGenKey, CryptEncrypt, CryptImportKey, CryptExportKey, CryptDestroyKey. In Windows Vista and later, CNG replaces CAPI and the ransomware menace persists. We explain cryptographic functions exploited by several ransomware families and explore answers to crucial questions such as how and where the encryption key is generated, where it is stored, how it is protected while encrypting user data, and how it is securely purged. We provide graphical representations combined with pseudo-codes embodying real-world Crypto API function calls pertaining to key management in ransomware. This talk delves deep into key management in present-day ransomware and is a direct result of real-world case studies of highly virulent infections. Dissections will be shown to back up the arguments.

You can watch the video here: