A Study on Decryption of Files Infected by Ragnar Locker Ransomware through Key Reuse Attack and Its Applications
Kang, Soojin (Kookmin University)
Lee, Sehoon (Kookmin University)
Kim, Soram (Kookmin University)
Kim, Daeun (Korea Internet & Security Agency)
Kim, Kimoon (Korea Internet & Security Agency)
Kim, Jongsung (Kookmin University)
1 | Securityweek, "Netherlands University Pays $240,000 After Targeted Ransomware Attack", https://www.securityweek.com/netherlands-university-pays-240000-after-targeted-ransomware-attack, Feb. 2020. |
2 | ZDNet, "Ransomware gang publishes tens of GBs of internal data from LG and Xerox", https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/, Aug. 2020. |
3 | Rupprecht, David, et al. "Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE." 29th USENIX Security Symposium (USENIX Security 20), pp. 73-88, Aug. 2020. |
4 | Sehoon Lee, Byungchul Youn, Soram Kim, Giyoon Kim, Yeongju Lee, Daeun Kim, Haeryong Park, Jongsung Kim, "A Study on Encryption Process and Decryption of Ransomware in 2019", Journal of The Korea Institute of Information Security & Cryptology, 29(6), pp. 1339-1350, Dec. 2019. |
5 | Bernstein, Daniel J. "Salsa20 specification." eSTREAM Project algorithm description, http://www.ecrypt.eu.org/stream/salsa20pf.html, 2005. |
6 | Bajpai, Pranshu, Aditya K. Sood, and Richard Enbody. "A key-management-based taxonomy for ransomware." 2018 APWG Symposium on Electronic Crime Research (eCrime). IEEE, pp. 1-12, May. 2018. |
7 | AhnLab, "2019 ransomware trends", https://asec.ahnlab.com/1241, Jul. 2019. |
8 | Binary Defense, "Travel Company CWT Pays $4.5 Million USD Ransom to Ragnar Locker Operators", https://www.binarydefense.com/threat_watch/travel-company-cwt-pays-4-5-million-usd-ransom-to-ragnar-locker-operators/, Aug. 2020. |
9 | PortandTerminal, "CMA CGM up and running again following ransomware attack", https://www.portandterminal.com/cma-cgm-up-and-running-again-following-ransomware-attack/, Sep. 2020. |
10 | Bleeping Computer, "Campari hit by Ragnar Locker Ransomware, $15 million demanded", https://www.bleepingcomputer.com/news/security/campari-hit-by-ragnar-locker-ransomware-15-million-demanded/, Nov. 2020. |
11 | Bleeping Computer, "Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen", https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/, Nov. 2020. |
12 | Microsoft Docs, "CryptGenRandom function (wincrypt.h)", https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandom, Dec. 2020. |
13 | Jinseong Park, Seunghee Seo, Yeog Kim, Changhoon Lee, "A Study of the Decryption Method of LockMyPix's Media Files for Forensic Analysis", Journal of Digital Forensics, 14(3), pp. 269-278, Sep. 2020. |
14 | Jinseong Park, Seunghee Seo, Byoungjin Seok, Changhoon Lee, "A Research on App Data Decryption Using Encryption Key Reuse Vulnerability in Digital Forensic Perspective", CISC-W'20, pp. 185-188, Nov. 2020. |
15 | Microsoft Docs, "ExitProcess function (processthreadsapi.h)", https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-exitprocess, Dec. 2020. |
16 | Gonzalez, Daniel, and Thaier Hayajneh. "Detection and prevention of cryptoransomware." 2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON), pp. 472-478, Oct. 2017. |
17 | Jung, S., Won, Y. "Ransomware detection method based on context-aware entropy analysis", Soft Computing, 22(20), pp. 6731-6740, 2018. |
18 | Scaife, Nolen, et al. "Cryptolock (and drop it): stopping ransomware attacks on user data." 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), pp. 303-312, Jun. 2016. |
19 | Suhyeon Lee et al., "Ransomware protection using the moving target defense perspective," Computers & Electrical Engineering, Volume 78, pp. 288-299, Sep. 2019. |
20 | K. Cabaj and W. Mazurczyk, "Using Software-Defined Networking for Ransomware Mitigation: The Case of CryptoWall," in IEEE Network, vol. 30, no. 6, pp. 14-20, Nov. 2016. |
21 | Kim, Donghyeon, and Kangseok Kim. "DGA-DNS Similarity Analysis and APT Attack Detection Using N-gram." Journal of the Korea Institute of Information Security & Cryptology 28(5), pp. 1141-1151, Oct. 2018. |
22 | Sehoon Lee, Soram Kim, Giyoon Kim, Daeun Kim, Haeryong Park, Joungsung Kim, "A Study on the Decryption of Donut Ransomware through Memory Analysis", Journal of Digital Forensics, 13(1), pp. 13-22, Mar. 2019. |
23 | K. Lee, S. Lee and K. Yim, "Machine Learning Based File Entropy Analysis for Ransomware Detection in Backup Systems," in IEEE Access, vol. 7, pp. 110205-110215, Jul. 2019. |
24 | Tech Target, "Ragnar Locker ransomware attack hides inside virtual machine", https://searchsecurity.techtarget.com/news/252483581/Ragnar-Locker-ransomware-attackhides-inside-virtual-machine, May. 2020. |
25 | ZDNet, "Energy company EDP confirms cyberattack, Ragnar Locker ransomware blamed", https://www.zdnet.com/article/edp-energy-confirms-cyberattack-ragnarlocker-ransomware-blamed/, Jul. 2020. |
26 | Continella, Andrea, et al. "ShieldFS: a self-healing, ransomware-aware filesystem." Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 336-347, Dec. 2016. |
27 | SecureWorld, "Special Security Advisory: 'Ryuk Ransomware Targeting Organizations Globally'", https://www.secureworldexpo.com/industry-news/how-ryuk-ransomware-works, Sep. 2019. |