Intercepting entropy: hooking PRNG to recover ransomware encryption keys

Presented at the VB2025 conference in Berlin, 24 - 26 September 2025.

↓ Slides: https://www.virusbulletin.com/uploads...
↓ Paper: https://www.virusbulletin.com/uploads...
→ Details: https://www.virusbulletin.com/confere...

✪ PRESENTED BY ✪
• Raviv Rachmiel (Draastic)

✪ ABSTRACT ✪
Modern ransomware combines strong cryptography with pseudo-random number generation (PRNG). It works by generating a unique key to encrypt each file, releasing them back to the victim after the ransom is paid. We suggest a novel approach for stopping these attacks by "hooking" PRNG operations, allowing us to securely store seeds aside and uncover the keys.

A proactive technique of "hooking" seed generation operations to safeguard the properties necessary for symmetric key restoration can neutralize the advantage of ransomware using strong encryption: defenders and analysts can retrieve encryption keys on the fly to decrypt ransomware-locked files without the attacker's help, or to decode configuration data and network traffic.

We draw inspiration from successful strategies and previous work such as the ShieldFS project, which implemented a filesystem-level ransomware interception POC using COW methods, and extend these ideas into the realm of PRNG seed hooking. The talk will outline the design of our tool – capable of monitoring and hooking pseudo-random number generation across the Windows OS – and demonstrate its effectiveness through a case study.

At the end, attendees will grasp not only the concept of PRNG seed interception but also practical reverse engineering skills to decrypt ransomware encryption protocols. This approach, conceptual and high-level at present, paves the way for innovative defensive products and forensic techniques that turn ransomware's randomness against it, offering a new layer of resilience against ransomware and other seed-dependent threats.
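The principle behind seed interception, as an added sketch that is not code from the talk, the paper or the tool it describes: Python's `random.Random.seed` stands in for the Windows PRNG operations the abstract mentions, the hook records the seed, and the defender rebuilds the key sequence from that record alone. The names `run_with_seed_hook`, `observed_process` and `replay_keys` are hypothetical, and the one-key-per-file schedule is constructed for illustration.

```python
import os
import random

def run_with_seed_hook(workload):
    """Run workload() with random.Random.seed wrapped; return (result, captured seeds)."""
    captured = []
    original_seed = random.Random.seed

    def hooked_seed(self, a=None, version=2):
        # An implicit seed (a=None) would come from OS entropy and never be
        # visible, so the hook chooses the value itself and passes it on explicitly.
        if a is None:
            a = int.from_bytes(os.urandom(16), "big")
        captured.append(a)  # escrow the seed before the generator uses it
        return original_seed(self, a, version)

    random.Random.seed = hooked_seed
    try:
        result = workload()
    finally:
        random.Random.seed = original_seed  # always remove the hook
    return result, captured

def observed_process(file_count=3):
    """Constructed stand-in for a monitored process: one 128-bit key per file."""
    rng = random.Random()  # seeds itself; the caller never sees the value
    return [rng.getrandbits(128).to_bytes(16, "big") for _ in range(file_count)]

def replay_keys(seed, file_count):
    """Defender side: rebuild the key sequence from an escrowed seed alone."""
    rng = random.Random(seed)
    # Draw order matters: the i-th key must be replayed as the i-th draw.
    return [rng.getrandbits(128).to_bytes(16, "big") for _ in range(file_count)]

if __name__ == "__main__":
    keys, seeds = run_with_seed_hook(observed_process)
    assert replay_keys(seeds[0], len(keys)) == keys
    print("captured seed:", hex(seeds[0]))
    print("recovered", len(keys), "keys from the escrowed seed")
```

Recovery here depends on the generator being deterministic given its seed and on replaying the draws in the same order.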