RansomClave ransomware uses Intel SGX to store encryption keys


A team of researchers at the University of London has built RansomClave, a proof-of-concept ransomware that stores and shields its encryption keys inside hardware-isolated Intel SGX enclaves.


“The life cycle of a typical ransomware attack goes through four main phases: installation, creation of a unique public/private encryption key pair, encryption (using symmetric keys), and ransom/private key release. For the operation to be successful, the private key generated in the second phase must be securely stored and released only at the end of the last phase, after the victim pays the ransom,” the researchers explained.


Today, many ransomware families generate and hold their encryption keys in ordinary, untrusted process memory. Once encryption finishes the keys are wiped, and whatever remains is lost on reboot. Occasionally a victim gets lucky: if an incident response team captures memory before the keys are overwritten, it can carve them out of the dump and recover the encrypted files.


The London team set out to determine whether ransomware could protect its keys during an attack by using a Trusted Execution Environment (TEE), a hardware feature more commonly deployed to protect workloads in the cloud.


A TEE (on Intel CPUs, an SGX enclave) is a hardware-isolated execution region: an application, including ransomware, can load code and data into it, and neither other processes nor the operating system itself can read the enclave's memory.


During the research, the team built RansomClave, a proof-of-concept that keeps the encryption keys inside an Intel SGX enclave so they never appear in memory the OS can read. The enclave can also automate the transaction: it releases the keys and decrypts the files on the infected host only once it is satisfied that the required amount has been paid to the correct cryptocurrency address.


The researchers have no doubt that techniques like RansomClave's will be of interest to ransomware groups, and for that reason they do not intend to release the source code.
