WO2021098968A1 - Device and method for ransomware decryption - Google Patents

Device and method for ransomware decryption

Info

Publication number
WO2021098968A1
Authority
WO
WIPO (PCT)
Prior art keywords
ransomware
encrypted
decryption
backup image
files
Application number
PCT/EP2019/082185
Other languages
French (fr)
Inventor
Aviv Kuvent
Assaf Natanzon
Yaron MOR
Asaf Yeger
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Priority application: PCT/EP2019/082185 (published as WO2021098968A1)
Related application: CN201980086619.XA (published as CN113228016A)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/565 Static detection by checking file integrity
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Definitions

  • the present disclosure relates to a data decryption method, in particular, to an automatic decryption method after a ransomware attack.
  • the disclosure provides, to this end, a device for ransomware decryption and a corresponding method, and a system for ransomware decryption comprising the device.
  • Ransom malware, or ransomware, is a type of malware that prevents users from accessing their data (usually by encrypting the data), and then demands a ransom payment from the users in order to regain access (decrypt the encrypted data).
  • ransomware has become more prevalent.
  • Various cyber security companies, e.g., Kaspersky, Avast, Emsisoft, offer decryption tools, also named decryptors, e.g., Rannoh Decryptor from Kaspersky.
  • ransomware decryptors require the users to manually operate the decryptors, including to identify the ransomware, to choose a decryptor, and to install and run it. Furthermore, for more advanced variations of ransomware, the decryptors may impose limitations, such as requiring a pair of files, in particular one non-encrypted file and one encrypted version of the same file. An additional limitation might be that the size of the file provided to the decryptor has to be maximized, since some decryptors can only decrypt files less than or equal to the size of the provided file in a given pair of files.
  • the backup application may continue to back up user data including data encrypted by the ransomware, thereby resulting in unusable backups of the system and a loss of data.
  • the existing solutions require the users to use an existing database to identify a ransomware, to locate appropriate decryption tools for it, to manually install and run the decryption tool, and to manually verify the correctness of the decryption.
  • Some data protection systems monitor the protected environments and alert the user when they suspect that the environment is under attack by a ransomware. However, such systems do not provide a solution for the case where the ransomware has already managed to encrypt a part of the environment prior to the detection. Other data protection systems may recover older versions of encrypted files. However, for such systems, any new data which has been created after the latest pre-ransomware backup will be lost.
  • the embodiments of the present disclosure aim to provide an improved ransomware decryption method.
  • An objective is to provide an automatic process of ransomware decryption, which neither requires a user to manually select and install a decryption tool, nor to select an input for the decryption tool.
  • One aim is to perform the decryption based on a lineage created by a backup system.
  • a first aspect of the disclosure provides a device for ransomware decryption, wherein the device is configured to: obtain a first backup image of user data at a first time point, T1, and a second backup image of the user data at a second time point, T2, wherein T2 is later than T1; detect, whether one or more files of the user data were encrypted by a ransomware between the time point T1 and the time point T2; and decrypt one or more files determined encrypted by the ransomware, using the first backup image and the second backup image.
  • a lineage-based decryption method is provided, which relies on the existence of a history for some of the encrypted files.
  • the device of the first aspect does not require a user to manually select and install a decryption tool, nor does it require the user to select an input for the decryption tool.
  • an improved ransomware decryption device is provided.
  • the device is configured to: analyze the first backup image and the second backup image; and determine that a file was encrypted by the ransomware between the time point T1 and the time point T2, if the file is not encrypted in the first backup image but is encrypted in the second backup image.
  • a check may be performed, e.g., automatically, to detect ransomware.
  • ransomware can be detected via extensions of files, location of some “ransom instruction” files, which the ransomware creates, or based on changes since the previous backup was performed.
  • the device is configured to: identify the ransomware; obtain and install a first decryption tool that is relevant to the ransomware; and decrypt the one or more files determined encrypted by the ransomware using the installed first decryption tool.
  • the ransomware may be identified either by using an existing tool, or by developing a dedicated tool for ransomware identification. Accordingly, a corresponding decryption tool will be selected, e.g. automatically, for that ransomware, which provides better decryption efficiency.
  • the device is configured to: maintain a database mapping a plurality of ransomwares to a plurality of decryption tools, wherein each decryption tool is relevant to a ransomware.
  • a database which contains a mapping of various ransomwares to relevant decryption tools, can be consulted for selecting the decryption tool.
  • This database may be maintained and/or continually updated by the device.
  • an external (existing) ransomware database, e.g., from some cyber security companies, can also be used.
  • the device is configured to: select a first file from the one or more files determined encrypted by the ransomware; obtain a non-encrypted version and an encrypted version of the first file from the first backup image and the second backup image, respectively; and generate one or more encrypting keys based on the non-encrypted version and the encrypted version of the first file.
  • if the decryption tool requires one or more files in order to perform the decryption, the one or more files may be automatically selected.
  • the decryption tool may require a pair of files, i.e., before and after the encryption. In some other cases, perhaps only an encrypted file is required.
  • the device is configured to: decrypt the one or more files determined encrypted by the ransomware based on the one or more generated encrypting keys.
  • the device is configured to: select, as the first file, a file according to a determined selection criterion among the one or more files determined encrypted by the ransomware.
  • the determined selection criterion may refer to selecting a file optimal for use with the installed decryption tool. For instance, for some of the decryption tools, the larger the file, the more of the other encrypted files can be decrypted. In such a case, the largest file among the files determined encrypted may be selected as the first file.
  • the device is configured to: validate a correctness of a decryption of the one or more files determined encrypted by the ransomware, using the first backup image and the second backup image.
  • one decryption tool may in some cases not decrypt all encrypted files, or the encrypted files may not be decrypted entirely correctly by that decryption tool.
  • the device may thus perform an automatic validation process, to check a correctness of the decryption process.
  • the device is configured to: validate the correctness of a decryption of the one or more files determined encrypted by the ransomware, by comparing the non-encrypted versions of the one or more files in the first backup image to the respective decrypted versions of the one or more files obtained after decrypting the files determined encrypted.
  • That is, an original file, i.e., the non-encrypted version of that file, is compared with the decrypted version of that file, i.e., the file obtained after the decrypting.
  • the device is configured to: obtain and install a second decryption tool that is relevant to the ransomware; and decrypt the files determined encrypted by the ransomware with the installed second decryption tool.
  • there may be more than one decryption tool that can be relevant to one specific ransomware.
  • another decryption tool may thus be automatically installed, and may run on the device, to ensure a maximal number of successfully decrypted files.
  • after decrypting the files determined encrypted by the ransomware, the device is configured to: store the second backup image including the decrypted versions of the one or more files determined encrypted by the ransomware; or store the second backup image including the encrypted versions of the one or more files determined encrypted, and additionally store the decrypted versions of the one or more files determined encrypted by the ransomware.
  • the encrypted version of the backup image may be stored and used to save data in future incremental backups; and the decrypted version can be used for future restore.
  • the device is a virtual machine (VM) of a host.
  • a VM may be created, and the backup images may be attached to the VM as a volume.
  • the decryption tool can be installed and run on the VM for decrypting.
  • the functions described may be implemented in hardware, software, firmware, or any combination thereof.
  • a second aspect of the disclosure provides a system for ransomware decryption, comprising a device according to the first aspect and its respective implementation forms, a production device which is accessible by a user and comprising user data, and a backup device comprising backup images of the user data.
  • the whole system comprises three kinds of apparatuses, which may be implemented as follows: the production device which performs normal operation (named as production system in implementation); the backup device which is used to back up the data in the production device (also named as backup system in implementation); and a computing device (node) according to the first aspect and its respective implementation forms, that can be accessed by the administrator of the whole system, and is used to decrypt the encrypted files which suffered from the ransomware.
  • an implementation form of the system comprises the feature(s) of the corresponding implementation form of the device.
  • a third aspect of the disclosure provides a method for ransomware decryption, the method comprising: obtaining a first backup image at a first time point, T1, and a second backup image at a second time point, T2, wherein T2 is later than T1; detecting, whether one or more files are encrypted by a ransomware between the time point T1 and the time point T2; and decrypting the files determined encrypted by the ransomware, using the first backup image and the second backup image.
  • an implementation form of the method comprises the feature(s) of the corresponding implementation form of the device.
  • the method of the third aspect and its implementation forms provide the same advantages and effects as described above for the device of the first aspect and its respective implementation forms.
  • a fourth aspect of the disclosure provides a computer program product comprising a program code for carrying out, when implemented on a processor, the method according to the third aspect and its implementation forms.
  • a fifth aspect of the disclosure provides a computer readable storage medium comprising computer program code instructions, being executable by a computer, for performing a method according to the third aspect and its implementation forms when the computer program code instructions run on a computer.
  • the computer readable storage medium comprises one or more of the group: ROM (Read-Only Memory), PROM (Programmable ROM), EPROM (Erasable PROM), Flash memory, EEPROM (Electrically EPROM) and hard disk drive.
  • a sixth aspect of the disclosure provides a device for ransomware decryption that includes a processor and a memory.
  • the memory stores instructions that cause the processor to perform the method according to the third aspect and its implementation forms.
  • the computer program product according to the fourth aspect, the computer readable storage medium according to the fifth aspect, and the device for ransomware decryption according to the sixth aspect can be extended into implementation forms corresponding to the implementation forms of the device according to the first aspect.
  • an implementation form of the computer program product, the computer readable storage medium, and the device for ransomware decryption respectively comprises the feature(s) of the corresponding implementation form of the device of the first aspect.
  • the computer program product according to the fourth aspect, the computer readable storage medium according to the fifth aspect, and the device for ransomware decryption according to the sixth aspect and their implementation forms provide the same advantages and effects as described above for the device of the first aspect and its respective implementation forms.
  • FIG. 1 shows a device for ransomware decryption according to an embodiment of the present disclosure.
  • FIG. 2 shows a system comprising the device according to an embodiment of the present disclosure.
  • FIG. 3 shows a decryption flow according to an embodiment of the present disclosure.
  • FIG. 4 shows a method according to an embodiment of the present disclosure.
  • an embodiment/example may refer to other embodiments/examples.
  • any description, including but not limited to terminology, element, process, explanation and/or technical advantage mentioned in one embodiment/example, applies to the other embodiments/examples.
  • FIG. 1 shows a device 100 according to an embodiment of the disclosure.
  • the device 100 may comprise processing circuitry (not shown) configured to perform, conduct or initiate the various operations of the device 100 described herein.
  • the processing circuitry may comprise hardware and software.
  • the hardware may comprise analog circuitry or digital circuitry, or both analog and digital circuitry.
  • the digital circuitry may comprise components such as application-specific integrated circuits (ASICs), field-programmable arrays (FPGAs), digital signal processors (DSPs), or multi-purpose processors.
  • the processing circuitry comprises one or more processors and a non-transitory memory connected to the one or more processors.
  • the non-transitory memory may carry executable program code which, when executed by the one or more processors, causes the device 100 to perform, conduct or initiate the operations or methods described herein.
  • the device 100 is adapted for ransomware decryption.
  • the device 100 is configured to obtain a first backup image 101 of user data at a first time point, T1, and a second backup image 102 of the user data at a second time point, T2, wherein T2 is later than T1.
  • the device 100 is further configured to detect, whether one or more files of the user data were encrypted by a ransomware between the time point T1 and the time point T2. Accordingly, the device 100 is configured to decrypt one or more files determined encrypted by the ransomware, using the first backup image 101 and the second backup image 102.
  • the embodiments of this disclosure are based on the proposal to rely on the properties of a backup system to provide automatic offline decryption of ransomware.
  • a production system (or production device) holds the user data and performs normal operation; the backup system is used to back up the data in the production system.
  • Such decryption process defined by the embodiments of the present disclosure may be considered as an automatic offline decryption process.
  • offline means that the decryption process is not a part of the backup flow.
  • the device 100 begins the decryption process after the backup is complete, at which point the production environment is no longer involved.
  • a backup is performed on a user system (production system) at time T1, resulting in the first backup image 101.
  • the user further writes additional data to some of the files in the system.
  • a ransomware attack occurs, and encrypts some of the files in the user system.
  • a further backup is performed on the user system at time T2, thus resulting in the second backup image 102.
  • the second backup image 102 may comprise one or more files being encrypted by the ransomware.
  • the device 100 may be configured to analyze the first backup image 101 and the second backup image 102. Then the device 100 is further configured to determine that a file was encrypted by the ransomware between the time point T1 and the time point T2, if the file is not encrypted in the first backup image but is encrypted in the second backup image.
  • the device 100 automatically performs a check to detect ransomware.
  • the ransomware may be detected via extensions of files.
  • a normal Word file has an extension of .doc or .docx.
  • Some ransomware, after encrypting a file, will change its extension to something else, e.g., .doc.crypt or .docx.crypt, to indicate to the user that this file has been encrypted.
  • the device 100 may notify the user that the user system is attacked by a ransomware. Namely, the device 100 may alert the user and thus prevent the user from further writing new data to the system.
  • the device 100 may be configured to identify the ransomware.
  • the device 100 may be further configured to obtain and install a first decryption tool that is relevant to the ransomware.
  • the device 100 may be configured to decrypt the one or more files determined encrypted by the ransomware using the installed first decryption tool.
  • the ransomware is identified by using an existing tool for identifying ransomware, e.g., obtained from a cyber-security company, which is not specifically limited by this embodiment.
  • the ransomware may also be identified by using a dedicated ransomware identification tool that is integrated into the device 100. After the ransomware is identified, a corresponding decryption tool will be selected for that ransomware. Possibly, a relevant decryption tool may be selected through querying or consulting a database that contains a mapping of various ransomwares to their relevant decryption tools.
  • the device 100 may completely rely on external existing ransomware databases, i.e., access such databases provided by cyber-security companies to obtain the relevant decryption tool.
  • This embodiment does not limit the type of database that is used by the device 100 to obtain the relevant decryption tool.
  • the device 100 may maintain its own database. Notably, this database may be continually updated by the device 100.
  • the device 100 may be configured to maintain a database mapping a plurality of ransomwares to a plurality of decryption tools, wherein each decryption tool is relevant to a ransomware.
  • the device 100 may be configured to select a first file from the one or more files determined encrypted by the ransomware.
  • the device 100 is further configured to obtain a non-encrypted version and an encrypted version of the first file from the first backup image 101 and the second backup image 102, respectively.
  • the device 100 may be configured to generate one or more encrypting keys based on the non-encrypted version and the encrypted version of the first file.
  • if the decryption tool requires one or more files in order to perform the decryption, the one or more files may be automatically selected.
  • the decryption tool may require a pair of files, i.e., before and after the encryption.
  • the pair of files may be used to deduce the encryption key, and then the encryption key can be used to decrypt other files. In some other cases, perhaps only an encrypted file is required. It should be noted that, according to embodiments of the present disclosure, the procedure of selecting the files (for the decryption) proceeds automatically in the device 100. There is no need for the user to manually select a file or a pair of files.
  • the device 100 may be configured to decrypt the one or more files determined encrypted by the ransomware based on the one or more generated encrypting keys.
  • a conventional decryption procedure using encrypting keys may be used herein.
  • the device 100 may be configured to select, as the first file, a file according to a determined selection criterion among the one or more files determined encrypted by the ransomware.
  • the determined selection criterion may refer to selecting a file optimal for use with the installed decryption tool. For instance, for some of the decryption tools, the larger the file, the more of the other encrypted files can be decrypted. In such a case, the largest file among the files determined encrypted may be selected as the first file.
  • the device 100 may be configured to: validate a correctness of a decryption of the one or more files determined encrypted by the ransomware, using the first backup image and the second backup image.
  • one decryption tool may not be able to decrypt all encrypted files, or the encrypted files may not be correctly decrypted by that decryption tool.
  • the device 100 may perform an automatic validation process, to check a correctness of the decryption process.
  • the device 100 may be configured to validate the correctness of a decryption of the one or more files determined encrypted by the ransomware, by comparing the non-encrypted versions of the one or more files in the first backup image to the respective decrypted versions of the one or more files obtained after decrypting the files determined encrypted.
  • the correctness of the decryption may be validated by using information gained from previous generations of a file (for example, if it is known that this file doesn’t change often). In case many changes are found between the decrypted file in the second backup image 102 and its previous version in the first backup image 101, it may be assumed with high probability that this decryption tool didn’t decrypt it correctly.
  • the correctness of the decryption may also be validated by attempting to use the relevant files in the context of some applications (for example, attempting to access an Oracle DB stored in an Oracle file which was encrypted). In such case, another decryption tool may be needed.
  • the device 100 may be further configured to obtain and install a second decryption tool that is relevant to the ransomware. Accordingly, the device 100 may be further configured to decrypt the files determined encrypted by the ransomware with the installed second decryption tool.
  • there may be more than one decryption tool that can be relevant to one specific ransomware.
  • another decryption tool may be automatically installed and may run on the device 100, to ensure a maximal number of successfully decrypted files.
  • a decryption process using the second decryption tool may be similar to the decryption process using the first decryption tool. Accordingly, a correctness of the additional decryption may be validated by the device 100.
  • the device 100 may be further configured to obtain and install a third decryption tool that is relevant to the ransomware, and perform the decryption accordingly.
  • the device 100 may be configured to store the second backup image 102 including the decrypted versions of the one or more files determined encrypted by the ransomware.
  • the device 100 may be configured to store the second backup image including the encrypted versions of the one or more files determined encrypted, and additionally store the decrypted versions of the one or more files determined encrypted by the ransomware.
  • the encrypted version of the backup image, i.e., the second backup image 102 according to an embodiment of this disclosure, may be further stored.
  • One purpose of the storage of the encrypted version of the backup image is to allow for future small incremental backups (until restore to a decrypted version is performed).
  • the device 100 may be a VM of a host.
  • One possible way to implement this disclosure, particularly to access the backup system, is to create a VM.
  • the backup images from the backup system may be attached to the VM as a volume.
  • the decryption tool can be installed and run on the VM for decrypting.
  • the decryption method proposed by this disclosure is considered as a lineage-based ransomware decryption. That is, this method relies on previous generations in the backup system.
  • the device 100 may be configured to obtain a third backup image 103 of the user data at a third time point, T3, wherein T3 is later than T2.
  • the device 100 may be further configured to detect, whether one or more files of the user data were encrypted by a ransomware between the time point T2 and the time point T3. Accordingly, the device 100 is configured to decrypt one or more files determined encrypted by the ransomware, using the first backup image 101 and/or the second backup image 102, and using the third backup image 103.
  • FIG. 2 shows a system 200 according to an embodiment of the disclosure.
  • the system 200 comprises a device 100.
  • the device 100 shown in FIG. 2 may be the device 100 shown in FIG. 1.
  • same elements in all figures are labeled with the same reference signs and function likewise.
  • the system 200 comprises three kinds of apparatuses, which may be as described below: a production device 201, which can be directly accessed by the user, and comprising user data (also named as production system in implementations); a backup device 202, which is used to back up the data in the production device 201, and comprising backup images of the user data (also named as backup system in implementations); a computing device (node), which can be accessed by the administrator of the whole system, and is configured to perform a decryption operation on the encrypted files which suffered from the ransomware.
  • the computing device is the device 100 as shown in FIG. 1 or FIG. 2.
  • One or more production devices 201 are located in a production environment.
  • the backup device 202 may be a backup server.
  • FIG. 3 shows a decryption flow according to an embodiment of the present disclosure.
  • a first backup image 101 of the user data existing in a production device 201 at time point T1 is created and stored in a backup device 202.
  • after the user data is backed up at T1, a user performs further operations, e.g., writing new data into a storage of the production device 201.
  • a ransomware attacks the production device 201 and encrypts some of the files in the production device 201, before a further backup of the newly added data is created.
  • a second backup image 102 of the user data existing in the production device 201 is further created and stored in the backup device 202.
  • one or more files in the second backup image 102 are encrypted by the ransomware.
  • a device 100 performs the ransomware decryption according to aforementioned embodiments of this disclosure.
  • the device 100 as shown in FIG. 3 is particularly the device 100 as shown in FIG. 1.
  • FIG. 4 shows a method 400 for ransomware decryption according to an embodiment of present disclosure.
  • the method 400 is performed by the device 100 as shown in FIG. 1.
  • the method 400 comprises a step 401 of obtaining a first backup image 101 at a first time point, T1, and a second backup image 102 at a second time point, T2, wherein T2 is later than T1.
  • the method further comprises a step 402 of detecting whether one or more files are encrypted by a ransomware between the time point T1 and the time point T2, and a step 403 of decrypting the files determined encrypted by the ransomware, using the first backup image 101 and the second backup image 102.
  • the method 400 may further comprise actions as described in aforementioned embodiments of the device 100.
  • the present disclosure further provides a computer program product comprising a program code for carrying out, when implemented on a processor, the method 400 as shown in FIG. 4.
  • the computer program is included in a computer readable medium of a computer program product.
  • the computer readable medium may comprise essentially any memory, such as a ROM (Read-Only Memory), a PROM (Programmable Read-Only Memory), an EPROM (Erasable PROM), a Flash memory, an EEPROM (Electrically Erasable PROM), or a hard disk drive.

Abstract

The present disclosure relates to the technical field of data decryption, and in particular provides an automatic lineage-based decryption method for use after a ransomware attack. In this disclosure, a device for ransomware decryption is disclosed, and the device is configured to obtain a first backup image of user data at a first time point, T1, and a second backup image of the user data at a second time point, T2, wherein T2 is later than T1. The device is further configured to detect whether one or more files of the user data were encrypted by a ransomware between the time point T1 and the time point T2. Further, the device is configured to decrypt one or more files determined encrypted by the ransomware, using the first backup image and the second backup image.

Description

DEVICE AND METHOD FOR RANSOMWARE DECRYPTION
TECHNICAL FIELD
The present disclosure relates to a data decryption method, in particular, to an automatic decryption method after a ransomware attack. The disclosure provides, to this end, a device for ransomware decryption and a corresponding method, and a system for ransomware decryption comprising the device.
BACKGROUND
Ransom malware, or ransomware, is a type of malware that prevents users from accessing their data (usually by encrypting the data), and then demands a ransom payment from the users, in order to regain access (decrypt the encrypted data).
In recent years, ransomware has become more prevalent. There are many different variations of ransomware. Various cyber security companies (e.g., Kaspersky, Avast, Emsisoft) are continuously releasing decryption tools (also named decryptors, e.g., Rannoh Decryptor from Kaspersky) to help users decrypt their data which was infected by ever-more modern and advanced variations of ransomware.
The use of all ransomware decryptors requires the users to manually operate the decryptors, including to identify the ransomware, to choose a decryptor, and to install and run it. Furthermore, for more advanced variations of ransomware, the decryptors may impose limitations, such as that it is required to provide a pair of files, in particular one non-encrypted file and one encrypted version of the same file. Additional limitations might be that the size of the file provided to the decryptor has to be maximized, since some decryptors can only decrypt files less than or equal to the size of the provided file, in a given pair of files. In addition, it is typically up to the users to identify the optimal decryptor and the optimal pair of files, which will result in the maximal number of files decrypted, particularly since not all decryptors can achieve a decryption of 100% of the encrypted files. When ransomware infects a system which is protected by a backup application, the application may continue to back up user data including data encrypted by the ransomware, thereby resulting in unusable backups of the system and a loss of data.
The existing solutions require the users to use an existing database to identify a ransomware, to locate appropriate decryption tools for it, to manually install and run the decryption tool, and to manually verify the correctness of the decryption.
As aforementioned, since different decryption tools have different requirements to run, manually satisfying these requirements might not be simple and may result in a failure to correctly decrypt as many files as possible.
Some data protection systems monitor the protected environments and alert the user when they suspect that the environment is under attack by a ransomware. However, such systems do not provide a solution for the case where the ransomware has already managed to encrypt a part of the environment prior to the detection. Other data protection systems may recover older versions of encrypted files. However, for such systems, any new data which has been created after the latest pre-ransomware backup will be lost.
SUMMARY
In view of the above-mentioned limitations and problems, the embodiments of the present disclosure aim to provide an improved ransomware decryption method. An objective is to provide an automatic process of ransomware decryption, which neither requires a user to manually select and install a decryption tool, nor to select an input for the decryption tool. One aim is to perform the decryption based on a lineage created by a backup system.
The object is achieved by the embodiments provided in the enclosed independent claims. Advantageous implementations of the embodiments of the present disclosure are further defined in the dependent claims.
A first aspect of the disclosure provides a device for ransomware decryption, wherein the device is configured to: obtain a first backup image of user data at a first time point, T1, and a second backup image of the user data at a second time point, T2, wherein T2 is later than T1; detect whether one or more files of the user data were encrypted by a ransomware between the time point T1 and the time point T2; and decrypt one or more files determined encrypted by the ransomware, using the first backup image and the second backup image.
It is thus proposed to rely on the properties of a backup system, in order to provide automatic decryption of ransomware. In particular, a lineage-based decryption method is provided, which relies on the existence of a history for some of the encrypted files. The device of the first aspect does not require a user to manually select and install a decryption tool, nor does it require the user to select an input for the decryption tool. Thus, an improved ransomware decryption device is provided.
In an implementation form of the first aspect, the device is configured to: analyze the first backup image and the second backup image; and determine that a file was encrypted by the ransomware between the time point T1 and the time point T2, if the file is not encrypted in the first backup image but is encrypted in the second backup image.
In particular, a check may be, e.g., automatically, performed to detect ransomware. For instance, ransomware can be detected via extensions of files, location of some “ransom instruction” files, which the ransomware creates, or based on changes since the previous backup was performed.
In an implementation form of the first aspect, the device is configured to: identify the ransomware; obtain and install a first decryption tool that is relevant to the ransomware; and decrypt the one or more files determined encrypted by the ransomware using the installed first decryption tool.
The ransomware may be identified via either use of an existing tool, or development of a dedicated tool for ransomware identification. Accordingly, a corresponding decryption tool will be, e.g. automatically, selected for that ransomware, which provides better decryption efficiency.
In an implementation form of the first aspect, the device is configured to: maintain a database mapping a plurality of ransomwares to a plurality of decryption tools, wherein each decryption tool is relevant to a ransomware. Optionally, a database, which contains a mapping of various ransomwares to relevant decryption tools, can be consulted for selecting the decryption tool. This database may be maintained and/or continually updated by the device. Alternatively, an external (existing) ransomware database, e.g., from some cyber security companies, can also be used.
In an implementation form of the first aspect, the device is configured to: select a first file from the one or more files determined encrypted by the ransomware; obtain a non-encrypted version and an encrypted version of the first file from the first backup image and the second backup image, respectively; and generate one or more encrypting keys based on the non-encrypted version and the encrypted version of the first file.
Optionally, if the decryption tool requires one or more files, in order to perform the decryption, the one or more files may be automatically selected. For example, the decryption tool may require a pair of files, i.e., before and after the encryption. In some other cases, perhaps only an encrypted file is required.
In an implementation form of the first aspect, the device is configured to: decrypt the one or more files determined encrypted by the ransomware based on the one or more generated encrypting keys.
In an implementation form of the first aspect, the device is configured to: select, as the first file, a file according to a determined selection criterion among the one or more files determined encrypted by the ransomware.
It should be appreciated that the determined selection criterion may refer to selecting a file that is optimal for the installed decryption tool. For instance, for some of the decryption tools, the larger the file, the more of the other encrypted files can be decrypted. In such a case, a largest file among the files determined encrypted may be selected as the first file.
In an implementation form of the first aspect, the device is configured to: validate a correctness of a decryption of the one or more files determined encrypted by the ransomware, using the first backup image and the second backup image. Notably, one decryption tool may in some cases not perfectly decrypt all encrypted files, or the encrypted files may not be decrypted entirely correctly by that decryption tool. Optionally, the device may thus perform an automatic validation process, to check a correctness of the decryption process.
In an implementation form of the first aspect, the device is configured to: validate the correctness of a decryption of the one or more files determined encrypted by the ransomware, by comparing the non-encrypted version of the one or more files in the first backup image to the respective decrypted version of the one or more files obtained after decrypting the files determined encrypted.
Optionally, an original file, i.e., the non-encrypted version of that file, may be used for comparison with the decrypted version of that file, i.e., the file obtained after the decrypting.
In an implementation form of the first aspect, if a validation result indicates that an additional decryption is needed, the device is configured to: obtain and install a second decryption tool that is relevant to the ransomware; and decrypt the files determined encrypted by the ransomware with the installed second decryption tool.
Apparently, there may be more than one decryption tool that can be relevant to one specific ransomware. Optionally, another decryption tool may thus be automatically installed, and may run on the device, to ensure a maximal number of successfully decrypted files.
In an implementation form of the first aspect, after decrypting the file determined encrypted by the ransomware, the device is configured to: store the second backup image including the decrypted versions of the one or more files determined encrypted by the ransomware; or store the second backup image including the encrypted versions of the one or more files determined encrypted, and additionally store the decrypted versions of the one or more files determined encrypted by the ransomware.
Optionally, after the affected files are decrypted, the encrypted version of the backup image may be stored and used to save data in future incremental backups, and the decrypted version can be used for future restores. In an implementation form of the first aspect, the device is a virtual machine (VM) of a host.
For instance, a VM may be created, and the backup images may be attached to the VM as a volume. The decryption tool can be installed and run on the VM for decrypting.
In the first aspect and its implementations, the functions described may be implemented in hardware, software, firmware, or any combination thereof.
A second aspect of the disclosure provides a system for ransomware decryption, comprising a device according to the first aspect and its respective implementation forms, a production device which is accessible by a user and comprising user data, and a backup device comprising backup images of the user data.
Generally, the whole system comprises three kinds of apparatuses, which may be implemented as follows: the production device which performs normal operation (named as production system in implementation); the backup device which is used to back up the data in the production device (also named as backup system in implementation); and a computing device (node) according to the first aspect and its respective implementation forms, that can be accessed by the administrator of the whole system, and is used to decrypt the encrypted files which suffered from the ransomware.
The system according to the second aspect can be extended into implementation forms corresponding to the implementation forms of the device according to the first aspect. Hence, an implementation form of the system comprises the feature(s) of the corresponding implementation form of the device.
The system of the second aspect and its implementation forms provide the same advantages and effects as described above for the device of the first aspect and its respective implementation forms.
A third aspect of the disclosure provides a method for ransomware decryption, the method comprising: obtaining a first backup image at a first time point, T1, and a second backup image at a second time point, T2, wherein T2 is later than T1; detecting whether one or more files are encrypted by a ransomware between the time point T1 and the time point T2; and decrypting the files determined encrypted by the ransomware, using the first backup image and the second backup image.
The method according to the third aspect can be extended into implementation forms corresponding to the implementation forms of the device according to the first aspect. Hence, an implementation form of the method comprises the feature(s) of the corresponding implementation form of the device.
The method of the third aspect and its implementation forms provide the same advantages and effects as described above for the device of the first aspect and its respective implementation forms.
A fourth aspect of the disclosure provides a computer program product comprising a program code for carrying out, when implemented on a processor, the method according to the third aspect and its implementation forms.
A fifth aspect of the disclosure provides a computer readable storage medium comprising computer program code instructions, being executable by a computer, for performing a method according to the third aspect and its implementation forms when the computer program code instructions run on a computer. The computer readable storage medium comprises one or more from the group: ROM (Read-Only Memory), PROM (Programmable ROM), EPROM (Erasable PROM), Flash memory, EEPROM (Electrically EPROM) and hard disk drive.
A sixth aspect of the disclosure provides a device for ransomware decryption comprising a processor and a memory. The memory stores instructions that cause the processor to perform the method according to the third aspect and its implementation forms.
The computer program product according to the fourth aspect, the computer readable storage medium according to the fifth aspect, and the device for ransomware decryption according to the sixth aspect can be extended into implementation forms corresponding to the implementation forms of the device according to the first aspect. Hence, an implementation form of the computer program product, the computer readable storage medium, and the device for ransomware decryption respectively comprises the feature(s) of the corresponding implementation form of the device of the first aspect.
The computer program product according to the fourth aspect, the computer readable storage medium according to the fifth aspect, and the device for ransomware decryption according to the sixth aspect and their implementation forms provide the same advantages and effects as described above for the device of the first aspect and its respective implementation forms.
It has to be noted that all devices, elements, units and means described in the present application could be implemented in the software or hardware elements or any kind of combination thereof. All steps which are performed by the various entities described in the present application as well as the functionalities described to be performed by the various entities are intended to mean that the respective entity is adapted to or configured to perform the respective steps and functionalities. Even if, in the following description of specific embodiments, a specific functionality or step to be performed by external entities is not reflected in the description of a specific detailed element of that entity which performs that specific step or functionality, it should be clear for a skilled person that these methods and functionalities can be implemented in respective software or hardware elements, or any kind of combination thereof.
BRIEF DESCRIPTION OF DRAWINGS
The above described aspects and implementation forms of the present disclosure will be explained in the following description of specific embodiments in relation to the enclosed drawings, in which
FIG. 1 shows a device for ransomware decryption according to an embodiment of the present disclosure.
FIG. 2 shows a system comprising the device according to an embodiment of the present disclosure.
FIG. 3 shows a decryption flow according to an embodiment of the present disclosure.
FIG. 4 shows a method according to an embodiment of the present disclosure.
DETAILED DESCRIPTION OF EMBODIMENTS
Illustrative embodiments of method, device, and program product for ransomware decryption are described with reference to the figures. Although this description provides a detailed example of possible implementations, it should be noted that the details are intended to be exemplary and in no way limit the scope of the application.
Moreover, an embodiment/example may refer to other embodiments/examples. For example, any description including but not limited to terminology, element, process, explanation and/or technical advantage mentioned in one embodiment/example is applicable to the other embodiments/examples.
FIG. 1 shows a device 100 according to an embodiment of the disclosure. The device 100 may comprise processing circuitry (not shown) configured to perform, conduct or initiate the various operations of the device 100 described herein. The processing circuitry may comprise hardware and software. The hardware may comprise analog circuitry or digital circuitry, or both analog and digital circuitry. The digital circuitry may comprise components such as application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital signal processors (DSPs), or multi-purpose processors. In one embodiment, the processing circuitry comprises one or more processors and a non-transitory memory connected to the one or more processors. The non-transitory memory may carry executable program code which, when executed by the one or more processors, causes the device 100 to perform, conduct or initiate the operations or methods described herein.
The device 100 is adapted for ransomware decryption. In particular, the device 100 is configured to obtain a first backup image 101 of user data at a first time point, T1, and a second backup image 102 of the user data at a second time point, T2, wherein T2 is later than T1. The device 100 is further configured to detect whether one or more files of the user data were encrypted by a ransomware between the time point T1 and the time point T2. Accordingly, the device 100 is configured to decrypt one or more files determined encrypted by the ransomware, using the first backup image 101 and the second backup image 102. The embodiments of this disclosure are based on the proposal to rely on the properties of a backup system to provide automatic offline decryption of ransomware. Generally speaking, a production system, or production device, is directly accessed by users, and is used to perform normal operations, while the backup system is used to back up the data in the production system. The decryption process defined by the embodiments of the present disclosure may be considered an automatic offline decryption process. Particularly, "offline" means that the decryption process is not a part of the backup flow. In other words, the device 100 begins the decryption process after the backup is complete, at which point the production environment is no longer involved.
According to embodiments of this disclosure, a backup is performed on a user system (production system) at time T1, resulting in the first backup image 101. Possibly, the user further writes additional data to some of the files in his system. Then, a ransomware attack occurs, and encrypts some of the files in the user system. After the ransomware infection, a further backup is performed on the user system at time T2, thus resulting in the second backup image 102. Notably, the second backup image 102 may comprise one or more files encrypted by the ransomware.
Optionally, the device 100, according to an embodiment of the disclosure, may be configured to analyze the first backup image 101 and the second backup image 102. Then the device 100 is further configured to determine that a file was encrypted by the ransomware between the time point T1 and the time point T2, if the file is not encrypted in the first backup image but is encrypted in the second backup image.
Notably, the device 100 automatically performs a check to detect ransomware. In some scenarios, the ransomware may be detected via extensions of files. For example, a normal Word file has an extension of .doc or .docx. Some ransomware, after encrypting a file, will change its extension to something else, e.g., .doc.crypt or .docx.crypt, to indicate to the user that this file has been encrypted.
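The lineage-based detection step described in the summary and in the paragraph above, as an added Python example that is not part of the patent or of any Huawei implementation. Both backup images are modelled as in-memory dicts mapping a path to file contents; the ransom-note names, the extension list and the entropy threshold are assumptions for the example, and the sample files are constructed. The example also shows why the lineage matters: a file that was already high-entropy at T1 (a compressed photo) is not flagged even though it looks like ciphertext at T2.

```python
import math
from collections import Counter

# Assumed ransom-note file names and ransomware extensions; a real device
# would take these from its ransomware database rather than constants.
RANSOM_NOTE_NAMES = {"README_TO_DECRYPT.txt", "HOW_TO_RECOVER.html"}
RANSOM_EXTENSIONS = (".crypt", ".locked", ".enc")


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: close to 8.0 for ciphertext or compressed
    data, typically 4 to 6 for documents and source text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def strip_ransom_extension(path: str) -> str:
    """Map 'report.docx.crypt' back to 'report.docx' so that the T2 file can
    be matched against its T1 generation."""
    for ext in RANSOM_EXTENSIONS:
        if path.endswith(ext):
            return path[: -len(ext)]
    return path


def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    return shannon_entropy(data) >= threshold


def find_encrypted_between(image_t1: dict, image_t2: dict,
                           threshold: float = 7.0) -> list:
    """Return (original_path, path_in_t2) for every file that is NOT encrypted
    in image_t1 but IS encrypted in image_t2 (extension changed, or entropy
    jumped).  Files that were already high-entropy at T1 are left alone: the
    lineage is what keeps compressed media and archives from being flagged."""
    flagged = []
    for t2_path, t2_data in image_t2.items():
        original = strip_ransom_extension(t2_path)
        if original not in image_t1:
            continue  # new since T1: there is no lineage to compare against
        was_encrypted = looks_encrypted(image_t1[original], threshold)
        now_encrypted = (t2_path != original) or looks_encrypted(t2_data, threshold)
        if now_encrypted and not was_encrypted:
            flagged.append((original, t2_path))
    return sorted(flagged)


def ransom_notes_present(image: dict) -> list:
    """Second detection signal named in the disclosure: ransom instruction
    files dropped by the ransomware."""
    return sorted(p for p in image if p.rsplit("/", 1)[-1] in RANSOM_NOTE_NAMES)


# Constructed sample images (not data from the patent).  CIPHERTEXT stands in
# for an encrypted file; PHOTO stands in for an already high-entropy JPEG
# that must not be mistaken for a ransomware victim.
REPORT = b"Quarterly report: revenue is up, costs are flat.\n" * 40
NOTES = b"meeting notes 2019-11: discuss backup retention policy\n" * 30
PHOTO = bytes(range(256)) * 8
CIPHERTEXT = bytes(reversed(range(256))) * 6

IMAGE_T1 = {"docs/report.docx": REPORT, "docs/notes.txt": NOTES,
            "media/photo.jpg": PHOTO}
IMAGE_T2 = {"docs/report.docx.crypt": CIPHERTEXT, "docs/notes.txt": NOTES,
            "media/photo.jpg": PHOTO, "docs/README_TO_DECRYPT.txt": b"pay to decrypt"}

if __name__ == "__main__":
    print("encrypted between T1 and T2:", find_encrypted_between(IMAGE_T1, IMAGE_T2))
    print("ransom notes in T2:", ransom_notes_present(IMAGE_T2))
```

Only `docs/report.docx` is reported: `media/photo.jpg` has 8 bits per byte in both images, so by the lineage rule it was never "encrypted between T1 and T2", and the ransom note itself has no T1 generation and is surfaced separately.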
Possibly, the device 100 may notify the user that the user system is attacked by a ransomware. Namely, the device 100 may alert the user and thus prevent the user from further writing new data to the system. In particular, the device 100, according to an embodiment of the disclosure, may be configured to identify the ransomware. The device 100 may be further configured to obtain and install a first decryption tool that is relevant to the ransomware. And the device 100 may be configured to decrypt the one or more files determined encrypted by the ransomware using the installed first decryption tool.
In one example, the ransomware is identified by using an existing tool for identifying ransomware, e.g., obtained from a cyber-security company, which is not specifically limited by this embodiment. Alternatively, the ransomware may also be identified by using a dedicated ransomware identification tool that is integrated into the device 100. After the ransomware is identified, a corresponding decryption tool will be selected for that ransomware. Possibly, a relevant decryption tool may be selected through querying or consulting a database that contains a mapping of various ransomwares to their relevant decryption tools.
Optionally, the device 100 may completely rely on external existing ransomware databases, i.e., access such databases provided by cyber-security companies to obtain the relevant decryption tool. This embodiment does not limit the type of database that is used by the device 100 to obtain the relevant decryption tool. Alternatively, the device 100 may maintain its own database. Notably, this database may be continually updated by the device 100.
Accordingly, the device 100 may be configured to maintain a database mapping a plurality of ransomwares to a plurality of decryption tools, wherein each decryption tool is relevant to a ransomware.
In particular, the device 100 may be configured to select a first file from the one or more files determined encrypted by the ransomware. The device 100 is further configured to obtain a non-encrypted version and an encrypted version of the first file from the first backup image 101 and the second backup image 102, respectively. Further, the device 100 may be configured to generate one or more encrypting keys based on the non-encrypted version and the encrypted version of the first file. Optionally, if the decryption tool requires one or more files in order to perform the decryption, the one or more files may be automatically selected. For example, the decryption tool may require a pair of files, i.e., before and after the encryption. The pair of files may be used to deduce the encryption key, and then the encryption key can be used to decrypt other files. In some other cases, perhaps only an encrypted file is required. It should be noted that, according to embodiments of the present disclosure, the procedure of selecting the files (for the decryption) proceeds automatically in the device 100. There is no need for the user to manually select a file or a pair of files.
Accordingly, the device 100 may be configured to decrypt the one or more files determined encrypted by the ransomware based on the one or more generated encrypting keys. A conventional decryption procedure using encrypting keys may be used herein.
In particular, the device 100, according to an embodiment of this disclosure, may be configured to select, as the first file, a file according to a determined selection criterion among the one or more files determined encrypted by the ransomware.
It should be appreciated that the determined selection criterion may refer to selecting a file that is optimal for the installed decryption tool. For instance, for some of the decryption tools, the larger the file, the more of the other encrypted files can be decrypted. In such a case, a largest file among the files determined encrypted may be selected as the first file.
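An added Python example, not taken from the patent, that ties the pair selection criterion above to the key-generation step described two paragraphs earlier. It uses a constructed toy XOR keystream "cipher" that models no real ransomware family, chosen only because a (plaintext, ciphertext) pair from the two backup images yields the keystream directly and the recovered keystream is exactly as long as the pair file; that reproduces the limitation from the background section that such a decryptor can only handle files no larger than the pair file, and so shows why the largest file with a T1 generation is the right choice. All file names, sizes and the keystream seed are assumptions.

```python
import random


# Toy stream cipher standing in for a weak ransomware family whose keystream
# can be recovered from one (plaintext, ciphertext) pair.  Constructed for
# this example; it models no real ransomware.
def toy_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    assert len(plaintext) <= len(keystream)
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """The 'generate encrypting keys from the pair' step: for an XOR keystream
    the key bytes are plaintext XOR ciphertext, but only for as many bytes as
    the pair file provides."""
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))


def decrypt_with_keystream(ciphertext: bytes, keystream: bytes):
    """Tool limitation from the background section: a file longer than the
    recovered keystream cannot be decrypted; None signals that."""
    if len(ciphertext) > len(keystream):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def pair_candidates(image_t1: dict, encrypted: dict) -> list:
    """(original, t2_path) for encrypted files that have a T1 generation."""
    return [(orig, enc) for enc, orig in encrypted.items() if orig in image_t1]


def select_pair_file(image_t1: dict, image_t2: dict, encrypted: dict) -> tuple:
    """Selection criterion from the disclosure: the largest encrypted file
    for which a non-encrypted T1 version exists."""
    return max(pair_candidates(image_t1, encrypted),
               key=lambda pr: len(image_t2[pr[1]]))


def lineage_decrypt(image_t1: dict, image_t2: dict, encrypted: dict,
                    pair_file: tuple = None) -> dict:
    """encrypted maps t2_path -> original path (None when the file is new
    since T1).  Returns t2_path -> recovered plaintext, or None where the
    recovered keystream is too short for that file."""
    orig, enc = pair_file or select_pair_file(image_t1, image_t2, encrypted)
    keystream = recover_keystream(image_t1[orig], image_t2[enc])
    return {e: decrypt_with_keystream(image_t2[e], keystream) for e in encrypted}


# Constructed sample data (seeded so the example is reproducible).
_rng = random.Random(2019)
KEYSTREAM = bytes(_rng.getrandbits(8) for _ in range(4096))
BUDGET = b"Annual budget, line items and totals.\n" * 30   # 1140 bytes
TODO = b"todo list\n" * 50                                 # 500 bytes
LEDGER = b"Customer ledger, one row per account.\n" * 50   # 1900 bytes
MEMO = b"new memo written after T1\n" * 50                 # 1300 bytes, no T1 copy

IMAGE_T1 = {"a.xlsx": BUDGET, "b.txt": TODO, "c.csv": LEDGER}
IMAGE_T2 = {"a.xlsx.crypt": toy_encrypt(BUDGET, KEYSTREAM),
            "b.txt.crypt": toy_encrypt(TODO, KEYSTREAM),
            "c.csv.crypt": toy_encrypt(LEDGER, KEYSTREAM),
            "d.txt.crypt": toy_encrypt(MEMO, KEYSTREAM)}
ENCRYPTED = {"a.xlsx.crypt": "a.xlsx", "b.txt.crypt": "b.txt",
             "c.csv.crypt": "c.csv", "d.txt.crypt": None}

if __name__ == "__main__":
    best = lineage_decrypt(IMAGE_T1, IMAGE_T2, ENCRYPTED)
    worst = lineage_decrypt(IMAGE_T1, IMAGE_T2, ENCRYPTED,
                            pair_file=("b.txt", "b.txt.crypt"))
    print("largest pair file:", sum(v is not None for v in best.values()), "of", len(best))
    print("smallest pair file:", sum(v is not None for v in worst.values()), "of", len(worst))
```

With the largest lineage file (`c.csv`, 1900 bytes) as the pair, all four encrypted files decrypt, including `d.txt.crypt`, which has no T1 generation of its own; forcing the 500-byte `b.txt` as the pair recovers only `b.txt` and leaves the other three undecryptable, which is the failure mode the automatic selection avoids.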
Optionally, the device 100 may be configured to: validate a correctness of a decryption of the one or more files determined encrypted by the ransomware, using the first backup image and the second backup image.
Notably, one decryption tool may not be able to decrypt all encrypted files, or the encrypted files may not be correctly decrypted by that decryption tool. Optionally, the device 100 may perform an automatic validation process, to check a correctness of the decryption process.
Optionally, the device 100 may be configured to validate the correctness of a decryption of the one or more files determined encrypted by the ransomware, by comparing the non-encrypted version of the one or more files in the first backup image to the respective decrypted version of the one or more files obtained after decrypting the files determined encrypted.
After the decryption tool has finished executing, the correctness of the decryption may be validated by using information gained from previous generations of a file (for example, if it is known that this file does not change often). If many changes are found between the decrypted file in the second backup image 102 and its previous version in the first backup image 101, it may be assumed with high probability that this decryption tool did not decrypt it correctly. Optionally, the correctness of the decryption may also be validated by attempting to use the relevant files in the context of some applications (for example, attempting to access an Oracle DB stored in an Oracle file which was encrypted). In such a case, another decryption tool may be needed.
In particular, if a validation result indicates that an additional decryption is needed, the device 100 may be further configured to obtain and install a second decryption tool that is relevant to the ransomware. Accordingly, the device 100 may be further configured to decrypt the files determined encrypted by the ransomware with the installed second decryption tool.
Apparently, there may be more than one decryption tool that can be relevant to one specific ransomware. Optionally, another decryption tool may be automatically installed and may run on the device 100, to ensure a maximal number of successfully decrypted files. A decryption process using the second decryption tool may be similar to the decryption process using the first decryption tool. Accordingly, a correctness of the additional decryption may be validated by the device 100.
Possibly, if a validation result still indicates that a further decryption is needed, the device 100 may be further configured to obtain and install a third decryption tool that is relevant to the ransomware, and perform the decryption accordingly.
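The validation and fallback logic of the preceding paragraphs (comparing each decrypted file with its T1 generation, checking that the file is usable, and moving on to a second tool when validation fails), as an added Python example that is not code from the patent. The two "decryption tools" are constructed stand-ins for decryptors of two toy single-byte-XOR variants, so that a wrong tool produces plausible-looking but wrong output; the application-level check from the Oracle example is modelled by a file-signature check; the similarity threshold, the signature table and all sample files are assumptions.

```python
import difflib

# Assumed format signatures; opening the file in its application (the
# disclosure's Oracle example) is modelled here by a header check.
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".docx": b"PK\x03\x04"}


def similarity(a: bytes, b: bytes) -> float:
    """Fraction of bytes shared between two generations of a file.  autojunk
    is disabled: with it on, frequent bytes such as spaces and newlines are
    ignored and the ratio becomes meaningless for text."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def validate_decryption(candidate, previous: bytes, original_path: str,
                        max_change: float = 0.5) -> bool:
    """Lineage validation: the decrypted T2 file must still resemble its T1
    generation (a file that rarely changes should not differ wholesale), and
    any known format signature must be intact."""
    if candidate is None:
        return False
    dot = original_path.rfind(".")
    signature = MAGIC.get(original_path[dot:]) if dot >= 0 else None
    if signature is not None and not candidate.startswith(signature):
        return False
    return similarity(candidate, previous) >= 1.0 - max_change


def xor_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


# Stand-in decryption tools, in the order the (assumed) ransomware-to-tool
# database lists them.  Each models a decryptor for one toy variant.
TOOLS = {
    "decryptor-v1": lambda ciphertext: xor_byte(ciphertext, 0x5A),
    "decryptor-v2": lambda ciphertext: xor_byte(ciphertext, 0x3C),
}


def decrypt_with_fallback(image_t1: dict, image_t2: dict,
                          encrypted: dict, tools: dict):
    """Run the tools in order; a file leaves the work list only once a
    tool's output validates against its T1 generation.
    Returns (recovered, still_encrypted, tools_used)."""
    remaining = dict(encrypted)  # t2_path -> original path in image_t1
    recovered, used = {}, []
    for name, tool in tools.items():
        if not remaining:
            break
        used.append(name)
        for t2_path, original in list(remaining.items()):
            candidate = tool(image_t2[t2_path])
            if validate_decryption(candidate, image_t1[original], original):
                recovered[original] = candidate
                del remaining[t2_path]
    return recovered, remaining, used


# Constructed sample data: report.pdf and notes.txt were hit by the toy
# variant that decryptor-v2 handles; db.bin by a third key no tool knows.
REPORT_T1 = b"%PDF-1.4\n" + b"1 0 obj <</Type/Catalog>> endobj\n" * 20
NOTES_T1 = b"weekly notes\n" * 40
NOTES_T2 = NOTES_T1 + b"added line\n"     # legitimate edit between T1 and T2
DB_T1 = b"ACCT,0001,100\n" * 30

IMAGE_T1 = {"report.pdf": REPORT_T1, "notes.txt": NOTES_T1, "db.bin": DB_T1}
IMAGE_T2 = {"report.pdf.crypt": xor_byte(REPORT_T1, 0x3C),
            "notes.txt.crypt": xor_byte(NOTES_T2, 0x3C),
            "db.bin.crypt": xor_byte(DB_T1, 0x99)}
ENCRYPTED = {"report.pdf.crypt": "report.pdf", "notes.txt.crypt": "notes.txt",
             "db.bin.crypt": "db.bin"}

if __name__ == "__main__":
    recovered, left, used = decrypt_with_fallback(IMAGE_T1, IMAGE_T2, ENCRYPTED, TOOLS)
    print("recovered:", sorted(recovered), "still encrypted:", sorted(left), "tools:", used)
```

The first tool's output fails on every file (wrong PDF header, near-zero similarity to the T1 notes), so the device falls back to the second tool, which recovers the report and the notes; the notes still validate although they changed between T1 and T2, because a small appended edit leaves the similarity well above the threshold. `db.bin` stays in the work list after both tools, which is the signal for installing a third tool as described above.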
According to an embodiment of this disclosure, after decrypting the file determined encrypted by the ransomware, the device 100 may be configured to store the second backup image 102 including the decrypted versions of the one or more files determined encrypted by the ransomware. Alternatively, the device 100 may be configured to store the second backup image including the encrypted versions of the one or more files determined encrypted, and additionally store the decrypted versions of the one or more files determined encrypted by the ransomware.
Possibly, after the affected files are decrypted, the encrypted version of the backup image, i.e., the second backup image 102 according to an embodiment of this disclosure, may be further stored. One purpose of storing the encrypted version of the backup image is to allow for future small incremental backups (until a restore to a decrypted version is performed).
In a specific embodiment, the device 100 may be a VM of a host.
One possible way to implement this disclosure, particularly to access the backup system, is to create a VM. The backup images from the backup system may be attached to the VM as a volume. The decryption tool can be installed and run on the VM for decrypting.
It should be appreciated that the decryption method proposed by this disclosure is a lineage-based ransomware decryption. That is, this method relies on previous generations of the files in the backup system.
In a specific embodiment, the device 100 may be configured to obtain a third backup image 103 of user data at a third time point, T3, wherein T3 is later than T2. The device 100 may be further configured to detect whether one or more files of the user data were encrypted by a ransomware between the time point T2 and the time point T3. Accordingly, the device 100 is configured to decrypt one or more files determined encrypted by the ransomware, using the first backup image 101 and/or the second backup image 102, and using the third backup image 103.
That is, if a ransomware attacks between T2 and T3, affected files (that are encrypted by the ransomware) can be decrypted using more than one previous backup image (e.g., the first backup image 101 and the second backup image 102).
FIG. 2 shows a system 200 according to an embodiment of the disclosure. The system 200 comprises a device 100. In particular, the device 100 shown in FIG. 2 may be the device 100 shown in FIG. 1. Notably, same elements in all figures are labeled with the same reference signs and function likewise.
Generally, the system 200 comprises three kinds of apparatuses, which may be as described below:
a production device 201: which can be directly accessed by the user, and comprises user data (also named production system in implementations);
a backup device 202: which is used to back up the data in the production device 201, and comprises backup images of the user data (also named backup system in implementations);
a computing device (node): which can be accessed by the administrator of the whole system, and is configured to perform a decryption operation on the encrypted files which suffered from the ransomware.
Notably, the computing device is the device 100 as shown in FIG. 1 or FIG. 2. One or more production devices 201 are located in a production environment. The backup device 202 may be a backup server.
FIG. 3 shows a decryption flow according to an embodiment of the present disclosure. In this embodiment, a first backup image 101 of user data existing in a production device 201 at time point T1 is created and stored in a backup device 202. After the user data is backed up at T1, a user performs further operations, e.g., writing new data into a storage of the production device 201. A ransomware attacks the production device 201 and encrypts some of the files in the production device 201, before a further backup of the newly added data is created. At a subsequent time point T2, a second backup image 102 of user data existing in the production device 201 is further created and stored in the backup device 202. As can be understood, one or more files in the second backup image 102 are encrypted by the ransomware. A device 100 performs the ransomware decryption according to the aforementioned embodiments of this disclosure. The device 100 as shown in FIG. 3 is particularly the device 100 as shown in FIG. 1.
FIG. 4 shows a method 400 for ransomware decryption according to an embodiment of the present disclosure. In particular, the method 400 is performed by the device 100 as shown in FIG. 1. The method 400 comprises a step 401 of obtaining a first backup image 101 at a first time point, T1, and a second backup image 102 at a second time point, T2, wherein T2 is later than T1. The method further comprises a step 402 of detecting whether one or more files are encrypted by a ransomware between the time point T1 and the time point T2, and a step 403 of decrypting the files determined encrypted by the ransomware, using the first backup image 101 and the second backup image 102.
Notably, the method 400 may further comprise actions as described in aforementioned embodiments of the device 100.
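The following is an added worked example of the lineage-based flow of method 400 together with the validation step described above; it is not code from the patent. It assumes a constructed toy ransomware that XORs every file with one shared keystream (so that key material recovered from the selected first file, as in claim 5, also decrypts the other files), constructed file names and contents, and an entropy threshold and similarity threshold chosen for the example.

```python
import hashlib, math
from difflib import SequenceMatcher

# Constructed sample data (not from the patent). The toy "ransomware" XORs every
# file with one shared keystream; that reuse is what the recovery step relies on.
TOY_KEY = b"constructed-sample-key"

def toy_keystream(length: int, key: bytes = TOY_KEY) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

README = b"Quarterly report, unchanged since last backup.\n" * 12
NOTES = b"Meeting notes, edited daily by the team.\n" * 12
IMAGE_T1 = {"docs/readme.txt": README, "docs/notes.txt": NOTES}      # backup at T1
IMAGE_T2 = {                                                          # backup at T2
    "docs/readme.txt": xor_bytes(README, toy_keystream(len(README))),
    "docs/notes.txt": xor_bytes(NOTES + b"Extra line\n", toy_keystream(len(NOTES) + 11)),
    "docs/new.txt": b"Created after T1, never encrypted.\n",
}

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in map(data.count, set(data))) if n else 0.0

def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    return shannon_entropy(data) >= threshold    # bits per byte; ciphertext is near 8

def detect_encrypted_between(img_t1: dict, img_t2: dict) -> list:
    """Step 402 / claim 2: plaintext at T1 but high-entropy at T2 (files new after T1 have no lineage)."""
    return sorted(p for p, d in img_t2.items()
                  if p in img_t1 and not looks_encrypted(img_t1[p]) and looks_encrypted(d))

def recover_keystream(plain_t1: bytes, cipher_t2: bytes) -> bytes:
    """Claim 5: key material from the (T1 plaintext, T2 ciphertext) pair; toy XOR model only."""
    return xor_bytes(plain_t1, cipher_t2)

def validate_decryption(plain_t1: bytes, decrypted: bytes, min_ratio: float = 0.9):
    """Claim 9: many changes versus the previous generation means a probably wrong tool."""
    ratio = SequenceMatcher(None, plain_t1, decrypted, autojunk=False).ratio()
    return ratio >= min_ratio, ratio

def lineage_decrypt(img_t1: dict, img_t2: dict, first_file: str) -> dict:
    """Method 400: detect, derive keys from first_file, decrypt, validate; path -> (bytes|None, ok, ratio)."""
    keystream = recover_keystream(img_t1[first_file], img_t2[first_file])
    results = {}
    for path in detect_encrypted_between(img_t1, img_t2):
        cipher = img_t2[path]
        if len(cipher) > len(keystream):     # too little key material: another tool is needed
            results[path] = (None, False, 0.0)
            continue
        decrypted = xor_bytes(cipher, keystream)
        results[path] = (decrypted,) + validate_decryption(img_t1[path], decrypted)
    return results
```

A file that fails validation (low similarity to its T1 generation) or receives None is the case where the patent has the device obtain and install a second decryption tool.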
The present disclosure further provides a computer program product comprising a program code for carrying out, when implemented on a processor, the method 400 as shown in FIG. 4. The computer program is included in a computer readable medium of a computer program product. The computer readable medium may comprise essentially any memory, such as a ROM (Read-Only Memory), a PROM (Programmable Read-Only Memory), an EPROM (Erasable PROM), a Flash memory, an EEPROM (Electrically Erasable PROM), or a hard disk drive.
The present disclosure has been described in conjunction with various embodiments as examples as well as implementations. However, other variations can be understood and effected by those persons skilled in the art and practicing the claimed disclosure, from the studies of the drawings, this disclosure and the independent claims. In the claims as well as in the description the word “comprising” does not exclude other elements or steps and the indefinite article “a” or “an” does not exclude a plurality. A single element or other unit may fulfill the functions of several entities or items recited in the claims. The mere fact that certain measures are recited in the mutual different dependent claims does not indicate that a combination of these measures cannot be used in an advantageous implementation.

Claims

1. A device (100) for ransomware decryption, being configured to: obtain a first backup image (101) of user data at a first time point, T1, and a second backup image (102) of the user data at a second time point, T2, wherein T2 is later than T1; detect, whether one or more files of the user data were encrypted by a ransomware between the time point T1 and the time point T2; and decrypt one or more files determined encrypted by the ransomware, using the first backup image (101) and the second backup image (102).
2. The device (100) according to claim 1, configured to: analyze the first backup image (101) and the second backup image (102); and determine that a file was encrypted by the ransomware between the time point T1 and the time point T2, if the file is not encrypted in the first backup image (101) but is encrypted in the second backup image (102).
3. The device (100) according to claim 1 or 2, configured to: identify the ransomware; obtain and install a first decryption tool that is relevant to the ransomware; and decrypt the one or more files determined encrypted by the ransomware using the installed first decryption tool.
4. The device (100) according to claim 3, configured to: maintain a database mapping a plurality of ransomwares to a plurality of decryption tools, wherein each decryption tool being relevant to a ransomware.
5. The device (100) according to one of the claim 1 to 4, configured to: select a first file from the one or more files determined encrypted by the ransomware; obtain a non-encrypted version and an encrypted version of the first file from the first backup image (101) and the second backup image (102), respectively; and generate one or more encrypting keys based on the non-encrypted version and the encrypted version of the first file.
6. The device (100) according to claim 5, configured to: decrypt the one or more files determined encrypted by the ransomware based on the one or more generated encrypting keys.
7. The device (100) according to claim 5 or 6, configured to: select, as the first file, a file according to a determined selection criterion among the one or more files determined encrypted by the ransomware.
8. The device (100) according to one of the claims 1 to 7, configured to: validate a correctness of a decryption of the one or more files determined encrypted by the ransomware, using the first backup image (101) and the second backup image (102).
9. The device (100) according to one of claims 5 to 8, configured to: validate the correctness of a decryption of the one or more files determined encrypted by the ransomware, by comparing non-encrypted version of the one or more files in the first backup image (101) to respective decrypted version of the one or more files obtained after decrypting the files determined encrypted.
10. The device (100) according to claim 8 or 9, configured to: if a validation result indicates that an additional decryption is needed, obtain and install a second decryption tool that is relevant to the ransomware; and decrypt the files determined encrypted by the ransomware with the installed second decryption tool.
11. The device (100) according to one of the claims 1 to 10, configured to, after decrypting the file determined encrypted by the ransomware: store the second backup image (102) including the decrypted versions of the one or more files determined encrypted by the ransomware; or store the second backup image (102) including the encrypted versions of the one or more files determined encrypted, and additionally store the decrypted versions of the one or more files determined encrypted by the ransomware.
12. The device (100) according to one of claim 1 to 11, wherein the device (100) is a virtual machine, VM, of a host.
13. A system (200) for ransomware decryption, comprising a device (100) according to any one of the claims 1 to 12, a production device (201) which is accessible by the user and comprising user data, and a backup device (202) comprising backup images of the user data.
14. A method (400) for ransomware decryption, the method comprising: obtaining (401) a first backup image (101) at a first time point, T1, and a second backup image (102) at a second time point, T2, wherein T2 is later than T1; detecting (402), whether one or more files are encrypted by a ransomware between the time point T1 and the time point T2; and decrypting (403) the files determined encrypted by the ransomware, using the first backup image (101) and the second backup image (102).
15. A computer program product comprising a program code for carrying out, when implemented on a processor, the method according to claim 14.
Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/EP2019/082185 WO2021098968A1 (en) 2019-11-22 2019-11-22 Device and method for ransomware decryption
CN201980086619.XA CN113228016A (en) 2019-11-22 2019-11-22 Apparatus and method for ransomware decryption

Publications (1)

Publication Number Publication Date
WO2021098968A1 true WO2021098968A1 (en) 2021-05-27

Family

ID=68654499

Country Status (2)

Country Link
CN (1) CN113228016A (en)
WO (1) WO2021098968A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118427817A (en) * 2023-01-31 2024-08-02 华为技术有限公司 Method for detecting backup files and related equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180024893A1 (en) * 2016-07-25 2018-01-25 Cisco Technology, Inc. Intelligent backup system
US9990511B1 (en) * 2015-11-20 2018-06-05 Symantec Corporation Using encrypted backup to protect files from encryption attacks
US20190018961A1 (en) * 2017-07-12 2019-01-17 Acronis International Gmbh Method for decrypting data encrypted by ransomware

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ANONYMOUS: "Decrypting Chimera ransomware - Malwarebytes Labs | Malwarebytes Labs", 11 August 2016 (2016-08-11), XP055712011, Retrieved from the Internet <URL:https://blog.malwarebytes.com/cybercrime/2016/08/decrypting-chimera-ransomware/> [retrieved on 20200706] *
DANNY PALMER: "Not sure which ransomware has infected your PC? This free tool could help you find the right decryption package | ZDNet", 3 October 2017 (2017-10-03), XP055711996, Retrieved from the Internet <URL:https://web.archive.org/web/20171003085928/https://www.zdnet.com/article/not-sure-which-ransomware-has-infected-your-pc-this-free-tool-could-help-you-find-the-right/> [retrieved on 20200706] *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114095236A (en) * 2021-11-17 2022-02-25 安天科技集团股份有限公司 Key searching method and device, computing equipment and storage medium
CN114095236B (en) * 2021-11-17 2023-11-10 安天科技集团股份有限公司 Key searching method, device, computing equipment and storage medium

Also Published As

Publication number Publication date
CN113228016A (en) 2021-08-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19808781

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19808781

Country of ref document: EP

Kind code of ref document: A1