Abstract

Ransomware encrypts user files making management of the encryption key(s) critical to its success. Developing a better understanding of key management in ransomware is a necessary prerequisite to finding weaknesses that can be exploited for defensive purposes. We describe the evolution of key management as ransomware has matured and examine key management in 25 samples. Based on that analysis, we introduce a ransomware taxonomy that is analogous to hurricane ratings: a Category 5 ransomware is more virulent from a cryptographic standpoint than a Category 3. In our analysis of samples in light of the taxonomy, we observed that poor cryptographic models appear as recently as 2018.