RansomClave: Ransomware Key Management using SGX. (arXiv:2107.09470v1 [cs.CR])

Modern ransomware often generate and manage cryptographic keys on the
victim’s machine, giving defenders an opportunity to capture exposed keys and
recover encrypted data without paying the ransom. However, recent work has
raised the possibility of future enclave-enhanced malware that could avoid such
mitigations using emerging support for hardware-enforced secure enclaves in
commodity CPUs. Nonetheless, the practicality of such enclave-enhanced malware
and its potential impact on all phases of the ransomware lifecyle remain
unclear. Given the demonstrated capacity of ransomware authors to innovate in
order to better extort their victims (e.g. through the adoption of untraceable
virtual currencies and anonymity networks), it is important to better
understand the risks involved and identify potential mitigations.

As a basis for comprehensive security and performance analysis of
enclave-enhanced ransomware, we present RansomClave, a family of ransomware
that securely manage their cryptographic keys using an enclave. We use
RansomClave to explore the implications of enclave-enhanced ransomware for the
key generation, encryption and key release phases of the ransomware lifecycle,
and to identify potential limitations and mitigations.

We propose two plausible victim models and analyse, from an attacker’s
perspective, how RansomClave can protect cryptographic keys from each type of
victim. We find that some existing mitigations are likely to be effective
during the key generation and encryption phases, but that RansomClave enables
new trustless key release schemes that could potentially improve attacker’s
profitability and, by extension, make enclaves an attractive target for future
attackers.