Assignment title: Information


Assessment guidelines

*** You have the choice to make the assignment on encryption/decryption and key management ***

This assessment is worth 80% of the total assessment for the unit. It is an individual assessment. While associates can discuss the assessment with each other, each individual should submit their own work.

Due date: 25th May, 5 PM

On successful completion of this assessment you should be able to:
1. Analyze networked systems to identify security requirements;
2. Evaluate and select appropriate security technologies for a given network situation; and
3. Apply cryptographic protocols to achieve a variety of security goals for a given online system.

You will develop a model educational ransomware by applying the cryptography knowledge gained through lectures and tutorials. A basic ransomware may make use of almost all cryptographic services and mechanisms, and hence it forms the most suitable real-world application for IFN642. Each individual will be responsible for building the necessary literature and background on ransomware, and you will address one specific payload of the final ransomware design.

Ransomware

Ransomware is malware which encrypts valuable files on a victim's computer and requests a ransom in return for a decryption tool. CryptoWall v3 and TorrentLocker are two example ransomware families which infect a computer, encrypt valuable files, poison backups and demand untraceable ransom payment in electronic currency in return for a decryption tool. In such situations, most victims get the advice "install a new system and restore files from the backup if you have a recent clean backup, or pay the ransom", simply because there is no other effective method available. Ransomware is a rising threat affecting almost everyone and every organization, including QUT. Companies are in need of staff with the knowledge, advanced capabilities and cognitive skills to deal with this new complex threat.
Clearly, a person who develops or reverse engineers ransomware must have a deep understanding of cryptographic services and mechanisms. Ransomware may use different methods to search for victims' valuable files, stay persistent in the victims' system, encrypt files, manage encryption keys, communicate with command and control, extract ransom, and supply file recovery tools. This assessment focuses only on (i) file search and persistency, (ii) encryption, (iii) decryption (recovery), and (iv) key management. Hence, each member is required to design and implement one of the following 4 payloads. There might be several different ways to design and implement these payloads. You should discuss your selection within the final report.

Payload 1: File search and persistency

Ransomware has a very limited time to selectively encrypt victims' (e.g., individuals' or companies') files, by targeting the file types (such as .pptx, .docx, .pdf, .xlsx, .jpg, .png, etc.) that threaten business continuity and intellectual property most. If this payload is properly designed and implemented, the ransomware may stay stealthy and identify as many valuable files as possible to increase the chance of ransom extraction. Files that may cause a system crash should not be touched. Ransomware should be careful about any shadow files or file journals which may include a redundant copy of targeted files; these sorts of files should either be encrypted or deleted. Ransomware should have effective persistency mechanisms so that when a victim's computer is restarted, the ransomware is able to continue its operations. Ransomware should take the necessary precautions not to encrypt the same file more than once; in such a case, recovery of the original file becomes harder, which may result in decreased ransom revenue.

Payload 2: Encryption

There is a vast variety of strong cryptographic mechanisms available to implement a ransomware encryption payload.
Ransomware may include an encryption module as part of its payload, or it may use a local crypto library (such as OpenSSL) to access such encryption modules. In this project, you are expected to implement the encryption module yourself. Library calls for file encryption or decryption are not permitted. Ransomware file encryption can use a symmetric block encryption scheme (such as AES, 3DES, XTEA or RC5), a symmetric stream encryption scheme (such as RC4 or A5) or an asymmetric encryption scheme (such as RSA or elliptic curves). If a symmetric block encryption scheme is selected, a suitable block cipher mode of operation must be picked as well. The choice of encryption scheme is strongly related to the key management scheme. If the encryption and decryption keys are the same, then it is a symmetric encryption scheme; if the encryption and decryption keys are different, then it is an asymmetric encryption scheme. It should be noted that symmetric encryption schemes run faster than asymmetric encryption schemes. Recall that speed is very important in ransomware design, because ransomware should encrypt all targeted files before an antivirus tool detects it.

Payload 3: Decryption

Decryption is the reverse of encryption. Ransomware may carry its decryption module within it; in that case, the ransomware author must ensure that the decryption module becomes useful only when the victim pays the ransom. Alternatively, it can be a tool supplied to the victim after ransom payment. Since decryption runs after ransom extraction, it does not need to be fast or stealthy. It must just ensure that all files are correctly recovered and that they are accessible by the victim. Note that the recovery process should be victim specific: the same decryption tool can be used by many victims, but each victim should pay the ransom to get the correct set of file decryption keys to recover his/her files. Moreover, no two files should have the same decryption key.
Payload 4: Key management

Key management is the most important feature of ransomware. Depending on the choice of encryption scheme, symmetric or asymmetric, unique keys or key pairs must be generated, transferred or hidden on each victim's computer. Keys can be carried into the victim's computer, generated on the victim's computer using a random number generation library function, or calculated as a combination of environmental observations of the victim's computer. Ransomware that carries keys into the victim's computer does so by obfuscating the key. Ransomware that uses symmetric key cryptography can generate the key and hide it within the ransomware code or within the file system, or store the key on a remote database server. Asymmetric key cryptography uses a public key for encryption and a private key for decryption; the private key is not kept on the victim's computer at all. There are two common approaches for using public keys. In the first approach, ransomware authors use a random symmetric key to encrypt files and the public key to encrypt the symmetric key. If the victim chooses to pay the ransom, she has to send the encrypted symmetric key to the ransomware author for the ransomware author to recover the key and send it back. This requires the ransomware author to be honest (!). In the second approach, the most extreme case, the public key can be directly used to encrypt the files. Again, the decryption (private) key can only be recovered by paying the ransom. However, asymmetric key encryption causes a large computation overhead, which may slow down the infected machine and be detected by users.

Suggested Milestones

Milestone 1

Review of ransomware literature: you have to review 2 ransomware families by reading scientific publications or technical reports. Papers or technical reports read should be listed under the references section and cited within the text.
The literature review should identify the methods used by these ransomware families for searching files, providing persistency, encrypting, decrypting, managing keys, connecting to command and control and extracting ransom. Knowledge gained through this activity should be reported as part of the final report.

Discussion of ethical implications: Each individual should review the ethical implications of implementing ransomware. You should identify the conditions and environmental settings required so that ransomware can be developed and tested safely. Knowledge gained through this activity should be reported as part of the final report.

Please discuss the output of milestone 1 with the lecturer.

Milestone 2

Analysis of a sample code: Each person should analyze the sample ransomware code written in Python. The sample code uses local libraries to encrypt and decrypt files. Each individual can either develop their own ransomware from scratch or extend the sample ransomware with the new payloads. Knowledge gained through this activity should be reported as part of the final report.

Ransomware design specification: Using the knowledge gained through the literature review and sample ransomware analysis, each individual should come up with their own ransomware design, consisting of the methods to be used for searching files, providing persistency, encrypting, decrypting and managing keys. Reasons for choosing these methods, and their advantages and disadvantages, should be discussed in detail.

Project plan and task distribution: Based on the design, each individual should develop a project plan and timeline. The project plan should clearly list the tasks.

Please discuss the output of milestone 2 with the lecturer.

Milestone 3

Integration and tests of payloads: Following development of the payloads, you can work together with other members to integrate their payloads and build a functional ransomware. The ransomware should be developed, integrated and tested in a virtual machine to prevent any harm to the host computer.
The test procedure should cover functional correctness, persistency, timing, CPU usage, memory usage and the percentage of user files encrypted.

Please discuss the output of milestone 3 with the lecturer.

Milestone 4

Individual reflections: Each individual should reflect on the learning activity. Reflections should discuss learning opportunities and challenges, level of effort and quality of outputs. Each individual should discuss under what conditions this learning activity would be more productive and enjoyable.

Deliver the final report and the code.

Deliverables

Please submit your assessment via the IFN642 Blackboard web site under the Assessment section. You are expected to deliver:

1. A final report with the following outline:
   a. Executive Summary
   b. Introduction
   c. Background and Literature Review
      i. Ransomwares
      ii. Common ransomware methods
   d. Analysis of the IFN642 Sample Code
   e. Ransomware Design
      i. File Search / Persistency
      ii. Encryption
      iii. Decryption
      iv. Key Management
   f. Project
      i. Objectives
      ii. Project plan and timeline
      iii. Development and test environment
      iv. Implementation details
      v. Test results
   g. Reflections
   h. Ethical Concerns
   i. Conclusions
   j. References
   k. Appendices
2. Ransomware code

Please compress the assessment report and the ransomware code, and upload the compressed file to Blackboard. Make sure to include the necessary readme files instructing how the ransomware code can be compiled/interpreted and executed.

The quality of the presentation of a formal technical report is as important as the quality of the technical content of the report in the profession:
1. The body text of your report should be no more than 30 pages in length, excluding appendices;
2. The text of your report should be in 12-point Times New Roman and single spaced;
3. Page size is A4 with 2cm margins on all sides;
4. The report is suggested to be organised with a cover page, an executive summary within one page, a table of contents, body text, references and appendices.

QUT MOPP C/5.3 Academic Integrity - Plagiarism

Plagiarism involves representing another person's (or persons') ideas or work as one's own. It may also include resubmitting one's own work for another assessment item. Common forms of plagiarism include:
1. direct copying, summarising, or paraphrasing another person's (or persons') work without appropriate acknowledgement of the sources (such acknowledgement must take the form required by the particular discipline);
2. using or developing an idea or hypothesis from another person's (or persons') work without appropriate acknowledgement;
3. representing the work of another person (or persons) as the student's own work;
4. copying non-word-based material such as diagrams, musical scores, audiovisual materials, art work, plans etc. and presenting them as one's own work;
5. using another person's (or persons') experimental results as one's own or without appropriate acknowledgement.