CryptoAPI

EMA ID: ema-1097
Description: The Microsoft CryptoAPI includes functions to encrypt and decrypt data; these are commonly imported and used by malware (particularly ransomware) to encrypt user data/files on a system.
Associated Behavior: Encrypt Files for Ransom (mobile)
Privilege Level: User space
Supporting Details:
Applicable API Functions include:
  • CryptImportKey
  • CryptEncrypt
  • CryptDecrypt


Inherited Attributes:

applicable platform: Windows 10, Windows 7, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2003 SP1, Windows Server 2003 SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 SP1, Windows Server 2008 SP1, Windows Server 2008 SP2, Windows Server 2012, Windows Server 2012 R2, Windows Vista, Windows Vista SP1, Windows Vista SP2, Windows XP, Windows XP SP1, Windows XP SP2, Windows XP SP3
encryption algorithm: AES 256, RSA, RC4
References:
Date | Malware Family | URL
September 24, 2014 | CryptoWall | http://www.bromium.com/sites/default/files/bromium-report-ransomware.pdf
November 27, 2013 | CryptoLocker | http://labs.bromium.com/2013/11/27/the-holiday-season-and-ransomware/