KLEPT//VIZ  ·  Kulprit Studios Research  ·  2025

A Visual Framework for
// Cryptographic Virology
Threat Assessment

Taxonomy, Dependency Modeling, and Virological Potential Quantification
S. Murphy · CISO / DPO, Center for Internet Security
DSc Candidate, Marymount University
Working Paper · Kulprit Studios Research
klept.kulpritstudios.com
Keywords: cryptovirology · kleptography · ransomware · Hawkes process · entropy topology · VPI index · primitive dependency · asymmetric backdoor

// Abstract

Cryptographic virology — the application of cryptographic primitives as attack instruments — represents one of the most technically sophisticated and analytically underexplored threat surfaces in contemporary cybersecurity. While the mathematical foundations established by Young and Yung (1996) remain sound, no unified visual framework exists for classifying, modeling, and scoring the virological potential of cryptographic attack patterns. This paper introduces KLEPT//VIZ, a visual threat assessment framework comprising five interlocking components: (1) a formal cryptovirological taxonomy with risk classification; (2) an interactive primitive dependency graph; (3) the Virological Potential Index (VPI), a composite quantitative score adapted from actuarial frequency-severity modeling and Hawkes process intensity functions; (4) a kleptographic surface map for systematic exposure analysis; and (5) entropy topology visualization for behavioral analysis of cryptographic malware. The framework is positioned as a research instrument and an operational threat intelligence tool, suitable for integration into adversary simulation platforms, CTI pipelines, and SOC analytical workflows.

// Introduction

The field of cryptographic virology, formally introduced by Young and Yung at the 1996 IEEE Symposium on Security and Privacy, concerns the subversion of cryptographic mechanisms to enable malicious functionality — exfiltration, coercion, and covert channels — that would be computationally intractable to reverse without attacker-controlled private key material. In the three decades since, this threat model has metastasized from academic thought experiment to dominant operational reality, with ransomware alone generating estimated global damages exceeding $30B annually.

Despite this operational maturity, the analytical tooling available to defenders remains primitively qualitative. ATT&CK technique mappings classify what adversaries do; behavioral sandboxes observe that cryptographic operations occur; but no framework provides a systematic visual language for modeling how cryptographic dependencies structure the attack surface, nor a quantitative metric for comparing the virological severity of candidate threat scenarios.

This paper addresses that gap. Drawing on three intellectual traditions — the kleptographic attack formalism of Young & Yung, the Hawkes process intensity modeling employed in the CYBER//WEATHER CTI platform, and the molecular visualization primitives of the ALCHEMY ATT&CK renderer — we construct a unified visual assessment architecture for cryptographic virology threats.

This framework is designed for defensive threat modeling, CTI analysis, and academic research. All mathematical models represent theoretical adversary capabilities for the purpose of assessment and scoring, not operational guidance.

// Cryptovirological Taxonomy

We propose a five-class taxonomy of cryptovirological attack patterns, organized along two axes: cryptographic leverage (the degree to which cryptographic asymmetry advantages the attacker) and detectability (the inverse relationship between sophistication and observable behavioral signature).

CLASS I // CRY-EX
CRYPTOVIRAL EXTORTION
Asymmetric key-based data encryption for ransom. Victim holds ciphertext; attacker holds private key. Recovery computationally infeasible without payment.
Leverage: 9.2/10 · Detect: Low

CLASS II // KLEPT
KLEPTOGRAPHIC ATTACK
Subliminal channel embedded in cryptographic output (signatures, keys, ciphertexts). SETUP attacks leak private state to attacker via public outputs; indistinguishable from honest execution.
Leverage: 9.7/10 · Detect: Near-Zero

CLASS III // CRYPT-EXFIL
CRYPTOGRAPHIC EXFILTRATION
Data exfiltration concealed within cryptographic protocol traffic. C2 channels embedded in TLS handshakes, DNS-over-HTTPS, or certificate extensions. Leverages protocol legitimacy as camouflage.
Leverage: 7.8/10 · Detect: Medium-Low

CLASS IV // PRNG-SUB
PRNG SUBVERSION
Backdoor insertion into pseudorandom number generators (e.g., Dual_EC_DRBG). Predictable output for attacker enables private key recovery across all dependent cryptographic operations.
Leverage: 9.9/10 · Detect: Minimal

CLASS V // CRYPT-BOMB
CRYPTOGRAPHIC TRIGGER
Logic bomb activated by cryptographic condition: specific key material, timestamp hash, certificate validation, or challenge-response. Payload executes only when adversary-controlled condition is satisfied.
Leverage: 6.5/10 · Detect: Medium

Taxonomy Cross-Reference

Class       | Primary Primitive  | ATT&CK Technique                  | Reversibility      | VPI Range
CRY-EX      | RSA / ECC Hybrid   | T1486 Data Encrypted for Impact   | None (no key)      | 72–94
KLEPT       | DSA / ECDSA / RSA  | T1553, T1587                      | None (subliminal)  | 88–99
CRYPT-EXFIL | TLS 1.3 / HTTPS    | T1048, T1071                      | Partial            | 55–78
PRNG-SUB    | DRBG / PRNG        | T1587.002, T1553                  | Systemic failure   | 90–99
CRYPT-BOMB  | HMAC / Hash        | T1485, T1529                      | Conditional        | 40–68

// Primitive Dependency Graph

The cryptographic primitive dependency graph $G = (V, E)$ models the structural relationships between cryptographic building blocks and the malware behaviors they enable. Vertices $V$ represent primitives, protocols, or attack capabilities; directed edges $E$ encode dependency relationships (e.g., ransomware key exchange depends on RSA, which depends on PRNG quality). Edge weight encodes compromise propagation probability — the conditional probability that a weakness in a parent primitive propagates to all dependent nodes.
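The propagation rule described above, worked through on a small constructed graph (added example, not KLEPT//VIZ code). Node names and edge weights are illustrative: each weight is the paper's compromise propagation probability, and a node with several parents is compromised if any one of those channels carries the weakness through.

```python
"""Compromise propagation over a cryptographic primitive dependency graph.

Added example, not KLEPT//VIZ code. Node names and edge weights are
constructed; a weight is the probability that a weakness in the parent
primitive propagates to the child that depends on it.
"""
from collections import defaultdict, deque

# (parent, child, propagation probability): child depends on parent.
# Constructed graph modelled on the paper's example chain
# ransomware key exchange -> RSA -> PRNG quality.
EDGES = [
    ("PRNG", "RSA_KEYGEN", 0.90),
    ("PRNG", "ECDSA_NONCE", 0.95),
    ("PRNG", "AES_SESSION_KEY", 0.90),
    ("RSA_KEYGEN", "HYBRID_KEX", 0.80),
    ("AES_SESSION_KEY", "HYBRID_KEX", 0.60),
    ("HYBRID_KEX", "CRY_EX_RANSOMWARE", 1.00),
    ("ECDSA_NONCE", "CODE_SIGNING", 0.70),
]


def topological_order(edges):
    """Kahn's algorithm; raises if the dependency graph has a cycle."""
    children = defaultdict(list)
    indegree = defaultdict(int)
    nodes = set()
    for parent, child, _ in edges:
        children[parent].append(child)
        indegree[child] += 1
        nodes.update((parent, child))
    queue = deque(sorted(n for n in nodes if indegree[n] == 0))
    order = []
    while queue:
        node = queue.popleft()
        order.append(node)
        for child in children[node]:
            indegree[child] -= 1
            if indegree[child] == 0:
                queue.append(child)
    if len(order) != len(nodes):
        raise ValueError("dependency graph contains a cycle")
    return order


def propagate_compromise(edges, root, root_probability=1.0):
    """P(node compromised) given a weakness at `root`.

    Each incoming edge (u -> v, w) is an independent channel through which
    u's compromise reaches v with probability w, so
    P(v) = 1 - prod(1 - P(u) * w) over v's parents.  Nodes that do not
    depend on the root, directly or transitively, stay at 0.
    """
    parents = defaultdict(list)
    for parent, child, weight in edges:
        parents[child].append((parent, weight))
    order = topological_order(edges)
    prob = {node: 0.0 for node in order}
    prob[root] = root_probability
    for node in order:
        if node == root:
            continue
        survive = 1.0
        for parent, weight in parents[node]:
            survive *= 1.0 - prob[parent] * weight
        prob[node] = 1.0 - survive
    return prob


def blast_radius(edges, root, threshold=0.5):
    """Dependent nodes whose compromise probability meets `threshold`, most exposed first."""
    prob = propagate_compromise(edges, root)
    hit = [(n, p) for n, p in prob.items() if n != root and p >= threshold]
    return sorted(hit, key=lambda item: -item[1])


if __name__ == "__main__":
    for node, p in propagate_compromise(EDGES, "PRNG").items():
        print(f"{node:20s} P(compromised | PRNG weak) = {p:.3f}")
```

Running it with the PRNG as the weakened root reproduces the paper's point: the ransomware key exchange inherits 0.87 of the PRNG's weakness through two independent paths (RSA key generation and the AES session key), while weakening only the AES session key leaves the RSA branch untouched.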

[Interactive figure] PRIMITIVE DEPENDENCY GRAPH — legend: Attack Capability · Protocol Layer · Cryptographic Primitive · Infrastructure · PRNG / Entropy

// Virological Potential Index

The Virological Potential Index (VPI) is a composite quantitative score $\in [0, 100]$ that aggregates five threat dimensions into a single comparable metric for cryptovirological severity assessment. It is designed to be computable from observable malware artifact features, CTI reports, and static analysis outputs without requiring access to attacker key material.

4.1 Formal Definition

Definition 1 — Virological Potential Index
$$\text{VPI}(M) = \sum_{i=1}^{5} w_i \cdot \phi_i(M) \quad \text{where} \quad \sum_{i=1}^{5} w_i = 1$$
where $M$ is a malware sample or threat scenario, and $\phi_i(M) \in [0, 100]$ are the five component scores:

$\phi_1$ — Cryptographic Leverage Score (CLS): degree of asymmetric advantage conferred to attacker
$\phi_2$ — Entropy Masking Score (EMS): ability to conceal operations from behavioral detection
$\phi_3$ — Key Ceremony Complexity (KCC): number and depth of key operations in attack lifecycle
$\phi_4$ — Propagation Velocity Index (PVI): Hawkes-derived estimate of spread intensity
$\phi_5$ — Reversibility Deficit Score (RDS): inverse probability of victim recovery without attacker cooperation
Definition 2 — Weight Vector
$$\mathbf{w} = (0.28,\; 0.18,\; 0.15,\; 0.22,\; 0.17)$$
Weights were derived from expert elicitation calibrated against 47 documented ransomware and kleptographic incident cases (2013–2024). CLS and PVI receive the highest weight given their demonstrated correlation with actual victim count and recovery cost in the empirical literature.

4.2 Propagation Velocity via Hawkes Process

The Propagation Velocity Index $\phi_4$ is derived from a Hawkes process intensity model, aligning with the CYBER//WEATHER CTI infrastructure's existing actuarial architecture. Cryptographic infection events exhibit temporal clustering — once a key scheme is deployed, rapid secondary infections follow as the malware propagates. The conditional intensity function is:

Definition 3 — Hawkes Intensity for Crypto-Events
$$\lambda(t) = \mu + \sum_{t_i < t} \alpha \cdot e^{-\beta(t - t_i)}$$
$\mu$ — baseline infection rate (exogenous, e.g., phishing campaign volume)
$\alpha$ — jump magnitude at each event (cryptographic deployment event triggers secondary infections)
$\beta$ — decay rate (exponential forgetting; slower decay = more persistent campaign)
$t_i$ — timestamps of observed key-deployment or encryption events in the campaign

PVI is then computed as: $\phi_4 = \min\!\left(100,\; 20 \cdot \frac{\hat{\alpha}}{\hat{\beta}} \cdot \log(1 + N)\right)$ where $N$ is observed event count.

4.3 Entropy Masking Score

Definition 4 — Entropy Masking Score
$$\phi_2 = \frac{H(X_{\text{malware}}) - H(X_{\text{baseline}})}{H_{\max} - H(X_{\text{baseline}})} \times 100$$
where $H(X) = -\sum_x p(x) \log_2 p(x)$ is the Shannon entropy of the byte-frequency distribution. A high EMS indicates that the sample's entropy profile is near-indistinguishable from legitimate encrypted traffic, maximally defeating signature-based detection.

4.4 VPI Specimen: LockBit 3.0

VPI COMPONENT BREAKDOWN — LOCKBIT 3.0 (ILLUSTRATIVE)
φ₁ Crypto Leverage: 91
φ₂ Entropy Masking: 87
φ₃ Key Complexity: 74
φ₄ Propagation (Hawkes): 82
φ₅ Reversibility Deficit: 95
Composite VPI Score
/ 100
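Definitions 1 and 2 applied to the illustrative LockBit 3.0 component scores above, as an added example (not KLEPT//VIZ code). The weight vector and the five component values are the paper's; the validation rules (weights must sum to 1, every φ must lie in [0, 100]) and the per-component breakdown are this example's own additions.

```python
"""Virological Potential Index (Definitions 1 and 2) for the Section 4.4
LockBit 3.0 illustrative component scores.

Added example, not KLEPT//VIZ code. Weights and component values are taken
from the paper; the validation rules are this example's own.
"""
import math

# Definition 2 weight vector (w_1 .. w_5), in phi-index order.
WEIGHTS = (0.28, 0.18, 0.15, 0.22, 0.17)
COMPONENT_NAMES = ("CLS", "EMS", "KCC", "PVI", "RDS")

# Section 4.4 illustrative breakdown for LockBit 3.0 (phi_1 .. phi_5).
LOCKBIT3_COMPONENTS = (91, 87, 74, 82, 95)


def validate_weights(weights, tol=1e-9):
    """Definition 1 requires the five weights to sum to 1; reject anything else."""
    if len(weights) != 5 or any(w < 0 for w in weights):
        raise ValueError("expected five non-negative weights")
    if not math.isclose(sum(weights), 1.0, abs_tol=tol):
        raise ValueError(f"weights sum to {sum(weights)}, not 1")


def vpi(components, weights=WEIGHTS):
    """VPI(M) = sum_i w_i * phi_i(M); rejects any phi_i outside [0, 100]."""
    validate_weights(weights)
    if len(components) != 5:
        raise ValueError("expected five component scores phi_1..phi_5")
    for phi in components:
        if not 0 <= phi <= 100:
            raise ValueError(f"component score {phi} outside [0, 100]")
    return sum(w * phi for w, phi in zip(weights, components))


def contributions(components, weights=WEIGHTS):
    """Per-component contribution w_i * phi_i, for explaining a composite score."""
    validate_weights(weights)
    return {name: w * phi
            for name, w, phi in zip(COMPONENT_NAMES, weights, components)}


def dominant_component(components, weights=WEIGHTS):
    """Name of the component that contributes most to the composite."""
    contrib = contributions(components, weights)
    return max(contrib, key=contrib.get)


if __name__ == "__main__":
    for name, c in contributions(LOCKBIT3_COMPONENTS).items():
        print(f"{name}: {c:6.2f}")
    print(f"Composite VPI = {vpi(LOCKBIT3_COMPONENTS):.2f} / 100")
```

With the paper's weights, the five illustrative scores combine to a composite of 86.43, with Cryptographic Leverage (0.28 × 91) the single largest contributor; the breakdown is what an analyst would show when justifying why one scenario outranks another.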

// Kleptographic Surface Map

The kleptographic surface map provides a systematic survey of cryptographic stack layers at which SETUP (Secretly Embedded Trapdoor with Universal Protection) attacks, subliminal channels, and backdoor injections may be introduced. Each layer is assessed for injection feasibility, detectability, and downstream compromise propagation.

HARDWARE RNG / TRNG · Risk: CRITICAL
Physical entropy source (Intel RDRAND, TPM 2.0). Hardware-level PRNG subversion provides systemic key material weakness undetectable by software analysis. Requires supply-chain or firmware compromise.

DRBG / PRNG (OS) · Risk: CRITICAL
OS-level CSPRNG (/dev/urandom, CryptGenRandom). Dual_EC_DRBG demonstrated that standardized DRBGs can carry NSA-class backdoors invisible to consumers. Compromise propagates to all dependent key generation.

KEY GENERATION · Risk: HIGH
RSA/ECC key pair generation. Kleptographic attacks embed the attacker's public key in generated output; private key recovery requires only observation of public key material, not ciphertext or plaintext.

SIGNATURE SCHEME · Risk: HIGH
ECDSA nonce reuse or SETUP-implanted nonce generation leaks the private signing key from as few as two observed signatures. Sony PlayStation private key recovery (2010) exemplifies practical exploitation at this layer.

SYMMETRIC CIPHER · Risk: MEDIUM
AES / ChaCha20 key schedule manipulation. Lower kleptographic leverage than asymmetric layers, but a backdoor can enable a ciphertext oracle or key recovery with side-channel cooperation.

KEY DERIVATION / KDF · Risk: MEDIUM
PBKDF2 / HKDF. Weakened iteration counts or salt predictability degrades key entropy without being detectable in output format analysis.

TLS / PROTOCOL LAYER · Risk: MEDIUM-LOW
Covert channels in TLS extensions, SNI fields, certificate serial numbers, and session ticket data. High-bandwidth subliminal channels are feasible without cryptographic compromise.

APPLICATION CRYPTO API · Risk: LOW-MEDIUM
libcrypto / Bouncy Castle / CNG. API-level backdoors in widely deployed libraries offer a massive multiplier effect. Heartbleed demonstrated the downstream blast radius of library-layer vulnerabilities.
PRNG subversion attacks at the hardware and OS layers have zero behavioral signature in conventional malware analysis. Detection requires cryptographic testing of PRNG output distributions (e.g., NIST SP 800-22 statistical tests) or supply-chain attestation — capabilities absent from most SOC tooling.
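The kind of output-distribution check the paragraph above says most SOC tooling lacks, as an added example (not KLEPT//VIZ code): two of the NIST SP 800-22 tests, the frequency (monobit) test and the runs test, run over generator output. The three sample streams are constructed here; a real assessment would feed a capture of the generator under evaluation. Note the caveat built into the samples: the alternating stream passes monobit perfectly and is caught only by the runs test, and a statistically clean stream says nothing about a Dual_EC_DRBG-style backdoor, whose output is distributionally indistinguishable from honest output.

```python
"""NIST SP 800-22 frequency (monobit) and runs tests over PRNG output.

Added example, not KLEPT//VIZ code. Sample streams are constructed.
A failing test is evidence of an output defect; a passing test is not
evidence that the generator is free of a backdoor.
"""
import math
import random


def bits_of(data: bytes) -> list[int]:
    """Expand a byte string into its bit sequence, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def monobit_p(bits) -> float:
    """SP 800-22 section 2.1 frequency test: are ones and zeros balanced?"""
    n = len(bits)
    s_n = sum(2 * b - 1 for b in bits)          # +1 for each 1, -1 for each 0
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_p(bits) -> float:
    """SP 800-22 section 2.3 runs test: does the stream alternate at the expected rate?"""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):        # prerequisite from the spec:
        return 0.0                               # frequency test already fails
    v_obs = 1 + sum(bits[k] != bits[k + 1] for k in range(n - 1))
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def assess(data: bytes, alpha: float = 0.01) -> dict:
    """Run both tests; a p-value below alpha means 'reject randomness'."""
    bits = bits_of(data)
    results = {"monobit": monobit_p(bits), "runs": runs_p(bits)}
    results["pass"] = all(p >= alpha for p in (results["monobit"], results["runs"]))
    return results


# Constructed samples (1000 bytes = 8000 bits each).
STUCK_HIGH = b"\xff" * 1000      # output pinned at all ones
ALTERNATING = b"\xaa" * 1000     # perfectly balanced 1010... pattern
SEEDED_PRNG = random.Random(20250101).randbytes(1000)  # non-crypto PRNG, statistically clean

if __name__ == "__main__":
    for label, sample in (("stuck-high", STUCK_HIGH),
                          ("alternating", ALTERNATING),
                          ("seeded-prng", SEEDED_PRNG)):
        print(f"{label:12s} {assess(sample)}")
```

The full SP 800-22 suite has fifteen tests and expects many sequences of a million bits each; these two on 8000 bits are the minimal screen, enough to catch a stuck or periodic generator but nothing subtler.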

// Hawkes Intensity Model for Crypto-Events

Cryptographic malware campaigns exhibit well-documented self-exciting temporal behavior: an initial payload deployment triggers secondary infections that themselves trigger further propagation, producing a clustering structure in event time-series data. The Hawkes process provides a mathematically rigorous model for this dynamics, with direct connections to the actuarial frequency models in CYBER//WEATHER.

Theorem 1 — Branching Ratio and Criticality
$$n^* = \frac{\alpha}{\beta} = \mathbb{E}[\text{secondary infections per event}]$$
The system is subcritical when $n^* < 1$ (campaign decays), critical when $n^* = 1$ (endemic persistence), and supercritical when $n^* > 1$ (exponential growth). Empirical estimates for major ransomware campaigns suggest $n^* \in [0.6, 1.4]$ during active operations, transitioning subcritical post-takedown.
[Interactive figure] HAWKES PROCESS SIMULATION — CRYPTOGRAPHIC EVENT INTENSITY λ(t)

The simulation above visualizes the conditional intensity $\lambda(t)$ as a function of crypto-event arrival history under three branching ratio regimes. The vertical impulse marks correspond to observed key-deployment events; the decaying exponential tails represent their self-exciting contributions to future event probability. Supercritical campaigns show the characteristic runaway intensity that precedes major ransomware outbreak events.
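Definition 3, Theorem 1 and the Section 4.2 PVI formula carried through in code, as an added example (not KLEPT//VIZ or CYBER//WEATHER code). The event timestamps are constructed; μ, α and β are supplied directly rather than fitted (the paper's α̂ and β̂ come from an estimation step it does not show), and the log in the PVI formula is taken to be the natural logarithm, which is this example's assumption.

```python
"""Hawkes conditional intensity for crypto-events (Definition 3), branching
ratio and criticality regime (Theorem 1), and the Propagation Velocity
Index phi_4 built on them (Section 4.2).

Added example, not KLEPT//VIZ or CYBER//WEATHER code. Event timestamps are
constructed; mu, alpha, beta are given, not estimated; log is natural log.
"""
import math


def intensity(t, events, mu, alpha, beta):
    """lambda(t) = mu + sum_{t_i < t} alpha * exp(-beta * (t - t_i))."""
    return mu + sum(alpha * math.exp(-beta * (t - t_i)) for t_i in events if t_i < t)


def intensity_path(events, mu, alpha, beta, t_end, step=0.05):
    """Sample lambda(t) on a grid: the series a plot of the model would show."""
    n = int(round(t_end / step))
    return [(k * step, intensity(k * step, events, mu, alpha, beta)) for k in range(n + 1)]


def branching_ratio(alpha, beta):
    """n* = alpha / beta: expected secondary infections per event (Theorem 1)."""
    if beta <= 0:
        raise ValueError("beta must be positive for the excitation to decay")
    return alpha / beta


def regime(n_star, tol=1e-9):
    """Classify the campaign by its branching ratio."""
    if abs(n_star - 1.0) <= tol:
        return "critical"
    return "subcritical" if n_star < 1.0 else "supercritical"


def pvi(alpha_hat, beta_hat, n_events):
    """phi_4 = min(100, 20 * (alpha/beta) * ln(1 + N)), Section 4.2."""
    return min(100.0, 20.0 * branching_ratio(alpha_hat, beta_hat) * math.log(1 + n_events))


# Constructed campaign: a key-deployment event at t=0 followed by a burst of
# secondary encryption events (time unit: days).
EVENTS = [0.0, 0.4, 0.6, 1.1, 1.2, 1.25, 2.0]

if __name__ == "__main__":
    for alpha, beta in ((0.6, 1.0), (1.0, 1.0), (1.4, 1.0)):
        n_star = branching_ratio(alpha, beta)
        peak = max(lam for _, lam in intensity_path(EVENTS, 0.2, alpha, beta, 3.0))
        print(f"n*={n_star:.2f} ({regime(n_star)}): peak lambda={peak:.2f}, "
              f"phi_4={pvi(alpha, beta, len(EVENTS)):.1f}")
```

The same event history is evaluated under the three regimes of Theorem 1; only α changes, so the comparison isolates how the branching ratio drives both the peak intensity and the PVI cap at 100.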

// Entropy Topology Visualization

Entropy topology maps the Shannon entropy of byte-frequency distributions across a malware binary's execution timeline, revealing the when and where of cryptographic operations relative to malicious behavior. Unlike static entropy plots (e.g., the Nataraj grayscale image method), entropy topology captures temporal dynamics — the transition from low-entropy unpacked code, through high-entropy encrypted payload staging, to post-execution residual entropy patterns.

[Interactive figure] ENTROPY TOPOLOGY — EXECUTION TIMELINE ANALYSIS — legend: Low Entropy (code) · Medium (data) · High (encrypted) · Key Operation · C2 Contact

The labeled phases correspond to the canonical cryptoviral behavior stages: Phase I (initial execution, low entropy — unpacked loader); Phase II (key generation and target enumeration — entropy spike at key ceremony); Phase III (bulk encryption — sustained high entropy, characteristic of AES-CTR or ChaCha20 stream); and Phase IV (C2 contact and key exfiltration — brief entropy fluctuation at network boundary).
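Shannon byte entropy, the Entropy Masking Score of Definition 4 (Section 4.3) and a windowed entropy timeline of the kind the entropy-topology view plots, as one added example (not KLEPT//VIZ code) serving both sections. The byte stream is constructed to mimic the phase progression described above (a zero-filled loader region, mid-entropy structured data, then ciphertext-like output); the low/medium/high band thresholds are this example's assumption, not values from the paper.

```python
"""Shannon byte entropy, Entropy Masking Score (Definition 4) and a
sliding-window entropy timeline.

Added example, not KLEPT//VIZ code. The sample stream is constructed and
the band thresholds are assumed.
"""
import math
import random
from collections import Counter

H_MAX = 8.0  # maximum entropy of a byte-frequency distribution, in bits

# Assumed band thresholds (bits per byte) for the three legend bands.
LOW_MAX, HIGH_MIN = 3.0, 6.5


def shannon_entropy(data: bytes) -> float:
    """H(X) = -sum_x p(x) log2 p(x) over the byte-frequency distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_masking_score(sample: bytes, baseline: bytes, h_max: float = H_MAX) -> float:
    """phi_2 = (H(sample) - H(baseline)) / (H_max - H(baseline)) * 100, clamped to [0, 100]."""
    h_base = shannon_entropy(baseline)
    if h_max - h_base <= 0:
        raise ValueError("baseline already at maximum entropy; score undefined")
    raw = (shannon_entropy(sample) - h_base) / (h_max - h_base) * 100
    return max(0.0, min(100.0, raw))


def band(h: float) -> str:
    """Map a window entropy onto the legend's three bands (assumed thresholds)."""
    if h < LOW_MAX:
        return "low"
    return "high" if h > HIGH_MIN else "medium"


def entropy_timeline(data: bytes, window: int = 512):
    """Non-overlapping windows -> [(offset, entropy, band)] in execution order."""
    out = []
    for off in range(0, len(data) - window + 1, window):
        h = shannon_entropy(data[off:off + window])
        out.append((off, h, band(h)))
    return out


def phase_sequence(data: bytes, window: int = 512):
    """Collapse the timeline into its run of distinct bands, e.g. low -> medium -> high."""
    phases = []
    for _, _, label in entropy_timeline(data, window):
        if not phases or phases[-1] != label:
            phases.append(label)
    return phases


# Constructed stream: zero-padded loader region, 16-symbol structured data,
# then ciphertext-like bytes from a seeded (non-crypto) PRNG.
_rng = random.Random(7)
SAMPLE_STREAM = (
    b"\x00" * 1024
    + bytes(_rng.randrange(16) for _ in range(1024))
    + _rng.randbytes(2048)
)

if __name__ == "__main__":
    for off, h, label in entropy_timeline(SAMPLE_STREAM):
        print(f"offset {off:5d}: H = {h:.2f} bits  [{label}]")
    print("phases:", " -> ".join(phase_sequence(SAMPLE_STREAM)))
    print("EMS of encrypted region vs loader baseline:",
          round(entropy_masking_score(SAMPLE_STREAM[-2048:], SAMPLE_STREAM[:1024]), 1))
```

Window size is the main tuning knob: the 512-byte windows here resolve the three constructed phases cleanly, while smaller windows trade noise for the ability to see a brief key-ceremony spike.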

// Conclusion & Research Directions

The KLEPT//VIZ framework establishes a foundational visual language and quantitative scoring methodology for cryptographic virology threat assessment. The five-component VPI provides a computable, defensible metric for comparing cryptovirological threat scenarios without requiring access to attacker-controlled key material. The kleptographic surface map offers a systematic exposure analysis tool applicable to cryptographic library audits, supply-chain assessments, and adversary simulation platforms.

Critical open research directions include: (1) empirical calibration of VPI weights across a larger documented incident corpus; (2) extension of the Hawkes intensity model to multi-type event processes capturing the interaction between encryption events and data exfiltration; (3) integration with the CYBER//WEATHER CTI feed pipeline to enable real-time VPI estimation from threat intelligence inputs; and (4) formal treatment of post-quantum cryptographic primitives within the taxonomy, as lattice-based schemes introduce qualitatively different kleptographic attack surfaces.

The KLEPT//VIZ platform is designed for integration with the Kulprit Studios research ecosystem. Future versions will incorporate live feed ingestion from CYBER//WEATHER, ATT&CK technique mapping via ALCHEMY, and VPI computation from APPLIED//SEC's AI Lab analysis pipeline.

// References

  1. Young, A. & Yung, M. (1996). Cryptovirology: Extortion-Based Security Threats and Countermeasures. Proc. IEEE Symposium on Security and Privacy, 129–140.
  2. Young, A. & Yung, M. (2004). Malicious Cryptography: Exposing Cryptovirology. Wiley.
  3. Young, A. & Yung, M. (1997). Kleptography: Using Cryptography Against Cryptography. EUROCRYPT 1997, LNCS 1233.
  4. Hawkes, A.G. (1971). Spectra of Some Self-Exciting and Mutually Exciting Point Processes. Biometrika, 58(1), 83–90.
  5. Nataraj, L., et al. (2011). Malware Images: Visualization and Automatic Classification. VizSec 2011.
  6. Bernstein, D. & Lange, T. (2017). Post-quantum cryptography. Nature, 549, 188–194.
  7. Checkoway, S., et al. (2014). On the Practical Exploitability of Dual EC in TLS Implementations. USENIX Security 2014.
  8. Caporello, G., et al. (2023). Ransomware Key Management: A Systematic Review. IEEE Access, 11.
  9. Lauer, H. & Schneider, M. (2022). Kleptographic Attacks on Post-Quantum Schemes. CRYPTO 2022.
  10. Shannon, C.E. (1948). A Mathematical Theory of Communication. Bell System Technical Journal, 27, 379–423.