Hackers use ransomware to go after every industry. return access to the victim’s files. It is a profitable business. Ransomware gangs in the first six months of 2023 although most govt . More and more security professionals are teaming up with law enforcement agencies to provide free encryption tools – freeing locked files and eliminating the temptation for victims to hunt.
Ransomware decryptors have several main ways to develop tools: reverse engineering for bugs, working with law enforcement, and collecting publicly available encryption keys. The length of the process varies depending on how complex the code is, but typically it requires information about encrypted files, unencrypted versions of the files, and server information from the hacking group. “Having only an encrypted file of the output is usually useless. You need the sample itself, the executable file,” said Jakub Kroustek, director of malware research at Avast antivirus business. It’s not easy, but when it works, it pays dividends for affected victims.
First, we need to understand how encryption works. For a very simple example, a piece of data might start out as a known sentence, but after being encrypted it looks like “J qsfgfs dbut up epht”. If we know that one of the unencrypted words in “J qsfgfs dbut up epht” must be “cat”, we can begin to determine what pattern is applied to the original text to get the encrypted result. In this case, each letter is the standard English alphabet pushed forward: AB becomes BC, and “I prefer cats to dogs” becomes the nonsense above. This is more complicated for the types of encryption used by ransomware gangs, but the principle remains the same. An encryption pattern is also known as a “key,” and researchers can create a tool that decrypts files by extracting the key.
Some forms of encryption, such as the Advanced Encryption Standard with 128-, 192-, or 256-bit keys, are virtually unbreakable. At the most advanced level, bits of unencrypted “plaintext” data, divided into chunks called “blocks,” go through 14 rounds of transformations and are then extracted in encrypted — or “ciphertext” — form. “We don’t yet have quantum computing technology that can break encryption technology,” said John Clay, vice president of threat intelligence at security software company Trend Micro. But luckily for victims, hackers don’t always use strong methods like AES to encrypt files.
Although some cryptographic schemes are virtually uncrackable , and inexperienced hackers are likely to make mistakes. If hackers don’t implement a standard scheme like AES and choose to build their own instead, researchers can investigate bugs. Why would they do that? Mainly ego. “They want to do something themselves because they like it or they think it’s better for speed purposes,” said Jornt van der Wiel, a cybersecurity researcher at Kaspersky.
For example, how Kaspersky cracked the password ransomware strain. It was a targeted strain aimed at specific companies with an unknown list of victims. Yanluowang used the Sosemanuk stream cipher to encrypt the data: a free process that encrypts a plaintext file one digit at a time. He then encrypted the key using another encryption standard, the RSA algorithm. But there was a flaw in the pattern. The researchers were able to compare the plaintext with the encrypted version as explained above and reverse engineer the decryption tool. . In fact, there are tons that are .
According to Kroustek, ransomware decryptors will use software engineering and cryptography knowledge to obtain the ransomware key and create a decryption tool from there. More advanced cryptographic processes may require either brute forcing or educated guesses based on available information. Sometimes hackers use a pseudo-random number generator to generate a key. The true RNG will be random, but that means it won’t be easily predictable. A pseudo-RNG, as explained by van der Wiel, can rely on an existing pattern to appear random when it actually isn’t—the pattern can be based on the time it was generated, for example. If the researchers know some of it, they can try different time values until they extract the key.
But getting that key often relies on working with law enforcement to learn more about how hacker groups operate. If researchers can get the hacker’s IP address, they can ask the local police to take over the servers and get a cache of their content. Or, if hackers have used a proxy server to hide their location, police can use traffic analyzers like NetFlow to determine where the traffic is going and retrieve information from it, according to van der Wiel. The makes this possible across international borders, as it allows police to urgently request an image of a server in another country while waiting for an official inquiry to go through.
The server provides information about the hacker’s activities, such as who they can target or the process of demanding a ransom. This can tell ransomware decryptors the process hackers go through to encrypt data, details about the encryption key, or access to files that can help reverse the process. Researchers scan server logs for details in the same way you can help your friend learn details about their Tinder history to make sure they’re legit, looking for clues or details about malicious patterns that can help rule out true intentions. Researchers can, for example, discover a portion of a plaintext file to compare with an encrypted file to begin the process of reverse engineering the key, or perhaps find parts of a pseudo-RNG that can begin to explain the encryption pattern.
works with Create a decryption tool for Babuk Tortilla ransomware. This version of the ransomware targeted healthcare, manufacturing and national infrastructure, encrypting victims’ devices and deleting valuable backups. Avast had already created a generic Babuk decryption, but the Tortilla strain was difficult to crack. The Dutch Police and Cisco Talos worked together to catch the person behind the strain, gaining access to Tortilla’s decryption in the process.
But often the easiest way to become familiar with these encryption tools is from the ransomware gangs themselves. Maybe they are retiring or just feeling generous, but attackers sometimes happen . Security professionals can then use the key to generate a decryption tool and release it for victims to use later.
In general, experts can’t share much about the process without helping ransomware gangs. If they reveal common bugs, hackers can easily use this to improve their next ransomware attempt. If the researchers tell us what encrypted files they’re working on now, the gangs will know what they’re on. But the best way to avoid paying is to be proactive. “If you’ve done a good job of backing up your data, you have a better chance of not having to pay,” Clay said.
