Hackers hit every industry with ransomware, which encrypts victims' files and demands payment to restore access. It is a lucrative business: the first six months of 2023 saw ransomware gangs strike a wide range of targets, including governments. In response, security researchers are increasingly working with law enforcement agencies to release free decryption tools that unlock the files and remove the temptation for victims to pay.
Researchers who build ransomware decryption tools rely on a few main approaches: reverse engineering mistakes in the malware's cryptography, working with law enforcement, and collecting encryption keys that become public. How long the process takes depends on the complexity of the code, but it typically requires samples of the encrypted files, unencrypted versions of the same files, and information from the hacking group's servers. Above all, it requires the malware itself. "Just the encrypted output file usually doesn't help. You need the sample itself, the executable file," said Jakub Kroustek, director of malware research at antivirus company Avast. It is not easy, but when it works, the affected victims benefit.
First, you need to understand how encryption works. As a very basic example, suppose a piece of data starts out as a recognizable sentence but, once encrypted, reads "J qsfgfs dbut up epht". If you know that one of the words hidden in "J qsfgfs dbut up epht" is "cats", you can ask what transformation turns "cats" into one of those scrambled words, and from that begin to work out what was done. In this case, each letter of the standard English alphabet has been advanced by one place: A becomes B, B becomes C, and "I prefer cats to dogs" becomes the nonsense string above. The encryption used by ransomware gangs is far more complex than this, but the principle is the same. The secret that determines the pattern, here the shift of one, is called the "key", and researchers can build tools that decrypt files by recovering or guessing the key.
Some forms of encryption are, for practical purposes, unbreakable, such as the Advanced Encryption Standard (AES) with 128-, 192-, or 256-bit keys. Unencrypted "plaintext" data is split into 128-bit chunks called "blocks", and each block goes through a series of transformation rounds (14 of them with a 256-bit key) before it is output in encrypted, or "ciphertext", form. "We don't yet have quantum computing technology that can break encryption," said Jon Clay, vice president of threat intelligence at security software company Trend Micro. Fortunately for victims, however, hackers do not always use strong methods such as AES to encrypt files, and even when they do, a mistake in how the key is generated or handled can undo the cipher's strength.
Even an unbreakable cipher is only as good as its implementation, and inexperienced hackers make mistakes. When a hacker does not use a standard scheme such as AES and instead builds something custom, researchers go looking for the errors. Why do hackers do this? Mostly ego. "They want to do something themselves because they like it or they think it's better for speed," said Jornt van der Wiel, a cybersecurity researcher at Kaspersky Lab.
For example, here is how Kaspersky decrypted the Yanluowang ransomware strain. It was a targeted strain aimed at specific companies, and the full list of victims is unknown. Yanluowang encrypted data with the Sosemanuk stream cipher, a freely usable algorithm that encrypts the plaintext one small unit at a time rather than in blocks. The Sosemanuk key was then itself encrypted with a different algorithm, RSA. But the way the scheme was applied was flawed: the researchers were able to compare plaintext and encrypted versions of files and, as described above, reverse engineer a decryption tool. In fact, there are many that have .
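The two known-plaintext cases above, the shift cipher from the article and a stream cipher broken by comparing a file with its encrypted copy, as an added worked example. This is illustrative code written for this page, not the article's code and not Kaspersky's Yanluowang decryptor. The stream-cipher half assumes the specific mistake of reusing one keystream for every file; the article does not say which flaw Yanluowang had, and the SHA-256-based keystream, key and file contents are constructed stand-ins, not Sosemanuk or real victim data.

```python
"""Known-plaintext key recovery (illustrative example added to this page).
Covers (1) the article's letter-shift cipher and (2) a stream cipher whose
keystream is reused across files, an assumed implementation mistake."""
import hashlib
import string
from typing import Optional

ALPHABET = string.ascii_lowercase


def shift_encrypt(text: str, shift: int) -> str:
    """The article's toy cipher: advance every letter by `shift` places."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ALPHABET.upper() if ch.isupper() else ALPHABET
            out.append(base[(base.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def recover_shift(ciphertext: str, crib: str) -> Optional[int]:
    """Try all 26 keys and keep the one under which the known word appears."""
    for shift in range(26):
        if crib in shift_encrypt(ciphertext, -shift).split():
            return shift
    return None


# --- stream cipher with a reused keystream --------------------------------

def demo_keystream(key: bytes, length: int) -> bytes:
    """Constructed stand-in for a stream cipher keystream (NOT Sosemanuk):
    SHA-256 in counter mode. Any stream cipher is plaintext XOR keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def decrypt_with_reused_keystream(known_plain: bytes, known_cipher: bytes,
                                  target_cipher: bytes) -> bytes:
    """If one file's plaintext is known (e.g. from a backup), XOR gives the
    keystream; if the malware reused it, the same keystream strips the other
    files. Only as many bytes as the known plaintext covers are recoverable."""
    keystream = xor_bytes(known_plain, known_cipher)
    n = min(len(keystream), len(target_cipher))
    return xor_bytes(target_cipher[:n], keystream[:n])


# Constructed sample data (not real victim files or keys).
SAMPLE_KEY = b"constructed-per-victim-key"
FILE_A = b"Quarterly report, draft 3. Revenue is up; costs are flat. Do not forward."
FILE_B = b"root:$6$saltsalt$hashhashhash:19000:0:99999:7:::"
_ks = demo_keystream(SAMPLE_KEY, max(len(FILE_A), len(FILE_B)))
CIPHER_A = xor_bytes(FILE_A, _ks)   # victim still has FILE_A in a backup
CIPHER_B = xor_bytes(FILE_B, _ks)   # FILE_B survives only in encrypted form

if __name__ == "__main__":
    print(recover_shift("J qsfgfs dbut up epht", "cats"))            # 1
    print(shift_encrypt("J qsfgfs dbut up epht", -1))                # I prefer cats to dogs
    print(decrypt_with_reused_keystream(FILE_A, CIPHER_A, CIPHER_B) == FILE_B)  # True
```

The limit in the last function is the practical one: a backup of a short file only yields a short keystream, so longer files are recovered only up to that length, which is why researchers ask victims for the largest unencrypted originals they still have.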
Kroustek said researchers who build decryptors use their knowledge of software engineering and cryptography to obtain the ransomware's keys and build decryption tools from there. More advanced encryption may require either brute-force attacks or educated guesses based on the available information. Hackers sometimes create keys with pseudo-random number generators. A true random number generator is genuinely random, which means its output cannot be predicted. As van der Wiel explained, a pseudo-RNG only appears random; in fact it follows a deterministic pattern derived from a starting value, or seed. That seed might, for example, be the time at which the key was created. If researchers know roughly when that was, they can try different time values until they reproduce the key.
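The time-seeded key search described above, as an added worked example; this is illustrative code written for this page, not code from the article or from any vendor's decryptor. The key derivation (a PRNG seeded with a Unix timestamp) and the repeating-key XOR cipher are constructed stand-ins for what a real sample would reveal under reverse engineering, and the "known header" trick relies on file formats, such as PNG, whose first bytes are fixed.

```python
"""Brute-forcing a time-seeded key (illustrative example added to this page).
The key schedule and cipher below are assumed stand-ins; in a real case they
come from reverse engineering the executable, as the article explains."""
import random
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # every PNG file starts with these 8 bytes


def derive_key(seed: int, nbytes: int = 16) -> bytes:
    """Assumed key schedule: a PRNG seeded with the clock (Unix seconds)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher: repeating-key XOR. Symmetric, so encrypt == decrypt."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def brute_force_seed(ciphertext: bytes, known_prefix: bytes,
                     t_start: int, t_end: int) -> Optional[int]:
    """Try every second in [t_start, t_end) and return the seed whose key
    turns the first len(known_prefix) ciphertext bytes into known_prefix.
    With 8 known bytes and a window of a few thousand seeds, a false match
    is vanishingly unlikely (roughly window / 2**64)."""
    for seed in range(t_start, t_end):
        if xor_crypt(ciphertext[:len(known_prefix)], derive_key(seed)) == known_prefix:
            return seed
    return None


def recover_file(ciphertext: bytes, known_prefix: bytes,
                 t_start: int, t_end: int) -> Optional[bytes]:
    """Full decryption once the seed is known; None if no seed in the window fits."""
    seed = brute_force_seed(ciphertext, known_prefix, t_start, t_end)
    if seed is None:
        return None
    return xor_crypt(ciphertext, derive_key(seed))


# Constructed sample: a tiny "PNG" encrypted at a known-ish time (not real data).
ENCRYPTION_TIME = 1_700_000_000
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + bytes(range(32))
SAMPLE_CIPHERTEXT = xor_crypt(SAMPLE_PNG, derive_key(ENCRYPTION_TIME))

if __name__ == "__main__":
    # Responders know from file timestamps that encryption happened within
    # about an hour of this guess, so only ~7200 seeds need to be tried.
    guess = ENCRYPTION_TIME + 1234
    seed = brute_force_seed(SAMPLE_CIPHERTEXT, PNG_MAGIC, guess - 3600, guess + 3600)
    print("recovered seed:", seed)
    print("decrypted ok:", recover_file(SAMPLE_CIPHERTEXT, PNG_MAGIC,
                                        guess - 3600, guess + 3600) == SAMPLE_PNG)
```

The search window is what makes this feasible: file modification times, event logs, or the ransom note's own timestamp usually bound the encryption time to hours, which is a tiny space compared with the 2^128 keys a properly random 16-byte key would require.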
But getting that key often requires working with law enforcement to learn more about how the hacking group operates. If researchers can obtain the hacker's IP address, they can ask the local police to seize the server and take a memory dump of its contents. Van der Wiel said that if a hacker uses a proxy server to hide their location, police can use network flow data such as NetFlow to determine where the traffic is going, and follow it from there. This works across borders, because police can urgently request images of servers in other countries while the formal request is still being completed.
The server yields information about the hacker's activities, including their targets and the process used to extort ransom money. From it, researchers can learn the steps the hacker took to encrypt the data, details about the encryption key, or files that help reverse engineer the process. Researchers comb through server logs for clues, much as a friend might look into the details of someone's Tinder dates to make sure they are legitimate, searching for the details of malicious patterns that can help. A researcher might, for example, discover part of a plaintext file and compare it to the encrypted version, beginning the process of reverse engineering the key. Or they might find a piece of the pseudo-RNG that starts to explain the encryption pattern.
That is how the Babuk Tortilla ransomware decryption tool came about. This version of the ransomware targeted healthcare, manufacturing, and national infrastructure, encrypting victims' devices and deleting valuable backups. Avast had already created a general-purpose Babuk decryption tool, but the Tortilla strain proved difficult to decrypt. Dutch police and Cisco Talos teamed up to arrest the person behind the strain, and in the process gained access to the Tortilla decryptor.
But often the easiest source of a decryption tool is the ransomware gang itself. Maybe they are retiring, or just feeling generous, but attackers sometimes release their keys. Security experts use those keys to build a decryption tool and publish it for victims to use in the future.
Experts generally cannot share much about the process without handing ransomware groups an advantage. Divulging common mistakes would let hackers fix them in their next ransomware attempt, and if researchers said which encrypted files they were currently working on, the gang behind them would know it was being targeted. But the best way to avoid paying is to be proactive. "If you have a good backup of your data, you're much more likely to avoid having to pay," Clay says.