Hackers are using ransomware to attack every industry, locking victims out of their own files and demanding payment to restore access. It's a lucrative business. In the first six months of 2023, ransomware gangs even though most governments. Increasingly, security professionals are partnering with law enforcement to provide free decryption tools, freeing locked files and eliminating the temptation for victims to pay.
Ransomware decryptors, the researchers who build these tools, rely on three main approaches: reverse engineering the malware to find implementation errors, working with law enforcement, and collecting encryption keys that become publicly available. How long the process takes depends on the complexity of the code, but it generally requires the encrypted files, unencrypted copies of some of those files, and information from the group's servers. “Just having the encrypted output file is usually not enough. You need the sample itself, the executable file,” said Jakub Kroustek, director of malware research at antivirus company Avast. It's not easy, but it pays dividends for affected victims when it works.
First, we need to understand how encryption works. As a very basic example, suppose a piece of data started out as a recognizable phrase but reads “J qsfgfs dbut up epht” once encrypted. If we know that one of the enciphered words in “J qsfgfs dbut up epht” is supposed to be “cats”, we can begin to work out what transformation was applied to the original text to produce the encrypted result. In this case it's just the standard English alphabet with each letter moved forward one place: A becomes B, B becomes C, and “I prefer cats to dogs” becomes the string of nonsense above. Having a piece of the original text and the matching encrypted text is what cryptographers call a known-plaintext attack. The encryption used by ransomware gangs is far more complex, but the principle remains the same: the secret that selects the exact transformation is the “key” (here, a shift of one), and by deducing the key, researchers can build a tool that decrypts the files.
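The known-plaintext idea behind the Caesar example, as an added worked example that is not part of the original article: because the key space is only 26 shifts, try each one and keep the shift under which the known word (the “crib”) appears. It generalizes the article's shift of one to any shift; the cipher, function names and sample strings are toy constructions for illustration.

```python
import string
from typing import Optional, Tuple


def shift_text(text: str, shift: int) -> str:
    """Caesar-shift every letter by `shift` places (mod 26), keeping case and
    leaving spaces and punctuation untouched. A negative shift decrypts."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def recover_shift(ciphertext: str, crib: str) -> Optional[int]:
    """Known-plaintext attack: the key space is only 26 shifts, so try each one
    and return the first under which `crib` appears as a whole word."""
    for shift in range(26):
        if crib in shift_text(ciphertext, -shift).split():
            return shift
    return None


def decrypt_with_crib(ciphertext: str, crib: str) -> Tuple[int, str]:
    """Recover the key from the crib, then decrypt the whole message with it."""
    shift = recover_shift(ciphertext, crib)
    if shift is None:
        raise ValueError("no shift turns the ciphertext into text containing the crib")
    return shift, shift_text(ciphertext, -shift)


if __name__ == "__main__":
    # The article's own example: "cats" is known to be one of the words.
    key, plaintext = decrypt_with_crib("J qsfgfs dbut up epht", "cats")
    print(f"shift={key}: {plaintext}")
```

The same loop structure (enumerate candidate keys, check each against a known fragment) is what the later sections describe for real ransomware, only with a much larger candidate space.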
Some forms of encryption, such as the Advanced Encryption Standard with 128-, 192-, or 256-bit keys, are virtually unbreakable. At its strongest setting, unencrypted “plaintext” data is divided into 128-bit “blocks,” each of which is put through 14 rounds of transformation before being output in its encrypted form, the “ciphertext.” “We don't yet have the quantum computing technology that can break encryption technology,” said Jon Clay, vice president of threat intelligence at security software company Trend Micro. Even correctly implemented AES, though, protects files only as well as the key is protected, so the weaknesses researchers find are typically in how a key is generated, stored or transmitted rather than in the cipher itself. And luckily for victims, hackers don't always use strong methods like AES to encrypt files.
Even though some cryptographic systems are virtually unbreakable, they still have to be implemented correctly, and inexperienced hackers will likely make mistakes. If hackers do not apply a standard system like AES and instead choose to create their own, researchers can look for errors. Why would they do that? Mostly ego. “They want to do something themselves because they like it or because they think it's better for speed reasons,” said Jornt van der Wiel, a cybersecurity researcher at Kaspersky.
For example, this is how Kaspersky decrypted the Yanluowang ransomware strain. It was a targeted strain aimed at specific businesses, with a victim list that is not publicly known. Yanluowang used the Sosemanuk stream cipher to encrypt the data: a freely available cipher that encrypts the plaintext piece by piece by combining it with a generated keystream. It then encrypted the cipher key with RSA, another standard algorithm. But there was a flaw in the implementation. The researchers were able to compare plaintext with its encrypted version, as explained above, and reverse engineer a decryption tool. In fact, there are tons of them who have .
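What a known-plaintext attack looks like against a stream cipher, as an added example that is neither Kaspersky's tool nor a description of Yanluowang's actual bug: in any stream cipher, plaintext XOR ciphertext equals the keystream, so one file the victim still has in the clear yields the keystream, and if the malware reused that keystream across files (a hypothetical flaw assumed here), every other file is recoverable up to the length of the known one. The keystream generator is a SHA-256 counter-mode stand-in, not Sosemanuk, and the file contents are constructed.

```python
import hashlib
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream generator (SHA-256 in counter mode). It is not
    Sosemanuk; the attack below works against any stream cipher whose
    keystream is reused, regardless of how that keystream is produced."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_reused_keystream(key: bytes, plaintext: bytes) -> bytes:
    """Hypothetical flaw: a fixed nonce, so every file is XORed with the same
    keystream. Illustrative only; not a claim about any real strain's bug."""
    return xor_bytes(plaintext, toy_keystream(key, b"\x00" * 8, len(plaintext)))


def encrypt_fresh_keystream(key: bytes, plaintext: bytes) -> bytes:
    """Correct use: a random per-file nonce, stored in front of the ciphertext."""
    nonce = os.urandom(8)
    return nonce + xor_bytes(plaintext, toy_keystream(key, nonce, len(plaintext)))


def recover_keystream(known_plaintext: bytes, its_ciphertext: bytes) -> bytes:
    """Known-plaintext step: plaintext XOR ciphertext is exactly the keystream,
    and no knowledge of the key is needed to compute it."""
    return xor_bytes(known_plaintext, its_ciphertext)


def decrypt_with_keystream(keystream: bytes, ciphertext: bytes) -> bytes:
    """Decrypt as many bytes of another file as the recovered keystream covers."""
    n = min(len(keystream), len(ciphertext))
    return xor_bytes(keystream[:n], ciphertext[:n])


# Constructed sample data: one file the victim still has an unencrypted copy of
# (a stock document template) and one that now exists only in encrypted form.
KNOWN_PLAINTEXT = b"<?xml version=\"1.0\" encoding=\"UTF-8\"?><document><title>Template</title></document>"
VICTIM_PLAINTEXT = b"Invoice 2023-Q1: total 41820.00 EUR, wire to account 0042"
ATTACKER_KEY = hashlib.sha256(b"only the attacker knows this").digest()


def demo_reused() -> bytes:
    """Keystream reuse: the victim file is recovered without the key."""
    ct_known = encrypt_reused_keystream(ATTACKER_KEY, KNOWN_PLAINTEXT)
    ct_victim = encrypt_reused_keystream(ATTACKER_KEY, VICTIM_PLAINTEXT)
    keystream = recover_keystream(KNOWN_PLAINTEXT, ct_known)
    return decrypt_with_keystream(keystream, ct_victim)


def demo_fresh() -> bytes:
    """Same attack against the corrected scheme: the recovered keystream belongs
    to a different nonce, so the output is garbage of the same length."""
    ct_known = encrypt_fresh_keystream(ATTACKER_KEY, KNOWN_PLAINTEXT)
    ct_victim = encrypt_fresh_keystream(ATTACKER_KEY, VICTIM_PLAINTEXT)
    keystream = recover_keystream(KNOWN_PLAINTEXT, ct_known[8:])
    return decrypt_with_keystream(keystream, ct_victim[8:])


if __name__ == "__main__":
    print(demo_reused())
    print(demo_fresh())
```

The recovered keystream is only as long as the known file, which is why analysts look for the largest clean copy they can find; the per-file-nonce variant shows that the attack depends on the reuse, not on the strength of the generator.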
Ransomware decryptors use their knowledge of software engineering and cryptography to obtain the ransomware's key and, from there, build a decryption tool, according to Kroustek. More advanced cryptographic schemes may require either brute forcing or educated guesses based on the available information. Sometimes hackers use a pseudo-random number generator to create the key. A true random number generator produces output that cannot be predicted. A pseudo-RNG, as van der Wiel explains, follows a deterministic pattern that only looks random; the pattern can be derived from the time the key was created, for example. If researchers know part of it, such as roughly when the files were encrypted, they can try different time values until they reproduce the key.
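The time-seeded pseudo-RNG weakness, as an added worked example (not from the article or from any named strain): a hypothetical ransomware derives its keystream from a general-purpose PRNG seeded with the encryption timestamp. An analyst who knows the file's modification time and the format of its first bytes (a PNG header here) can try every second in a window and stop at the seed that turns the header back into the expected value. The key schedule, timestamps and file contents are constructed for illustration.

```python
import random
from typing import Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_from_seed(seed: int, length: int) -> bytes:
    """Hypothetical key schedule: Python's Mersenne Twister seeded with the
    encryption time. Anyone who guesses the seed reproduces the keystream."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def ransomware_encrypt(plaintext: bytes, encryption_time: int) -> bytes:
    """The flawed ransomware: the keystream depends only on the timestamp."""
    return xor_bytes(plaintext, keystream_from_seed(encryption_time, len(plaintext)))


def recover_seed(ciphertext: bytes, known_prefix: bytes,
                 window_start: int, window_end: int) -> Optional[int]:
    """Brute force every candidate timestamp in the window. The right seed is
    the one whose keystream turns the first bytes of the ciphertext back into
    the known file header; wrong seeds produce unrelated bytes."""
    for seed in range(window_start, window_end + 1):
        keystream = keystream_from_seed(seed, len(known_prefix))
        if xor_bytes(ciphertext[:len(known_prefix)], keystream) == known_prefix:
            return seed
    return None


def recover_file(ciphertext: bytes, seed: int) -> bytes:
    """Once the seed is known, the full keystream, and so the file, follows."""
    return xor_bytes(ciphertext, keystream_from_seed(seed, len(ciphertext)))


# Constructed sample: a small PNG-like file and a fixed "time of encryption".
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ORIGINAL = PNG_MAGIC + bytes(range(64))
TRUE_ENCRYPTION_TIME = 1_688_200_000  # an arbitrary epoch second in mid-2023
CIPHERTEXT = ransomware_encrypt(ORIGINAL, TRUE_ENCRYPTION_TIME)


def demo() -> Optional[int]:
    """The encrypted file's modification time tells the analyst roughly when
    encryption happened; every second of the preceding hour is a candidate."""
    last_modified = TRUE_ENCRYPTION_TIME + 37  # filesystem mtime, seconds later
    return recover_seed(CIPHERTEXT, PNG_MAGIC, last_modified - 3600, last_modified)


if __name__ == "__main__":
    seed = demo()
    print("seed:", seed, "file recovered:", recover_file(CIPHERTEXT, seed) == ORIGINAL)
```

Eight known header bytes give 64 bits of check, so a false match inside a window of a few thousand seeds is not a practical concern; a wider window (days rather than an hour) is still only millions of candidates, which is what makes this class of flaw so cheap to exploit.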
But getting that key often requires working with law enforcement to learn more about how the group operates. If researchers can obtain the hackers' IP address, they can ask local police to seize the servers and take a memory dump of their contents. Or, if the hackers used a proxy server to hide their location, police can use network flow data such as NetFlow records to determine where the traffic is going and obtain the information from there, according to van der Wiel. This also works across international borders, because police can urgently request an image of a server in another country while the formal request is still being processed.
The server provides information about the hackers' activities, such as whom they might target or how they extort a ransom. This can tell ransomware decryptors the process the hackers follow to encrypt data, details about the encryption key, or give them access to files that help them reverse engineer the process. Researchers go through server logs for details the same way you might help a friend check out their Tinder date to make sure it's legit, looking for clues or patterns that reveal true intentions. Researchers may, for example, discover part of a plaintext file to compare with its encrypted counterpart and begin reverse engineering the key, or they may find parts of the pseudo-RNG that start to explain the encryption scheme.
Working with law enforcement is also how researchers were able to create a decryption tool for Babuk Tortilla ransomware. This variant targeted healthcare, manufacturing, and national infrastructure, encrypting victims' devices and deleting valuable backups. Avast had already created a generic Babuk decryptor, but the Tortilla strain proved difficult to decrypt. Dutch police and Cisco Talos worked together to apprehend the person behind the strain and gained access to the Tortilla decryptor.
But often the easiest way to obtain these decryption tools is from the ransomware gangs themselves. Maybe they're retiring or just feeling generous, but attackers will sometimes release their keys. Security experts can then use the keys to create a decryption tool and publish it for victims to use in the future.
In general, experts can't say much about the process without giving ransomware gangs a helping hand. If they disclose common errors, hackers can use them to improve their next ransomware attempts. If researchers say which encrypted files they are currently working on, the gangs will know they are being tracked. But the best way to avoid paying is to be proactive. “If you've done a good job backing up your data, you have a much better chance of not having to pay,” Clay said.