Ransomware is a tool hackers use to target any industry: they demand a high fee in exchange for restoring access to the victim’s files, and it is a profitable line of work. Although most governments advise against paying ransoms, ransomware criminals took $449 million from their victims in the first half of 2023. Security experts and law enforcement are collaborating more often to offer free decryption tools, which release the locked material and remove the need for victims to pay up.
Ransomware decryptors are built in three main ways: by collecting encryption keys that have been made public, by collaborating with law enforcement, and by reverse engineering mistakes in the malware. How long the process takes depends on the complexity of the code, and it often requires samples of the encrypted and unencrypted files as well as details about the gang’s servers. Having only the encrypted file to work from is usually not enough: the executable file, or sample, is required, according to Jakub Kroustek, director of malware research at antivirus company Avast. When it does work, it isn’t simple, but it benefits the victims who are affected.
We must first understand how encryption works. As a very simple example, suppose some data was originally an intelligible sentence and after encryption reads “J qsfgfs dbut up epht”. If we know that “cats” is one of the unencrypted words in “J qsfgfs dbut up epht,” we can begin working out the pattern that was applied to the original text to produce the encrypted result. In this case each letter was simply moved forward one position in the English alphabet: A becomes B, B becomes C, and the phrase “I prefer cats to dogs” becomes the gibberish above. The idea is the same, but the encryption utilised by ransomware gangs is far more complicated. Once researchers work out the encryption pattern, commonly referred to as the “key,” they can develop a method to decode the files.
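The shift-cipher walkthrough above, carried out in code as an added example that is not part of the original article. It generalises the one-position shift in the text to any of the 26 possible shifts: given one known word and the encrypted message, it finds the shift that explains the word and undoes it across the whole message. The function names and the "strip punctuation" handling are this example's own choices.

```python
# Added example: recovering a Caesar-style shift from a known plaintext word.
# Not code from the article; the helper names are this example's own.
import string
from typing import Optional

ALPHABET = string.ascii_lowercase


def shift_text(text: str, shift: int) -> str:
    """Move every letter `shift` positions along the alphabet (wrapping at Z).
    Case is preserved and non-letters pass through unchanged. A negative
    shift undoes a positive one, so this is both encrypt and decrypt."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def recover_shift(known_plain: str, known_cipher: str) -> Optional[int]:
    """Try all 26 shifts and return the one that maps the known word onto its
    encrypted form. None means no shift explains the pair, which tells the
    analyst the scheme is not a plain shift cipher at all."""
    if len(known_plain) != len(known_cipher):
        return None
    for shift in range(26):
        if shift_text(known_plain, shift) == known_cipher:
            return shift
    return None


def decrypt_with_known_word(ciphertext: str, known_plain: str) -> Optional[str]:
    """Known-plaintext recovery: the analyst knows `known_plain` appears
    somewhere in the message. Each ciphertext word is tested as its
    encrypted form; the first match fixes the shift for the whole text."""
    for cipher_word in ciphertext.split():
        shift = recover_shift(known_plain, cipher_word.strip(",.;:!?"))
        if shift is not None:
            return shift_text(ciphertext, -shift)
    return None


if __name__ == "__main__":
    # The article's own pair: "I prefer cats to dogs" shifted by one.
    message = "J qsfgfs dbut up epht"
    print(decrypt_with_known_word(message, "cats"))
```

The same loop over candidate keys is, in miniature, what a decryptor does against a weak custom cipher: a small key space plus one known plaintext is enough to pin the key down without any cryptanalysis beyond trial and comparison.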
Certain encryption techniques, such as the 128-, 192-, or 256-bit Advanced Encryption Standard, are essentially unbreakable. At the highest level, unencrypted data is separated into sections known as “blocks” and sent through 14 stages of alteration before being output in an encrypted form known as “ciphertext.” Jon Clay, vice president of threat intelligence at security software provider Trend Micro, said: “We don’t have the quantum computing technology that can break encryption technology yet.” Fortunately for victims, hackers don’t always encrypt files using strong techniques like AES.
Even though certain cryptographic algorithms are practically impenetrable, implementing them correctly is a demanding discipline, and inexperienced hackers will probably make blunders. If the hackers choose to create their own scheme instead of using a standard method like AES, researchers can hunt for those mistakes. Why would they do this? Mostly ego. According to Jornt van der Wiel, a cybersecurity expert at Kaspersky, “they want to do something themselves because they like it or they think it’s better for speed purposes.”
Take Kaspersky’s decryption of the Yanluowang ransomware strain, for instance. It was a strain with a documented list of victims that specifically targeted certain companies. Yanluowang encrypts data using the Sosemanuk stream cypher, a freely available algorithm that encrypts the plaintext file one character at a time. It then uses the RSA algorithm, a different kind of encryption standard, to encrypt the key. However, there was a mistake in the design. As described above, by comparing the plaintext to the encrypted version the researchers were able to reverse engineer a decryption tool that is now freely available. The No More Ransom project has already broken a tonne of them this way.
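As an added illustration (not the article’s or Kaspersky’s code, and not a description of the actual Yanluowang flaw), here is why “comparing the plaintext to the encrypted version” works against a stream cipher whose keystream is reused across files. The keystream generator below is a toy built from SHA-256 in counter mode, standing in for a real stream cipher such as Sosemanuk; the per-victim key, file contents and the assumption that every file is encrypted from offset zero with the same keystream are all constructed for the example. The design lesson is that the XOR structure alone, not the strength of the generator, decides whether one recovered file unlocks the rest.

```python
# Added example: known-plaintext keystream recovery against a stream cipher
# that reuses one keystream for every file. Toy generator, not Sosemanuk.
import hashlib
from typing import Tuple


def toy_keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over (key || counter). Deterministic for a
    given key, which is exactly the property that makes reuse dangerous."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stream cipher core: ciphertext = plaintext XOR keystream."""
    ks = toy_keystream(key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known plaintext: XORing a file with its encrypted copy cancels the
    data and leaves the keystream for every position both files cover."""
    n = min(len(plaintext), len(ciphertext))
    return bytes(p ^ c for p, c in zip(plaintext[:n], ciphertext[:n]))


def decrypt_with_keystream(keystream: bytes, ciphertext: bytes) -> Tuple[bytes, int]:
    """Apply a recovered keystream to another file. Only the prefix the
    keystream covers can be restored; the count of bytes left encrypted is
    returned so a decryptor can report partial recovery honestly."""
    n = min(len(keystream), len(ciphertext))
    recovered = bytes(c ^ k for c, k in zip(ciphertext[:n], keystream[:n]))
    return recovered, len(ciphertext) - n


# Constructed scenario: one keystream per victim, every file encrypted from
# offset zero. The victim still has an unencrypted copy of one document.
VICTIM_KEY = b"constructed-per-victim-key"
KNOWN_PLAIN = b"Quarterly report: revenue up 4%, costs flat. Attachment follows.\n" * 2
OTHER_FILE = b"Payroll export, do not distribute outside HR." + b"\x00" * 200


def demo() -> Tuple[bytes, int]:
    """Recover the keystream from the known document and use it on a second,
    longer file. Returns (recovered prefix, bytes still encrypted)."""
    known_cipher = stream_encrypt(VICTIM_KEY, KNOWN_PLAIN)
    other_cipher = stream_encrypt(VICTIM_KEY, OTHER_FILE)
    ks = recover_keystream(KNOWN_PLAIN, known_cipher)
    return decrypt_with_keystream(ks, other_cipher)


if __name__ == "__main__":
    prefix, remaining = demo()
    print(prefix[:45].decode(), "...", remaining, "bytes not covered")
```

The partial-recovery path matters in practice: the recovered keystream is only as long as the known file, so a decryptor built this way restores the beginning of every other file and must say so rather than silently emit garbage for the tail.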
According to Kroustek, those skilled in software engineering and cryptography can extract the ransomware key and utilise it to build a decryption tool. More complex cryptographic procedures may call for either educated guesswork based on the information at hand or brute forcing. Hackers occasionally generate the key using a pseudo-random number generator. A true RNG is, by definition, random and therefore not predictable. According to van der Wiel, a pseudo-RNG may depend on a fixed pattern to appear random when it isn’t; the pattern may be determined by the time the key was generated, for instance. If researchers know part of that, they can experiment with different time values until they figure out the key.
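Added example (not the article’s code) of the “experiment with different time values” approach: a key derived from a pseudo-RNG seeded with the encryption time is recovered by trying every second in a plausible window and checking each candidate key against bytes the file is known to start with. The weak key derivation (Python’s Mersenne Twister seeded with a Unix timestamp), the repeating-key XOR that stands in for the cipher, the PDF magic header and the timestamps are all constructed for the example.

```python
# Added example: recovering a time-seeded PRNG key by searching the seed
# window and validating against a known file header. Constructed scenario.
import random
from typing import Optional, Tuple


def key_from_seed(seed: int, length: int = 16) -> bytes:
    """Constructed weak derivation: seed a deterministic PRNG with a Unix
    timestamp and draw the key bytes from it. Any PRNG seeded from the
    clock has the same problem: the seed space is the time window."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_encrypt(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR, standing in for whatever cipher consumes the key.
    XOR is its own inverse, so the same call decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_header: bytes,
                window_start: int, window_end: int) -> Optional[Tuple[int, bytes]]:
    """Walk the time window one second at a time. The first seed whose key
    turns the ciphertext prefix back into the known header is reported;
    None means the key was not generated inside that window."""
    probe = ciphertext[:len(known_header)]
    for seed in range(window_start, window_end + 1):
        key = key_from_seed(seed)
        if xor_encrypt(key, probe) == known_header:
            return seed, key
    return None


# Constructed incident: a PDF (known "%PDF-" magic bytes) was encrypted at
# some second inside a one-hour window that log timestamps narrow down.
WINDOW_START = 1_700_000_000
WINDOW_END = WINDOW_START + 3600
ENCRYPTED_AT = WINDOW_START + 1234          # unknown to the analyst
PLAINTEXT = b"%PDF-1.7\n%constructed sample document body\n"


def demo() -> Optional[int]:
    """Encrypt the sample with the time-derived key, then recover the seed
    knowing only the ciphertext, the header and the window."""
    ciphertext = xor_encrypt(key_from_seed(ENCRYPTED_AT), PLAINTEXT)
    found = recover_key(ciphertext, b"%PDF-", WINDOW_START, WINDOW_END)
    return None if found is None else found[0]


if __name__ == "__main__":
    print("recovered seed:", demo())
```

A five-byte header against a 16-byte key leaves a false-match chance of about 2^-40 per candidate, so over a few thousand seeds a match is conclusive; with a shorter or more common header the decryptor should confirm the candidate on a second file before trusting it.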
However, obtaining that key frequently requires collaborating with law enforcement to learn more about how the hacker gangs operate. If researchers are able to obtain the hacker’s IP address, they can ask the local authorities to seize the servers and obtain a memory dump of their data. Alternatively, according to van der Wiel, if hackers have hidden their location behind a proxy server, police may utilise traffic analysers like NetFlow to find out where the data goes and obtain the information from there. Across international borders this is made possible by the Budapest Convention on Cybercrime, which permits law enforcement to immediately request a snapshot of a server located in another nation while the official request is processed.
The server offers details on the hacker’s activity, such as potential targets and the steps they take to demand a ransom. This can give ransomware decryptors information on how the hackers encrypted the data, the encryption key itself, or access to files that will enable them to reverse engineer the process. As they go through the server logs, researchers hunt for hints or details about malicious behaviour that help suss out the real intent, much like you might help a friend check up on their Tinder date to make sure they’re legit. For example, researchers might identify a portion of the encrypted file to compare against the plaintext file in order to start deciphering the key, or they might find a portion of the pseudo-RNG that begins to explain the encryption pattern.
Cisco Talos developed a decryptor for the Babuk Tortilla ransomware in collaboration with law enforcement. This variant encrypted victims’ machines and erased important backups, focusing on the manufacturing, healthcare, and national infrastructure sectors. Although Avast had already developed a general Babuk decryptor, the Tortilla strain was harder to break. Together, the Dutch Police and Cisco Talos managed to apprehend the individual responsible for the strain and obtained access to the Tortilla decryptor.
Nevertheless, the simplest route to one of these decryption tools frequently comes from the ransomware groups themselves. Attackers occasionally make their encryption key publicly available, perhaps because they are retiring or simply feeling generous. Security professionals can then utilise the key to create a decryption tool that is made available to victims from that point on.
Experts typically can’t divulge too much about the procedure without handing ransomware gangs an advantage. If they reveal typical blunders, hackers could readily utilise that information to improve their next ransomware campaign, and if researchers reveal which encrypted files they are currently working on, they can tip the gangs off to their presence. The best way to avoid having to pay, however, is to be proactive. “You have a much higher chance of not having to pay if you’ve done a good job of backing up your data,” Clay added.