Lepide Blog: A Guide to IT Security, Compliance and IT Operations

Common Ransomware Encryption Techniques

Ransomware Encryption Algorithms

Encryption plays a ubiquitous role in data protection. Although frequently used in conjunction with techniques such as hashing and obfuscation, which help to make the data unreadable, encryption secures data through cryptography that requires a key to reverse the process. Ransomware uses encryption to hold data hostage until the victim pays a ransom – typically demanded in Bitcoin via a hidden Tor server. However, not all ransomware is unencryptable. With some older ransomware strains, the decryption keys are embedded in the source code, which can be extracted and used to unlock the files. Newer strains of ransomware, however, use the latest encryption techniques to evade detection and make it impossible to decrypt without the key, which in turn has lead to exorbitant ransoms.

What Happens During Ransomware Encryption?

Encryption is a vital security feature of operating systems. In theory, ransomware could exploit your operating system’s native encryption functionality, using a private key only known by the attackers to encrypt files. However, various existing tools have the capability to reverse this process. Modern ransomware, like WannaCry, use hybrid techniques that merge symmetric and asymmetric encryption. Symmetric ciphers, such as AES, rapidly encrypt files without needing an internet connection, but the public key of a command and control server concealed on the dark web is embedded in the ransomware’s executable. This public key encrypts the symmetric keys using the RSA algorithm, generating new RSA key-pairs each time a machine becomes infected. Despite its efficiency, researchers have been able to locate the prime numbers used to generate the RSA key-pair in the memory of some infected computers that were not powered down.

What is Intermittent Encryption?

Some strains of ransomware, such as Lockfile, use a technique that involves encrypting every 16 bytes of a file to avoid detection from ransomware protection solutions. This encryption method does not rely heavily on input/output (I/O) disk operations and does not engage with a command and control server, making detection difficult. This allows for the encryption of files without internet access. While this encryption approach results in only partially readable text documents, hackers are not concerned as their goal is to evade the static analysis typically used by ransomware protection software.

Common Ransomware Encryption Techniques

Ransomware uses a variety of common techniques for both encryption and decryption, which are explained below.

1. Symmetric encryption

Some older strains of ransomware use only AES encryption, which is a type of symmetric encryption algorithm that can quickly encrypt large files. Once the ransom is paid, the decryptor uses the keys on stored on disk to decrypt the files. However, this simplistic approach allows researchers to easily identify the unencrypted keys used to encrypt files, creating an opportunity to develop a tool to decrypt them.

2. Client asymmetric encryption

Using this approach, the ransomware will create a pair of RSA keys, encrypt all files using the public key, and transmit the private key to a server for safekeeping. However, this type of encryption is slow and may take a long time to encrypt larger files. Additionally, the infected computer must be connected to the internet and the server must be online for the private key to be securely stored. If either party is not connected, it may either cease operation or encrypt all files using the public key, making decryption impossible. Alternatively, it may temporarily store the private key on disk, which is not a desirable solution.

3. Server asymmetric encryption

With this technique, the server generates a key pair, with the public key hardcoded into the ransomware program. Each file is encrypted with the server’s public key, and only the server’s private key can decrypt them. However, this approach may enable researchers to obtain the private key and spread it to all affected individuals. Consequently, if one person pays the ransom, all victims can theoretically recover their files.

4. Server and client asymmetric encryption + symmetric encryption

Hybrid encryption, which uses both symmetric and asymmetric encryption, is used by most modern ransomware strains. The ransomware program and server generate their own RSA key pairs, with the client keys labeled Cpub.key and Cpriv.key, and server keys labeled Spub.key and Spriv.key. The ransomware generates Cpub.key and Cpriv.key during each infection and encrypts Cpriv.key with Spub.key. AES is used to encrypt files, with all AES keys encrypted with Cpub.key. This method does not require an internet connection during encryption, only during decryption.

Ransomware attacks are becoming more frequent and sophisticated, and the impact on a business can be catastrophic. Companies need to take proactive measures to protect themselves against ransomware by implementing comprehensive security protocols and educating employees on cyber security best practices. They will also need to implement multiple security solutions that include firewalls, antivirus and anti-malware software, and real-time threat detection solutions. Companies should regularly back up their data and keep copies offline in secure locations to ensure that they can quickly recover from an attack. Additionally, it is important to conduct regular vulnerability assessments and penetration testing to identify and mitigate potential security risks. By taking these steps, companies can reduce the risk of ransomware attacks and ensure that they can continue to operate even in the event of an attack.

If you’d like to see how the Lepide Data Security Platform can help you detect and respond to ransomware attacks, schedule a demo with one of our engineers.