Hackers use ransomware to attack every industry, locking victims out of their own files. It is a lucrative business. In the first six months of 2023, ransomware gangs, although most govt. Increasingly, security professionals are joining forces with law enforcement to provide free decryption tools, unlocking encrypted files and removing the victims’ temptation to pay.
There are a few main ways ransomware decryptors build their tools: reverse engineering the malware to find errors, working with authorities, and collecting publicly available encryption keys. How long the process takes depends on the complexity of the code, but it typically requires information about the encrypted files, unencrypted versions of the same files, and server information from the hacking group. “Simply having the output file encrypted is usually useless. You need the sample itself, the executable file,” said Jakub Kroustek, director of malware research at antivirus company Avast. It is not easy, but when it works, it pays dividends for the affected victims.
First, we need to understand how encryption works. For a very basic example, let’s say a piece of data might have started out as a recognizable sentence, but appears as “J qsfgfs dbut up epht” once encrypted. If we know that one of the unencrypted words in “J qsfgfs dbut up epht” is supposed to be “cats”, we can begin to determine what pattern was applied to the original text to obtain the encrypted result. In this case, it’s just the standard English alphabet with each letter moved up one place: A becomes B, B becomes C, and “I prefer cats to dogs” becomes the string of nonsense above. It is much more complex for the types of encryption used by ransomware gangs, but the principle remains the same. The encryption pattern is also known as a “key” and by deducing the key, researchers can create a tool that can decrypt the files.
Some forms of encryption, such as the 128-, 192-, or 256-bit Advanced Encryption Standard (AES), are virtually unbreakable. At its strongest level, unencrypted “plaintext” data bits, broken into fragments called “blocks,” undergo 14 rounds of transformation and emerge in their encrypted form (or “ciphertext”). “We don’t yet have quantum computing technology that can break encryption technology,” said Jon Clay, vice president of threat intelligence at security software company Trend Micro. But fortunately for victims, hackers don’t always use strong methods like AES to encrypt files.
While some cryptographic schemes are virtually impossible to crack, inexperienced hackers are likely to make mistakes. If hackers don’t apply a standard scheme, such as AES, and opt to create their own, researchers can look for bugs. Why would they do this? Mainly ego. “They want to do something themselves because they like it or think it’s better for speed reasons,” said Jornt van der Wiel, a cybersecurity researcher at Kaspersky.
For example, this is how Kaspersky cracked the Yanluowang ransomware strain. It was a strain targeting specific companies, with an unknown list of victims. Yanluowang used the Sosemanuk stream cipher to encrypt data: a free-to-use process that encrypts the plaintext file one digit at a time. The ransomware then encrypted the key using an RSA algorithm, another type of encryption standard. But there was an error in the pattern. The researchers were able to compare the plaintext with the encrypted version, as explained above, and reverse engineer a decryption tool. In fact, there are tons that have it.
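The two passages above describe the same principle at two levels: deduce the key by comparing known plaintext with its ciphertext. The following is an added example, not code from the article or from Kaspersky. The first part recovers the shift from the article’s own Caesar-cipher sentence given the known word “cats”; the second part applies the identical idea to a constructed toy XOR stream cipher whose keystream is reused across files, which is a generic stream-cipher mistake and not a claim about how Sosemanuk or Yanluowang specifically failed. All file contents and the keystream are constructed sample data.

```python
import hashlib
import string

# ---- Part 1: the article's Caesar example ------------------------------------

def caesar_shift(text: str, shift: int) -> str:
    """Shift every letter by `shift` places (negative shift decrypts)."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)  # spaces and punctuation are left untouched
    return "".join(out)


def recover_shift(ciphertext: str, known_word: str):
    """Known-plaintext attack on a shift cipher: try all 26 keys and keep the
    one under which the known word appears in the decrypted text."""
    for shift in range(26):
        candidate = caesar_shift(ciphertext, -shift)
        if known_word in candidate.lower().split():
            return shift
    return None


# ---- Part 2: the same idea against a stream cipher with a reused keystream ----

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_stream_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """Core step of any stream cipher: ciphertext = plaintext XOR keystream.
    The weakness modelled here is that the SAME keystream is used for every file."""
    if len(plaintext) > len(keystream):
        raise ValueError("keystream too short for this plaintext")
    return xor_bytes(plaintext, keystream)


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Because XOR is its own inverse, plaintext XOR ciphertext gives back the
    keystream bytes that covered that plaintext."""
    return xor_bytes(known_plaintext, ciphertext)


def decrypt_other_file(keystream: bytes, ciphertext: bytes) -> bytes:
    """Decrypt a second file with the keystream recovered from the first.
    Only as many bytes as the recovered keystream covers can be decrypted."""
    return xor_bytes(ciphertext, keystream)


def demo_stream_recovery():
    """Constructed scenario: two files encrypted under one reused keystream;
    an unencrypted copy of file A (e.g. from a backup) lets us decrypt file B."""
    # Constructed keystream: deterministic bytes, standing in for cipher output.
    keystream = hashlib.sha256(b"constructed keystream seed").digest() * 2  # 64 bytes
    file_a = b"Quarterly report: revenue up 4%.   "        # we have a plain copy
    file_b = b"Invoice 2291 due on 2023-09-30."            # only ciphertext known
    ct_a = toy_stream_encrypt(file_a, keystream)
    ct_b = toy_stream_encrypt(file_b, keystream)
    recovered = recover_keystream(file_a, ct_a)           # len(file_a) keystream bytes
    return decrypt_other_file(recovered, ct_b)


if __name__ == "__main__":
    shift = recover_shift("J qsfgfs dbut up epht", "cats")
    print("shift =", shift, "->", caesar_shift("J qsfgfs dbut up epht", -shift))
    print(demo_stream_recovery())
```

The stream-cipher half shows why the “need the sample itself” remark matters in practice: a plaintext/ciphertext pair alone yields only as many keystream bytes as the known plaintext is long, and it helps only if the malware reuses that keystream for other files; otherwise the binary must be analysed to see how the keystream was produced.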
Ransomware decryptors use their knowledge of software engineering and cryptography to obtain the ransomware key and, from there, create a decryption tool, according to Kroustek. More advanced cryptographic processes may require brute force or educated guesses based on the available information. Sometimes hackers use a pseudo-random number generator to create the key. A true RNG is genuinely random, which means its output cannot be predicted. A pseudo-RNG, as van der Wiel explains, relies on an existing pattern to appear random when in fact it is not; the pattern could be based on the time the key was created, for example. If researchers know part of that, they can try different time values until they deduce the key.
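To make the time-seeded pseudo-RNG point concrete, here is an added example that is not from the article or from any of the researchers quoted. It builds a deliberately weak toy scheme in which the file key is derived from Python’s Mersenne Twister seeded with a Unix timestamp (a non-cryptographic generator, which is exactly the mistake being illustrated), then recovers the seed by trying every timestamp in a window and checking each candidate key against a known plaintext fragment. The known fragment here is a PDF file header, the kind of partial plaintext a researcher can know without having the original file; the timestamp, window and file bytes are constructed sample values.

```python
import random

KEY_LEN = 16


def derive_key(seed: int) -> bytes:
    """Weak key derivation: a non-cryptographic PRNG seeded with a timestamp.
    Given the same seed, random.Random reproduces the same bytes every time,
    so the whole key depends on guessing one integer."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy cipher: repeating-key XOR (decryption is the same operation)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_seed(ciphertext: bytes, known_prefix: bytes,
                 start_ts: int, end_ts: int):
    """Try every timestamp in [start_ts, end_ts]; the right seed is the one
    whose key turns the start of the ciphertext into the known plaintext."""
    probe = ciphertext[:len(known_prefix)]
    for ts in range(start_ts, end_ts + 1):
        if xor_encrypt(probe, derive_key(ts)) == known_prefix:
            return ts
    return None


def demo_seed_recovery():
    """Constructed scenario: a file was encrypted at some second inside a
    known one-hour window; we know only that it is a PDF."""
    true_seed = 1700000000                      # constructed encryption time
    plaintext = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>"
    ciphertext = xor_encrypt(plaintext, derive_key(true_seed))

    known_prefix = b"%PDF-1.7"                  # file-format header, not the file
    window_start = true_seed - 1800             # researchers know the rough hour
    window_end = true_seed + 1800
    seed = recover_seed(ciphertext, known_prefix, window_start, window_end)
    if seed is None:
        return None
    return seed, xor_encrypt(ciphertext, derive_key(seed))


if __name__ == "__main__":
    result = demo_seed_recovery()
    print("recovered seed:", result[0])
    print("decrypted:", result[1])
```

The search succeeds because a one-hour window is only 3600 candidates; the same approach scales to a window of days if the malware’s timestamp granularity is one second. The defence on the ransomware-writer’s side would be a cryptographically secure random source, which is why only inexperienced authors, as the article notes, tend to leave this opening.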
But getting that key often depends on working with authorities to learn more about how hacking groups operate. If investigators can obtain the hacker’s IP address, they can ask local police to seize the servers and obtain a crash dump of their contents. Or, if the hackers have used a proxy server to hide their location, police can use traffic analyzers such as NetFlow to determine where the traffic is going and obtain the information from there, according to van der Wiel. This works across international borders because it allows police to urgently request an image of a server in another country while they wait for the official request to be processed.
The server provides information about the hacker’s activities, such as who they might target or their process for demanding a ransom. This can tell ransomware decryptors the process the hackers went through to encrypt the data, details about the encryption key, or file access that can help them reverse engineer the process. Investigators comb through server logs for details in the same way you might help a friend dig up details about their Tinder date to make sure they are legitimate, looking for clues or patterns of malicious behavior that reveal the true intentions behind them. Researchers may, for example, discover part of a plaintext file to compare with its encrypted counterpart and begin reverse engineering the key, or find parts of the pseudo-RNG that begin to explain the encryption pattern.
Working with creating a decryption tool for Babuk Tortilla ransomware. This version of the ransomware targeted national, manufacturing, and healthcare infrastructure, encrypting victims’ devices and deleting valuable backups. Avast had already created a generic Babuk decryptor, but the Tortilla variant proved difficult to crack. Dutch police and Cisco Talos worked together to arrest the person behind the strain and, in the process, gained access to the Tortilla decryptor.
But often the easiest way to create these decryption tools comes from the ransomware gangs themselves. Maybe they are retreating or just feeling generous, but sometimes attackers will release their keys. Security experts can then use the key to create a decryption tool and release it for victims to use in the future.
Generally, experts can’t share much about the process without giving ransomware gangs an advantage. If researchers disclosed the common errors they exploit, hackers could use that knowledge to improve their next ransomware attempts. If researchers said which encrypted files they are working on now, the gangs would know they are being pursued. But the best way to avoid paying is to be proactive. “If you’ve done a good job of backing up your data, you have a much better chance of not having to pay,” Clay said.