Does ransomware actually encrypt files?

Ransomware is a type of malware that encrypts files on a victim’s computer and demands a ransom payment in order to decrypt the files. The use of ransomware has skyrocketed in recent years, with attacks on businesses and government agencies holding critical data for ransom. But does ransomware actually encrypt files when it infects a system? Or is it all just smoke and mirrors? Let’s take a closer look at how ransomware works.

What is ransomware?

Ransomware is a form of malware that uses encryption to hold a victim’s data for ransom. It encrypts important files on the infected system so that users can no longer open them, then displays a note demanding payment for the decryption key, usually within a short deadline. If the ransom is not paid in time, the note threatens that the key will be deleted and the files lost for good.

Ransomware attacks hit individuals’ computers, but campaigns increasingly target companies, government agencies and other organizations, where encrypting critical data and systems causes massive operational disruption. Many organizations feel compelled to pay because they have no usable backup or other way to recover the encrypted data.

How does ransomware infect a system?

Ransomware typically relies on various vectors to infect a victim’s computer system:

– Phishing emails carrying malicious attachments or links
– Compromised websites that push drive-by downloads onto visitors’ devices
– Exploit kits that abuse unpatched software vulnerabilities
– Brute-force and credential-stuffing attacks against exposed Remote Desktop Protocol (RDP) services
– Malvertising through malicious ads and pop-ups

Once executed, the ransomware enumerates the files it targets (documents, databases, images and the like, usually skipping the system files needed to boot the machine and display the ransom note), encrypts each one and typically renames it with a new extension. It keeps track of what it has encrypted and, in most families, generates a fresh symmetric key for every file.

Attackers demand payment in cryptocurrency, usually Bitcoin, because wallets are not tied to a verified identity; the transactions themselves are recorded on a public ledger, so this is pseudonymity rather than true anonymity. After payment, victims are supposed to receive a decryption key or a decryptor tool to unlock their files.

Does ransomware use “real” encryption?

Now that we understand what ransomware is and how it works, does it really encrypt files? Or is the encryption a fake front?

Crypto-ransomware versus locker-ransomware

There are two main types of ransomware:

– Crypto-ransomware: This ransomware uses cryptography to encrypt files, restricting access until decryption.

– Locker-ransomware: This type locks users out of their devices or blocks access to files or apps, but does not encrypt files.

Almost all ransomware today is crypto-ransomware. Locker-ransomware is rarely seen anymore because it leaves the files themselves untouched, so it is comparatively easy for analysts to bypass or reverse.

When the cryptography is implemented correctly, the strength of the algorithms is not something the victim can attack: AES and RSA at the key sizes ransomware uses cannot be brute-forced by anyone, whether typical users, companies or government agencies. Recovery without the key then depends entirely on implementation mistakes or on backups.

How crypto-ransomware encryption works

Crypto-ransomware uses hybrid cryptography that involves both symmetric encryption and asymmetric encryption:

– Symmetric encryption uses a single key to both encrypt and decrypt data. Symmetric ciphers are fast enough to process gigabytes of files, so the ransomware generates symmetric keys locally on the infected device, usually one per file, and uses them to encrypt the data.

– Asymmetric encryption uses a public-private key pair. The attackers keep the private key; only the public key is shipped with the malware, embedded in the executable or fetched from a command-and-control server. The ransomware encrypts each locally generated symmetric key with that public key and then wipes the plaintext copy.

The result is that nothing on the victim’s machine can decrypt the files: the symmetric keys exist only in wrapped form, and the private key that unwraps them never leaves the attacker until payment. Generating the symmetric keys locally also lets each file be encrypted under its own key.

Here are the technical steps for how the encryption process works:

1. For each file, the ransomware generates a new random symmetric key locally.

2. That key is used with a symmetric cipher such as AES-256 (or a fast stream cipher such as Salsa20 or ChaCha20 in many newer families) to encrypt the file’s contents; the original is overwritten or deleted.

3. The symmetric key is then encrypted with the attacker’s public key using an asymmetric algorithm such as RSA-2048.

4. The wrapped key is stored on the infected device, typically in a header or footer appended to the encrypted file or in a separate key file. The plaintext symmetric key is wiped from memory.

5. The ransom note gives the victim an identifier (and, in some families, the encrypted key material itself) to submit when contacting the attackers, so that the operators can locate or reconstruct the matching private key.

6. Once the ransom is paid, the attacker releases the private key, usually inside a decryptor tool. Most families generate a separate key pair per victim so that one payment cannot unlock anyone else’s files.

7. The decryptor unwraps the per-file symmetric keys and uses them to restore the files.

Correctly implemented, neither layer can be broken in any realistic amount of time, whether by the victim, by researchers or by governments. The split between the two layers is a matter of efficiency: asymmetric encryption is slow and can only encrypt a payload shorter than its own key (a few hundred bytes for RSA-2048), so it is unsuitable for the files themselves, while a symmetric cipher encrypts gigabytes quickly. Wrapping one short symmetric key per file with the public key costs almost nothing.
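The seven steps above as a working model in Go, added here as an illustration and not code from any real ransomware family. It uses AES-256-GCM for the per-file symmetric layer and RSA-2048 with OAEP for key wrapping (concrete choices assumed for the example; families differ), keeps an in-memory map as a stand-in for the victim’s disk, and shows that only the holder of the private key can unwrap a file key. The file names, the ".locked" extension and the file contents are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what the hybrid scheme leaves on disk in place of one original file:
// the ciphertext, its nonce, and the per-file AES key wrapped with the attacker's RSA public key.
type EncryptedFile struct {
	WrappedKey []byte // per-file AES-256 key, RSA-OAEP encrypted
	Nonce      []byte // AES-GCM nonce, unique per file
	Ciphertext []byte // AES-GCM output, authentication tag included
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile performs steps 1 to 4 for one file.
func encryptFile(attackerPub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // step 1: a fresh 256-bit key used for this file only
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil) // step 2: symmetric encryption of the data
	// step 3: wrap the key so that only the holder of the private key can recover it
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // step 4: the plaintext key is wiped
		fileKey[i] = 0
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// encryptAll walks a set of files (an in-memory stand-in for the disk) and replaces each one.
func encryptAll(attackerPub *rsa.PublicKey, files map[string][]byte) (map[string]*EncryptedFile, error) {
	out := make(map[string]*EncryptedFile, len(files))
	for name, data := range files {
		ef, err := encryptFile(attackerPub, data)
		if err != nil {
			return nil, err
		}
		out[name+".locked"] = ef // ".locked" is an assumed extension for the example
	}
	return out, nil
}

// unwrapFileKey is step 6: the one operation that needs the attacker's private key.
func unwrapFileKey(attackerPriv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, attackerPriv, ef.WrappedKey, nil)
}

// decryptFile is step 7. A wrong key fails the GCM tag check instead of yielding garbage.
func decryptFile(fileKey []byte, ef *EncryptedFile) ([]byte, error) {
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	// The attacker generates the key pair offline; only the public half ships in the malware.
	attackerPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// constructed sample data
	victimFiles := map[string][]byte{"report.docx": []byte("Q3 revenue figures"), "customers.csv": []byte("id,name\n1,Alice\n")}
	locked, err := encryptAll(&attackerPriv.PublicKey, victimFiles)
	if err != nil {
		panic(err)
	}
	for name, ef := range locked {
		fmt.Printf("%s: %d bytes ciphertext, %d bytes wrapped key\n", name, len(ef.Ciphertext), len(ef.WrappedKey))
		key, _ := unwrapFileKey(attackerPriv, ef) // impossible without attackerPriv
		plain, _ := decryptFile(key, ef)
		fmt.Printf("  recovered after 'payment': %q\n", plain)
	}
}
```

Run it with `go run`. Note what the victim is left with per file: a ciphertext, a 12-byte nonce and a 256-byte RSA blob. None of that is secret material that could be extracted and reused; the one value that would help, fileKey, was overwritten the moment it was wrapped, and the two wrapped keys differ even though both were produced under the same public key.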

Is the encryption fake?

Based on how crypto-ransomware works, the encryption is not fake; it is the same cryptography that protects online banking and VPN traffic. Implemented correctly it cannot be circumvented at all, which is why the only realistic openings are mistakes in the implementation.

Cybersecurity researchers have sometimes found such mistakes in particular variants: reusing the same key and nonce across files, seeding the key generator from a predictable value such as the current time, leaving the key in memory or on disk after use, or falling back to a hard-coded “offline” key when the command-and-control server cannot be reached. Where a flaw of this kind is found, free decryptors are usually published, which is one reason identifying the exact strain matters.
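An illustration of the key-reuse flaw just mentioned, written for this page in Go and not taken from any real sample. It assumes the flaw takes the form of a counter-mode or stream cipher (AES-CTR here) driven by the same key and nonce for every file, which makes the keystream identical across files; with one file whose plaintext the victim still has, the keystream and then the prefix of every other file fall out by XOR. The file contents are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// flawedEncrypt models the bug: a counter-mode cipher driven by the SAME key and
// nonce for every file, so every file is XORed with the same keystream.
func flawedEncrypt(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, nonce).XORKeyStream(out, plaintext)
	return out, nil
}

// recoverKeystream needs one file whose plaintext the victim still has (a template,
// an installer, a copy sitting in email): ciphertext XOR plaintext = keystream.
func recoverKeystream(knownPlain, knownCipher []byte) ([]byte, error) {
	if len(knownPlain) != len(knownCipher) {
		return nil, errors.New("known plaintext and ciphertext lengths differ")
	}
	ks := make([]byte, len(knownPlain))
	for i := range ks {
		ks[i] = knownPlain[i] ^ knownCipher[i]
	}
	return ks, nil
}

// recoverFile applies the keystream to another file. Only as many bytes as the
// keystream covers come back; the completeness flag tells the analyst whether a
// longer known plaintext is needed.
func recoverFile(keystream, ciphertext []byte) (recovered []byte, complete bool) {
	n := len(ciphertext)
	if len(keystream) < n {
		n = len(keystream)
	}
	recovered = make([]byte, n)
	for i := 0; i < n; i++ {
		recovered[i] = ciphertext[i] ^ keystream[i]
	}
	return recovered, n == len(ciphertext)
}

func main() {
	key := make([]byte, 32)
	nonce := make([]byte, aes.BlockSize)
	rand.Read(key)
	rand.Read(nonce)

	// Constructed victim data: one file whose content is known, one we want back.
	knownPlain := []byte("INVOICE TEMPLATE v2 - Acme Ltd - do not edit this header line")
	secret := []byte("payroll: alice 5200, bob 4800, carol 6100")
	knownCipher, _ := flawedEncrypt(key, nonce, knownPlain)
	secretCipher, _ := flawedEncrypt(key, nonce, secret)

	ks, _ := recoverKeystream(knownPlain, knownCipher)
	got, complete := recoverFile(ks, secretCipher)
	fmt.Printf("reused nonce, recovered (complete=%v): %q\n", complete, got)

	// The same attack against a file encrypted under a unique nonce yields garbage.
	freshNonce := make([]byte, aes.BlockSize)
	rand.Read(freshNonce)
	safeCipher, _ := flawedEncrypt(key, freshNonce, secret)
	got2, _ := recoverFile(ks, safeCipher)
	fmt.Printf("unique nonce, recovered plaintext matches: %v\n", bytes.Equal(got2, secret))
}
```

The recoverable length is bounded by the longest known plaintext, which is why analysts hunt for large files with predictable content rather than small ones. The final lines show that a unique nonce per file closes this hole even when the key is shared, which is how correctly written ransomware behaves.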

Absent such a flaw, files encrypted by ransomware cannot be recovered without the keys. For a victim with no usable backups that leaves paying, and even payment is no guarantee: the decryptor supplied may be slow, buggy or never arrive at all.

Examples of ransomware using real encryption

Some prominent examples of ransomware families that use legitimate hybrid cryptography to encrypt victims’ files include:

WannaCry

The WannaCry outbreak of May 2017 was one of the most damaging cyber events in history, encrypting over 200,000 computers across 150 countries. It spread as a worm, without any user interaction, by using the EternalBlue exploit against an SMBv1 vulnerability. It encrypted files with AES-128 under per-file keys, wrapped those keys with a per-victim RSA-2048 key pair generated on the infected machine, and protected that pair’s private key with the operators’ embedded RSA-2048 master public key. An implementation flaw later gave some victims a way out: on Windows XP and 7 systems that had not been rebooted, the prime factors of the victim key pair could sometimes be recovered from the process’s memory and the private key rebuilt.

Ryuk

Active since August 2018, Ryuk has hit many large organizations, and its operators are estimated to have collected more than $150 million in ransom payments. Ryuk encrypts each file with a separate 256-bit AES key and wraps those keys with a 2048-bit RSA public key embedded in the executable, which is built per victim.

Stop/Djvu

Stop/Djvu is a high-volume family aimed mostly at home users and is not related to REvil. It is spread chiefly through cracked software, key generators and adware bundles on download sites rather than through RDP or vulnerability exploitation. The Djvu variants encrypt files with the Salsa20 stream cipher and protect the Salsa20 key with an RSA-2048 public key. Because the malware falls back to a hard-coded offline key when it cannot reach its command-and-control server, free decryptors can recover files from many such infections.

Sodinokibi

Sodinokibi is the same malware as REvil; the two names are used interchangeably. It emerged in April 2019 as a ransomware-as-a-service operation and, after enumerating the system, encrypts files with Salsa20 under per-file keys. Those keys are protected by Curve25519 key agreement against public keys embedded in the executable, and the encrypted session-key material the operators need to produce a decryptor is stored on the host and included in what the victim submits after payment.

Ransomware         Symmetric algorithm   Asymmetric algorithm
WannaCry           AES-128               RSA-2048
Ryuk               AES-256               RSA-2048
Stop/Djvu          Salsa20               RSA-2048
Sodinokibi/REvil   Salsa20               Curve25519 (ECDH)

This table summarizes the encryption algorithms used by real ransomware families. In each case a robust symmetric cipher protects the file contents and a robust asymmetric scheme protects the keys, so the files cannot be decrypted without the attacker’s private key.

Mitigating the threat of ransomware

Given that ransomware uses strong encryption algorithms that lock organizations out of their own systems and data, what can be done to prevent and respond to attacks?

Preventing ransomware

Security awareness training, so that staff recognize phishing emails, malicious links and attachments and other entry vectors, is one of the most effective measures against ransomware, because many infections still begin with a user opening something malicious. It is not sufficient on its own: today’s most damaging campaigns are human-operated intrusions that enter through exposed remote-access services, stolen credentials and unpatched internet-facing systems, so awareness has to be paired with technical controls.

Other important prevention best practices include:

– Keeping all software, especially internet-facing systems, up to date with security patches
– Running endpoint protection with behavioural detection, not just signature-based antivirus
– Implementing an email security gateway to filter malicious messages and attachments
– Regularly backing up critical data to offline or immutable storage, and testing that restores actually work
– Putting RDP behind a VPN, requiring multi-factor authentication, and monitoring logon attempts
– Vulnerability scanning to find and patch exploitable weaknesses before attackers do
– Blocking access to known malicious sites

Responding to ransomware

If ransomware evades preventative measures and encrypts systems, organizations should:

– Isolate infected devices from the network immediately; do not power them off unless encryption is still in progress, because memory may hold keys and evidence that a reboot destroys
– Identify the strain (the ransom note, file extension and key files usually suffice) to find out whether a known flaw or public decryptor exists, for example through the No More Ransom project
– Verify that backups are intact and were not reachable by the malware before restoring from them instead of paying
– Engage incident-response professionals for support
– Treat paying the ransom as a last resort if the data is essential: there is no guarantee of a working decryptor, and payment may carry legal or sanctions implications
– Establish how the attackers got in and strengthen defences in that vector before bringing systems back

Conclusion

To summarize, credible crypto-ransomware families like WannaCry, Ryuk and REvil/Sodinokibi use real encryption built on proven cryptographic primitives. The hybrid approach combines asymmetric encryption to protect the keys with symmetric encryption to scramble the files rapidly under separate keys.

This model holds data for ransom in a way that cannot be undone without the attacker’s private key, so for victims without usable backups paying is the only route to their data, and even that is not guaranteed. A multi-layered strategy focused on prevention, detection and response can, however, protect organizations from ransomware outbreaks and limit the business impact. Going forward, expect ransomware groups to keep evolving their tactics, tools and procedures to infect systems and pressure more victims into paying.