What is the encryption type frequently used by ransomware malware?

Ransomware is a type of malware that encrypts files on a victim’s computer and demands a ransom payment in order to decrypt the files and restore access. Over the past decade, ransomware has emerged as a major cyber threat, with new variants continually being developed by cybercriminals looking to extort money from individuals, businesses, hospitals, and government agencies. One of the key aspects of how ransomware works is the encryption algorithm used to scramble files, so understanding the most common encryption types can provide insights into defending against ransomware attacks.

Symmetric Encryption Algorithms

The majority of ransomware variants use symmetric encryption algorithms to encrypt files. Symmetric algorithms use the same cryptographic key for both encryption and decryption. Their advantages are that they are computationally very fast and require little code to implement; their downside is that the secret key must be shared with, or transmitted to, every party that needs to decrypt. The most prevalent symmetric algorithms used by ransomware include:

AES

The Advanced Encryption Standard (AES) is the most widely adopted symmetric encryption standard used today. It was selected by the U.S. National Institute of Standards and Technology (NIST) to replace the older Data Encryption Standard (DES) cipher. AES supports key lengths of 128, 192, or 256 bits. The AES algorithm is very fast and secure, while also being relatively easy to implement. As a result, many ransomware families including Locky, Cerber, SamSam and Ryuk rely on AES encryption.

RC4

The RC4 (Rivest Cipher 4) algorithm was designed by Ron Rivest of RSA Security in 1987. It supports variable key lengths up to 256 bits. RC4 gained widespread popularity because it is very simple to implement in software. However, cryptanalysis research over the years revealed weaknesses in the RC4 key scheduling process. It is no longer considered secure and has been removed from many cryptography standards. That said, some older ransomware variants like TeslaCrypt and TorrentLocker used RC4 for its ease of implementation before transitioning to more secure alternatives.

Blowfish & Twofish

These symmetric ciphers were designed by cryptography pioneer Bruce Schneier. Blowfish uses a 64-bit block size and key lengths up to 448 bits. Twofish is its successor, with a 128-bit block size and support for keys up to 256 bits. Both algorithms are considered very secure and lightweight. WannaCry and some early ransomware tools used Blowfish before moving to AES. Their main drawbacks are slower performance than AES and the lack of hardware acceleration support.

Asymmetric Encryption Algorithms

Asymmetric cryptography uses a pair of mathematically related keys, a public key and a private key: one key performs encryption and the other decryption. Asymmetric algorithms are the basis of public key encryption and digital signatures, and they allow secure communication between parties without having to share secret keys beforehand. Some ransomware strains use asymmetric algorithms in their operation, including:

RSA

RSA, named after its inventors (Rivest, Shamir and Adleman), is by far the most widely used asymmetric algorithm. It supports key lengths from 1024 to 4096 bits. RSA relies on the difficulty of factoring a large number that is the product of two large primes. Some ransomware, such as CryptXXX and Locky, uses RSA public-key cryptography to encrypt the secret keys used for the symmetric encryption of files. Victims cannot recover their files without obtaining the RSA private key from the attackers.

ECC

Elliptic curve cryptography (ECC) is another public key algorithm based on elliptic curve math. It provides similar security to RSA but with much smaller key sizes. For example, 256-bit ECC keys are equivalent in strength to 3072-bit RSA keys. Smaller keys mean faster processing times. A few ransomware tools use ECC instead of RSA for encrypting their symmetric data encryption keys.

Hybrid Encryption

Since asymmetric ciphers are relatively slow, most ransomware uses a hybrid scheme: an asymmetric algorithm encrypts the symmetric session key, and a symmetric algorithm encrypts the actual files. This allows the secret key used for fast symmetric file encryption to be protected securely. The symmetric key is encrypted with the attackers' public RSA or ECC key, so only the malware authors can unlock it with their private key.

This approach combines the security of public key cryptography with the speed and efficiency of symmetric key encryption. The malware needs to embed only the public key within its code. The private keys remain with the ransomware operators to decrypt files for ransom payments. Without access to these private keys, it is infeasible for victims to recover encrypted data.

Ransomware Encryption Keys

In addition to encryption algorithms, the encryption keys used by ransomware also greatly impact security strength. Longer and more random keys make decryption through brute force extremely difficult. Here are some key considerations:

  • Symmetric algorithm keys – 128-bit keys are the recommended minimum for AES; 256-bit keys are better.
  • Asymmetric algorithm keys – 2048-bit RSA keys or 256-bit ECC keys are commonly used.
  • New unique file encryption key per infection – Recovering one machine's key does not decrypt every victim's files.
  • Secure random key generation – Keys are generated with a cryptographically secure PRNG.

Properly implemented encryption with sufficiently long keys usually makes decrypting ransomware-encrypted files nearly impossible without obtaining the decryption keys from the criminals, typically by paying the ransom.
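Because the output of a correctly implemented cipher is statistically indistinguishable from random bytes, a defender cannot recover files by cryptanalysis, but can detect a bulk encryption pass by the statistical change it leaves on disk. The following is an added example for the Hybrid Encryption and Ransomware Encryption Keys sections above, not code from the original article: a file-monitoring heuristic that combines byte entropy with a magic-header check. The `MAGIC` table, the 7.5-bit threshold and the sample files are assumptions constructed for the demonstration.

```python
# Added example (not from the original article): a ransomware detection
# heuristic for file-integrity monitoring. Encrypted data has near-maximal
# byte entropy, and a known file type whose magic header has vanished is a
# strong signal that its contents were overwritten by ciphertext.
import math
import os
from collections import Counter

# Assumption: magic-number prefixes for the document types being monitored.
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
}

ENTROPY_THRESHOLD = 7.5  # bits per byte; uniform random data scores 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the observed byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_matches(name: str, data: bytes) -> bool:
    """True if the declared type has no known magic, or the magic is present."""
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    return magic is None or data.startswith(magic)


def assess(name: str, data: bytes) -> dict:
    """Flag a file only when entropy is high AND the header is gone.
    Compressed formats (docx, png) are high-entropy by nature, so the
    header check is what keeps ordinary documents from raising alerts."""
    ent = shannon_entropy(data)
    header_ok = header_matches(name, data)
    suspicious = ent >= ENTROPY_THRESHOLD and not header_ok
    return {"entropy": round(ent, 2), "header_ok": header_ok, "suspicious": suspicious}


if __name__ == "__main__":
    # Constructed samples: a plaintext memo, an intact docx-like file, and the
    # same docx after in-place encryption (simulated with random bytes).
    samples = [
        ("memo.txt", b"Quarterly budget review notes. " * 40),
        ("report.docx", b"PK\x03\x04" + bytes(range(256)) * 8),
        ("report.docx", os.urandom(4096)),
    ]
    for fname, blob in samples:
        print(fname, assess(fname, blob))
```

In a real deployment the check would run on write events from a file-system monitor and alert on a burst of files flipping to the suspicious state, rather than on any single file.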

Evasion Techniques

Beyond encryption methods, ransomware authors use various techniques to evade detection and analysis:

  • Code obfuscation – Masks intent to avoid AV signature detection.
  • Polymorphism – Mutates code across infections to change fingerprints.
  • Anti-debugging/VM tricks – Detects and terminates analysis environments.
  • Onion Routing (Tor) – Anonymizes command and control communications.

In addition, ransomware threat actors frequently improve their malware with new exploits, anti-analysis tricks, and spreading mechanisms. Continually enhanced evasion methods combined with strong encryption have fueled the ransomware epidemic hitting organizations globally.

Prevention and Recovery Recommendations

Defending against ransomware requires a multi-layered approach given the sophisticated nature of these threats. Strategies to reduce the risk and impact of ransomware attacks include:

  • Employee security training – Recognize phishing emails and malicious links.
  • Software updates – Patch vulnerabilities exploited by malware.
  • Least privilege – Limit account access to prevent lateral movement.
  • Network segmentation – Isolate and firewall critical systems.
  • Strong passwords – Make account hijacking more difficult.
  • Email security – Block dangerous files and links.
  • Endpoint detection – Stop threats before they can execute.
  • Backups – Maintain copies of sensitive data offline.
  • Incident response plan – Have an action plan ready for attacks.

Even with strong defenses, some ransomware may still slip through. Having reliable offline backups makes recovering encrypted files possible without paying the criminals. Backups combined with the above countermeasures can bolster resilience against ransomware campaigns targeting businesses today.

Conclusion

In summary, modern ransomware predominantly uses AES and RSA encryption to seize files and demand ransoms for decryption keys. Symmetric algorithms like AES efficiently encrypt files while asymmetric schemes such as RSA securely encrypt data encryption keys. Properly implemented cryptographic ransomware is virtually impossible to break without obtaining the attackers’ private keys. Defending networks through backups, IT security best practices, user education, and comprehensive defenses provides the best safeguards against ransomware outbreaks.