
Ransomware is one of the largest problems in cyber security today. But what exactly is ransomware, how does it work, and why are so many companies and government agencies paying hundreds of thousands of dollars to recover their data? In this post, I want to go over exactly what ransomware is, how it works, why decrypting the data is possible in some cases and not in others, and how you can protect your data from this threat.
What is Ransomware?
Ransomware is malware that targets the most important files on your workstation, usually pictures, Excel spreadsheets, PowerPoint presentations, PDFs and the like. It encrypts those files using the same encryption algorithms we rely on every day to keep data safe. The difference is that instead of protecting the data for you, the attackers encrypt it and then demand payment, usually in Bitcoin, to unlock it. In some cases, paying the ransom does exactly what the ransom note promises and gets you the key needed to recover your data. In other cases, the criminals simply don't care whether you get your data back and never send it. In still others, the server that was supposed to hand out the key has been blocked by ISPs or taken down by law enforcement, so the private key needed to decrypt the data never arrives. In any case, a ransomware infection is a major problem with few good options for resolving it.
Why is some ransomware able to be decrypted while other strains are not?
This is an all too common question. Why are there free decryption tools for some ransomware strains but not for others? Several factors play into it, but the largest one is how the malware itself handles its keys. Two examples illustrate this.
- Jigsaw Ransomware

A good example of poorly written ransomware is the Jigsaw strain that was popular around 2016 and 2017. It ran disguised as Firefox, encrypted your files and, for added fun, threatened to delete files at random for every hour the ransom went unpaid, with everything left deleted after 72 hours. Fortunately for those infected, the developers took the lazy way out and simply hard-coded the password in the malware's own configuration code. Once decompiled, the .NET binary gives up the goods rather easily:

The line labelled "EncryptionPassword" holds the symmetric key needed to decrypt the files; it sits right there in the Config section of the decompiled source. As you might expect, the minute researchers see something like this in a sample, decryptors for that strain appear on the web, and recovering your data from this variant becomes easy. Unfortunately, most modern ransomware is not so forgiving.
- Wannacry Ransomware

At the other end of the spectrum is the WannaCry (also called Wana Decrypt0r) strain from 2017. It combined two things that made it unusually dangerous. First, it used both asymmetric and symmetric cryptography so that the files were encrypted in a way that is very difficult to break and that gives every victim a unique key. Second, it spread as a worm using the EternalBlue exploit against a vulnerability in Microsoft's SMBv1 implementation, one that Microsoft had already patched in MS17-010 before the outbreak. Once a single machine was infected, the worm could reach every other unpatched machine on the same network without any of their users taking any action. That is how it caused so much havoc: one infection was all it took.
To explain how this hybrid encryption works, and why the scheme WannaCry employs is so effective, I first need to give a bit of context on symmetric and asymmetric cryptography.
Symmetric cryptography uses the same key to encrypt and decrypt. A good everyday example is the key to your home: the same key locks and unlocks the front door. A digital example most of us use daily is a Wi-Fi password. The most common symmetric algorithm is the Advanced Encryption Standard, or AES, which has been the standard for nearly 20 years.
Asymmetric cryptography works differently. There are two separate keys, one public and one private. Whatever you encrypt with one can only be decrypted with the other, and the public key can be handed out freely because it cannot undo what it encrypted; only the private key has to be kept secret. This is used in several ways to protect how we use the modern internet. The most commonly used asymmetric algorithm is RSA, which has been around for over 40 years.
WannaCry uses these two building blocks as follows. Once executed, the ransomware generates a unique RSA key pair for the victim. It then uses the Windows CryptoAPI to generate a fresh AES key for each file and encrypts the file with that key. Each per-file AES key is then encrypted with the public half of the victim's RSA pair and stored with the file. Finally, the victim's RSA private key, the only thing that can unwrap those AES keys, is itself encrypted with an attacker public key hard-coded in the malware, and the plaintext copy is thrown away. The matching attacker private key never leaves the criminals, so every infection has a unique key pair, yet nothing left on the victim's machine is enough to reverse the chain. Short of capturing the keys before they are wrapped, or getting lucky with process memory (the recovery tools that did appear for WannaCry only worked on machines that had not been rebooted, where the prime numbers used to build the victim's RSA key were still sitting in the malware's memory), there is no reliable way to obtain the private key needed to unlock this chain of encryption.
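The chain described above, as an added example that is not WannaCry's own code or on-disk format: a small Go program implementing the three layers (a fresh AES key per file, the victim's RSA pair wrapping those keys, and the attacker's hard-coded public key wrapping the victim's private key). The names, the choice of AES-GCM and RSA-OAEP, and the extra AES layer around the victim's private key (a single RSA-OAEP operation cannot wrap a whole RSA private key, so it is sealed under a key-encryption key that RSA then wraps) are assumptions of this example, and the sample files are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// encFile: the file's AES key wrapped with the victim's RSA public key, plus the AES-GCM body.
type encFile struct{ wrappedKey, body []byte }

// Infection is all that stays on disk: the victim's RSA private key sealed under a fresh AES key (kek), and kek wrapped with the attacker's hard-coded RSA public key.
type Infection struct {
	files      map[string]encFile
	wrappedKEK []byte // RSA-OAEP(attackerPub, kek)
	sealedPriv []byte // AES-GCM(kek, victim private key as PKCS#1 DER)
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

func aesSeal(key, pt []byte) ([]byte, error) { // returns nonce || ciphertext under a fresh nonce
	g, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, pt, nil), nil
}

func aesOpen(key, sealed []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	if len(sealed) < g.NonceSize() { return nil, fmt.Errorf("ciphertext too short") }
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

func randKey() ([]byte, error) { k := make([]byte, 16); _, err := rand.Read(k); return k, err } // fresh AES-128 key, never reused

// newRSA makes a 2048-bit key pair; it panics only if the system RNG is broken.
func newRSA() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return k
}

// Encrypt is the malware side. It needs only attackerPub (hard-coded in the real thing).
func Encrypt(files map[string][]byte, attackerPub *rsa.PublicKey) (*Infection, error) {
	victim := newRSA() // a fresh pair for this victim
	inf := &Infection{files: map[string]encFile{}}
	for name, data := range files {
		fk, err := randKey()
		if err != nil { return nil, err }
		body, err := aesSeal(fk, data)
		if err != nil { return nil, err }
		wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &victim.PublicKey, fk, nil)
		if err != nil { return nil, err }
		inf.files[name] = encFile{wk, body}
	}
	kek, err := randKey()
	if err != nil { return nil, err }
	if inf.sealedPriv, err = aesSeal(kek, x509.MarshalPKCS1PrivateKey(victim)); err != nil { return nil, err }
	if inf.wrappedKEK, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, kek, nil); err != nil { return nil, err }
	return inf, nil // victim, kek and every fk are dropped here: nothing left on disk can reverse this
}

// Decrypt only works with attackerPriv, the key the criminals sell back as the "decryptor".
func Decrypt(inf *Infection, attackerPriv *rsa.PrivateKey) (map[string][]byte, error) {
	kek, err := rsa.DecryptOAEP(sha256.New(), nil, attackerPriv, inf.wrappedKEK, nil)
	if err != nil { return nil, fmt.Errorf("not the attacker's key, victim private key stays sealed: %w", err) }
	der, err := aesOpen(kek, inf.sealedPriv)
	if err != nil { return nil, err }
	victim, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil { return nil, err }
	out := map[string][]byte{}
	for name, f := range inf.files {
		fk, err := rsa.DecryptOAEP(sha256.New(), nil, victim, f.wrappedKey, nil)
		if err != nil { return nil, err }
		if out[name], err = aesOpen(fk, f.body); err != nil { return nil, err }
	}
	return out, nil
}

func main() {
	attacker, stranger := newRSA(), newRSA() // owner of the hard-coded public key, and anyone else
	docs := map[string][]byte{"budget.xlsx": []byte("Q3 numbers"), "cat.jpg": {0xff, 0xd8, 0xff}} // constructed
	inf, err := Encrypt(docs, &attacker.PublicKey)
	if err != nil { panic(err) }
	if _, err := Decrypt(inf, stranger); err != nil { fmt.Println("stranger:", err) }
	got, err := Decrypt(inf, attacker)
	fmt.Println("attacker:", string(got["budget.xlsx"]), err)
}
```

Running it shows a stranger's private key failing at the very first unwrap while the attacker's key walks the whole chain back to plaintext. The memory-based recovery mentioned above corresponds to grabbing `victim` (or the primes behind it) before `Encrypt` returns; once it has returned, the wrapped copy in `sealedPriv` is all that exists on the victim's side.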
Why are so many companies paying ransoms?
To understand why, we first have to understand the disaster recovery steps needed to resolve a ransomware infection. First and foremost, the malware has to be off the network entirely. Many newer strains lie dormant on the network doing reconnaissance before they encrypt anything, and until you can be certain the ransomware is gone, you cannot move to step two. That can be daunting, and sometimes it is not entirely possible.
Step two is usually to recover the encrypted files from backups, and that comes with conditions of its own. First and most importantly, the victim must have good, reliable backups to pull from. Those backups also need to be isolated or protected in such a way that the ransomware cannot encrypt them too. Many end users have no backup at all. Businesses are not much better: many rarely check whether the backups they take every night can actually be used to restore data. A backup that has never been test-restored is an assumption rather than a recovery plan; if it is corrupt or cannot be restored, it is useless here.
We also see cases of poor network architecture where the backups sit on the same network as the end-user servers and workstations, reachable from the very machines that got infected, so they become a victim of the ransomware as well.
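As an added example (not from the original post) of the check the two paragraphs above call for: a Go program that records a hash manifest when the backup is taken, later performs a real restore into a scratch directory, and compares every restored file against the manifest. A backup share the ransomware has reached then shows up as modified or missing files during the test instead of as a surprise on recovery day. The directory layout, file names and the simulated tampering are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps a slash-separated relative path to the SHA-256 of its content, recorded
// when the backup was taken and kept somewhere the backup job cannot overwrite.
type Manifest map[string]string

func hashFile(path string) (string, error) {
	b, err := os.ReadFile(path)
	if err != nil { return "", err }
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:]), nil
}

func writeFile(path string, body []byte) error {
	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil { return err }
	return os.WriteFile(path, body, 0o644)
}

// BuildManifest hashes every regular file under root.
func BuildManifest(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() { return err }
		rel, err := filepath.Rel(root, p)
		if err != nil { return err }
		h, err := hashFile(p)
		if err != nil { return err }
		m[filepath.ToSlash(rel)] = h
		return nil
	})
	return m, err
}

// RestoreAndVerify really restores every manifest entry from backupDir into scratch and
// hashes the result. It returns a sorted problem list; empty means the backup is usable.
func RestoreAndVerify(backupDir, scratch string, want Manifest) ([]string, error) {
	var problems []string
	for rel, wantHash := range want {
		b, err := os.ReadFile(filepath.Join(backupDir, filepath.FromSlash(rel)))
		if errors.Is(err, fs.ErrNotExist) {
			problems = append(problems, "missing: "+rel)
			continue
		} else if err != nil {
			return nil, err
		}
		dst := filepath.Join(scratch, filepath.FromSlash(rel))
		if err := writeFile(dst, b); err != nil { return nil, err }
		got, err := hashFile(dst) // hash the restored copy, not the backup in place
		if err != nil { return nil, err }
		if got != wantHash { problems = append(problems, "modified: "+rel) }
	}
	sort.Strings(problems)
	return problems, nil
}

// RestoreScenario builds a constructed data set, backs it up, lets simulated ransomware reach
// the backup share (one file encrypted in place, one deleted), and runs the restore test.
func RestoreScenario() ([]string, error) {
	base, err := os.MkdirTemp("", "restoretest")
	if err != nil { return nil, err }
	defer os.RemoveAll(base)
	data, backup, scratch := filepath.Join(base, "data"), filepath.Join(base, "backup"), filepath.Join(base, "scratch")
	files := map[string]string{"docs/budget.xlsx": "Q3 numbers", "photos/cat.jpg": "jpeg bytes", "notes.txt": "todo"} // constructed
	for rel, body := range files {
		for _, root := range []string{data, backup} { // the backup starts as a faithful copy
			if err := writeFile(filepath.Join(root, filepath.FromSlash(rel)), []byte(body)); err != nil { return nil, err }
		}
	}
	manifest, err := BuildManifest(data)
	if err != nil { return nil, err }
	if err := writeFile(filepath.Join(backup, "docs", "budget.xlsx"), []byte("\x8a\x11 ciphertext")); err != nil { return nil, err }
	if err := os.Remove(filepath.Join(backup, "notes.txt")); err != nil { return nil, err }
	return RestoreAndVerify(backup, scratch, manifest)
}

func main() {
	problems, err := RestoreScenario()
	if err != nil { panic(err) }
	fmt.Println(problems) // [missing: notes.txt modified: docs/budget.xlsx]
}
```

The point of restoring into a scratch directory rather than just hashing the backup where it sits is that it exercises the same path a real recovery would take; a manifest stored next to the backup would be encrypted or deleted along with it, which is why the comment on `Manifest` insists it lives elsewhere.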
But the largest factor driving large corporations and public bodies to pay is usually what we call MTTR, or Mean Time to Recovery: the expected time it takes to restore systems after a disaster such as a ransomware infection. For mission-critical entities such as a hospital, it is often judged worth the risk to simply pay the ransom rather than execute their own disaster recovery plan, because of how long a full restore would take. This is why government agencies and hospitals are high-value targets: even when they have the capacity to restore from backups, they often cannot afford the time it takes to do so.
How to protect yourself from Ransomware
For the end user, the single most important step you can take is to keep good, working backups of the data you consider critical. If you take nothing else from this post, go invest in a backup solution, keep at least one copy somewhere your workstation cannot reach so the ransomware cannot encrypt the backup along with everything else, and actually try restoring from it once in a while. It could save your family photos, or even your job if something work-related gets hit. The second major component is to be smart with email attachments and links, since clicking an attachment or a link in an email is still one of the most common ways to get infected. We recommend not clicking links in emails at all; if you need the site, type the address or use a bookmark. With attachments, verify the source and open a file only if you are certain who sent it and that it is a document you were expecting. Even then there is some risk, so weigh it. Finally, keep your operating system patched: WannaCry only spread to machines that were missing a fix Microsoft had already shipped.
What are your biggest fears regarding ransomware, or is there another threat you are more afraid of for yourself or your business? List them below in the comments!