Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Ransomware Encryption Explained – Why Is It So Effective?

locked-encrypted-sensorstechforumEncrypted messages and ciphers have been around for quite some time now. Ever since the development of the first ciphering machine – the Enigma, cryptography has been gaining popularity. In fact, it has become so popular, that the most widespread cryptocurrency – BitCoin uses encryption to be secure, and it’s price has skyrocketed.

However, with the development of cryptography, there is always space to mention the ones which can be referred to as the “wrong hands” in the saying “fallen into the wrong hands” – the malware writers and cyber-criminals. They manipulate the very same cyphers used by the government to guard secrets – cyphers, part of the Suite.B category:

  • RSA(Rivest-Shamir-Adleman).
  • SHA(Secure Hash Algorithm).
  • AES(Advanced Encryption Standard).
  • ECDH(Elliptic Curve Diffie–Hellman).

But without understanding how malware writers use the powerful cipher and how does the cipher exactly work, these are just abbreviations. This is why first we are going to explain what encryption actually is. By theory encryption is:

“The process of encoding information so that only parties with access can read it.”Source:it.ucsf.edu

The actual process of encoding is replacing the characters with other characters. When we meet a set of such characters and a particular methodology in how they are replaced, we meet an encoding cipher. In file encryption, the same principle is applied, with the difference that the regular code of the file is replaced with a different characters. The difference in characters being replaced is essentially a difference in the algorithm being used and its strength. For example, if the algorithm is 256 bit in strength instead of 128 bit, this means that more advanced character formation has been used, meaning its even more difficult for decryption.

Now that we have understood(hopefully) how it works it is time to pay attention to the types of encryption that exist. Officially there are two types recognized:

  • Symmetric(Private) key encryption – a scheme where the keys are the same for the Sender as well as the Recipient. It is primarily used for communicating securely and is now applied in most chat platforms you see, for example, Viber, Skype, etc.
  • Public key encryption – this type of encryption includes a public key available for massive access by anyone. The only condition is that the user must know what the decryption key is.

If these are the two primary types of encryption, advanced ransomware viruses, such as Locky, TeslaCrypt, Cerber, CryptXXX and others may employ it in a quite different way to extort users like you for their files. Unlike a year ago where most ransom malware used only one algorithm (usually RSA) to encrypt the files, now we see a tendency where ransomware has gotten smarter. Cyber-criminals not only employ defenses, such as self-deletion and obfuscation to prevent white hat researchers into investigating the malicious samples for code flaws.

They have also used a combination of algorithms to encrypt the files. At first, the file may be encrypted with using a symmetric encryption process, making it unable to be opened. As a second layer of defense, the size of the file may be changed by adding a second algorithm in the header of the already encrypted code. So what we are talking about is an encrypted header which is previously encrypted, as in the figure below:

EFSOperation.svgSource: wikipedia.com

Conclusion

File encryption used by ransomware viruses has advanced and is continuing to develop at a rapid rate. This is due to several factors, such as the one of the user. There are users who consider the data which is encoded important for them and they pay the ransom. This makes the cyber-criminals even more powerful and allows them to invest in bigger spam campaigns, spreading their malware even further. This, plus the more sophisticated ransomware viruses being publicly available for sale on deep web forums Is a perfect recipe for widespread ransomware infections of all types. What is worse is that RaaS (Ransomware as a service) is becoming quite widespread now, meaning that even individuals without much technical experience in the sphere can make money of unsuspecting users. We as a part of a security community strongly advise users not to pay any ransom money and look for alternatives and also educate themselves on how to protect their data in the future because suffocating this widespread problem massively may just turn out to be the only viable way to stop it.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.