
Ransomware Encryption Explained – Why Is It So Effective?

Encrypted messages and ciphers have been around for a very long time. Since the era of electromechanical cipher machines such as the Enigma, cryptography has moved out of military and diplomatic circles and into everyday technology. It has become so commonplace that the most widespread cryptocurrency, Bitcoin, relies on cryptographic hashing and digital signatures to secure its ledger, and its price has skyrocketed.

However, wherever cryptography develops there is also room for the ones referred to as the "wrong hands" in the saying "fallen into the wrong hands": the malware writers and cyber-criminals. They use the very same algorithms that governments and industry rely on to guard secrets. Several of them belong to the NSA's Suite B set of approved algorithms (RSA is not part of Suite B, but is used just as widely):

  • RSA (Rivest-Shamir-Adleman) – a public-key algorithm, used by ransomware to encrypt keys rather than whole files.
  • SHA (Secure Hash Algorithm) – a hash function, not a cipher; it produces a fixed-size fingerprint of data and is used for integrity checks and key derivation.
  • AES (Advanced Encryption Standard) – a symmetric block cipher, the usual choice for encrypting the files themselves.
  • ECDH (Elliptic Curve Diffie–Hellman) – a key-agreement scheme that lets two parties derive a shared secret over an insecure channel.

Without understanding how malware writers use these algorithms and how they actually work, these are just abbreviations. So first we are going to explain what encryption is. In theory, encryption is:

"The process of encoding information so that only parties with access can read it." (Source: it.ucsf.edu)

In the classical sense, encoding meant replacing the characters of a message with other characters according to a fixed rule; that rule, together with the secret that selects it, is the cipher. Modern file encryption applies the same principle to bytes rather than letters: the cipher transforms the raw bytes of the file, block by block, under a secret key, and the output looks like random data until the same key (or, for public-key algorithms, the matching private key) is used to reverse the transformation. The algorithm determines how that transformation is built; the key determines which of the possible transformations is in use. When an algorithm is described as "256-bit" instead of "128-bit", that refers to the length of the key, not to a more elaborate substitution: a 256-bit key has 2^256 possible values, so trying every key (a brute-force attack) is astronomically harder than for a 128-bit key, even though both are already far beyond what any attacker can search.

Now that we have (hopefully) understood how it works, it is time to look at the types of encryption that exist. Two main types are recognized:

  • Symmetric (secret-key) encryption – a scheme where the Sender and the Recipient use the same key for both encryption and decryption. It is fast and is used for bulk data, including the message contents in most chat platforms you see, for example Viber, Skype, etc. Its weakness is distribution: both sides must somehow obtain the same key without anyone else seeing it.
  • Public-key (asymmetric) encryption – a scheme with a pair of keys. The public key can be given to anyone and is used only to encrypt; the matching private key is kept secret by its owner and is the only thing that can decrypt. Anyone can lock data for the owner of the key pair, but only the holder of the private key can ever unlock it, which is exactly the property ransomware authors want.

Advanced ransomware viruses, such as Locky, TeslaCrypt, Cerber, CryptXXX and others, combine these two types to extort users like you for their files. Unlike earlier ransomware, which often relied on a single algorithm and sometimes a single key embedded in the malware or left on the infected machine (mistakes that allowed researchers to release free decryptors), ransomware has become smarter. Cyber-criminals now employ defenses such as self-deletion and obfuscation to hinder white hat researchers from investigating the malicious samples for code flaws.

They have also moved to a combination of algorithms. First, each file is encrypted with a fast symmetric cipher (typically AES) under a randomly generated key that is unique to that file or that victim, making the file unreadable. As a second layer, that symmetric key is itself encrypted with the attacker's public key (typically RSA) and the result is written into a header that is prepended to the already encrypted file content; this is why encrypted files grow by a fixed number of bytes. The attacker's private key never leaves the criminals' server, so no amount of analysis of the infected machine can recover the per-file key: the victim is left holding an encrypted file whose key is locked inside an encrypted header, as in the figure below:

[Figure: EFS operation diagram – a file encrypted with a symmetric file key, with that key encrypted under a public key and stored alongside the file. Source: wikipedia.com]
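The hybrid scheme described above, and the difference between the two key types listed earlier, as an added example. This is not the page's own code and not the implementation of any real ransomware family: the header layout is invented for the example, the per-file key is AES-256-GCM, and the key is wrapped with RSA-OAEP. Go is used because its standard library provides every primitive involved, so the program runs offline with a constructed sample file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Blob layout, invented for this example (no real family uses exactly this):
//   [2 bytes big-endian: length L of the RSA-wrapped file key]
//   [L bytes: per-file AES key encrypted with the attacker's public key (OAEP)]
//   [12 bytes: AES-GCM nonce]
//   [AES-GCM ciphertext of the file, followed by the 16-byte authentication tag]
const nonceSize = 12

// encryptBlob is the encryptor side: a fresh random AES-256 key per file, the
// body encrypted under it, then the key wrapped with the public key and
// placed in the header. The private key is never present on the victim.
func encryptBlob(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32) // 256-bit symmetric key
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, plaintext, nil)

	// Second layer: the symmetric key is locked with the public key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	header := make([]byte, 2, 2+len(wrapped)+nonceSize)
	binary.BigEndian.PutUint16(header, uint16(len(wrapped)))
	header = append(header, wrapped...)
	header = append(header, nonce...)
	return append(header, body...), nil
}

// decryptBlob is the decryptor the victim is sold. Without the matching
// private key the wrapped file key cannot be recovered, so the body stays
// unreadable however closely the AES ciphertext itself is analysed.
func decryptBlob(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("blob too short for length field")
	}
	wl := int(binary.BigEndian.Uint16(blob[:2]))
	if len(blob) < 2+wl+nonceSize {
		return nil, errors.New("truncated header")
	}
	wrapped := blob[2 : 2+wl]
	nonce := blob[2+wl : 2+wl+nonceSize]
	body := blob[2+wl+nonceSize:]

	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, body, nil)
}

// headerOverhead is how many bytes the encrypted file grew by: length
// field, wrapped key, nonce and GCM tag. It is constant for a given key size.
func headerOverhead(blob, plaintext []byte) int {
	return len(blob) - len(plaintext)
}

func main() {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048) // lives only on the attacker's server
	if err != nil {
		panic(err)
	}
	plaintext := []byte("constructed sample document contents") // constructed input
	blob, err := encryptBlob(&attacker.PublicKey, plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext %d bytes, encrypted file %d bytes (+%d header/tag)\n",
		len(plaintext), len(blob), headerOverhead(blob, plaintext))
	recovered, err := decryptBlob(attacker, blob)
	fmt.Printf("with the attacker's private key: %q, err=%v\n", recovered, err)
	wrongKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = decryptBlob(wrongKey, blob)
	fmt.Printf("with any other key: err=%v\n", err)
}
```

Two things worth noticing when running it. The encrypted file is larger than the original by exactly 2 + 256 + 12 + 16 bytes for a 2048-bit RSA key, which is the kind of fixed per-file growth an incident responder can use to recognise a family's output. And decryption with any key other than the attacker's private key fails at the unwrap step before the file body is even touched, which is why the only realistic way researchers build free decryptors is an implementation flaw (a reused or hard-coded key, a weak random number generator, a key left on disk), never a break of AES or RSA themselves.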


File encryption used by ransomware viruses has advanced and continues to develop at a rapid rate. This is due to several factors, one of them being the behaviour of victims. Users who consider the encrypted data important pay the ransom, which makes the cyber-criminals even more powerful and allows them to invest in bigger spam campaigns, spreading their malware even further. This, plus more sophisticated ransomware being openly sold on deep web forums, is a perfect recipe for widespread infections of all types. What is worse, RaaS (Ransomware as a Service) is becoming quite widespread, meaning that even individuals without much technical experience can make money off unsuspecting users. We, as part of the security community, strongly advise users not to pay any ransom, to look for alternatives (free decryptors exist for families whose authors made implementation mistakes, and backups kept offline survive any encryption scheme) and to educate themselves on how to protect their data in the future, because starving this widespread problem of income may turn out to be the only viable way to stop it.

Ventsislav Krastev


Ventsislav is a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering and helping victims with the latest malware infections, plus testing and reviewing software and the newest tech developments. Having also graduated in Marketing, Ventsislav has a passion for learning about new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecurity industry and is a strong believer in the education of every user towards online safety and security.
