Encrypted messages and ciphers have been around for quite some time now. Ever since the development of the first ciphering machine, the Enigma, cryptography has been gaining popularity. In fact, it has become so popular that the most widespread cryptocurrency, Bitcoin, uses encryption to be secure, and its price has skyrocketed.
However, alongside the development of cryptography there is always reason to mention the ones who can be referred to as the “wrong hands” in the saying “fallen into the wrong hands”: the malware writers and cyber-criminals. They manipulate the very same ciphers the government uses to guard secrets, the ciphers in the Suite B category:
- SHA (Secure Hash Algorithm).
- AES (Advanced Encryption Standard).
- ECDH (Elliptic Curve Diffie–Hellman).
But without understanding how malware writers use these powerful ciphers and how a cipher actually works, these are just abbreviations. This is why we are first going to explain what encryption actually is. In theory, encryption is:
“The process of encoding information so that only parties with access can read it.” Source: it.ucsf.edu
The actual process of encoding is replacing characters with other characters. When we meet a set of such characters and a particular method for how they are replaced, we are looking at an encoding cipher. In file encryption the same principle applies, with the difference that the regular code of the file is replaced with different characters. The difference in which characters are replaced is essentially a difference in the algorithm being used and its strength. For example, if the algorithm is 256-bit in strength instead of 128-bit, a more advanced character formation has been used, meaning it is even more difficult to decrypt.
Now that we have (hopefully) understood how it works, it is time to pay attention to the types of encryption that exist. Officially, two types are recognized:
- Symmetric (private) key encryption: a scheme where the key is the same for the sender and the recipient. It is primarily used for communicating securely and is now applied in most chat platforms you see, for example Viber, Skype, etc.
- Public key encryption: this type of encryption includes a public key available for mass access by anyone. The only condition is that the user must know what the decryption key is.
While these are the two primary types of encryption, advanced ransomware viruses such as Locky, TeslaCrypt, Cerber, CryptXXX and others may employ them in quite a different way to extort users like you for their files. Unlike a year ago, when most ransomware used only one algorithm (usually RSA) to encrypt the files, we now see a tendency where ransomware has gotten smarter. Cyber-criminals not only employ defenses such as self-deletion and obfuscation to prevent white hat researchers from investigating the malicious samples for code flaws.
They have also used a combination of algorithms to encrypt the files. First, the file may be encrypted using a symmetric encryption process, making it impossible to open. As a second layer of defense, the size of the file may be changed by adding a second algorithm in the header of the already encrypted code. So what we are talking about is an encrypted header placed on top of previously encrypted content, as in the figure below:
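The layering described above, a symmetric cipher on the file body and a public-key cipher on the key that sits in the header, is ordinary hybrid encryption. The following is an added example written for this article, not code from it or from any malware sample, using Go's standard library with AES-256-GCM for the body and RSA-OAEP for the header; the `Envelope` layout and the `Seal`/`Open` names are assumptions for illustration. What it shows a defender is that the file key exists in the clear only inside `Seal`, so once the header is wrapped the body cannot be recovered without the matching private key, which is why offline backups rather than decryption are the realistic remedy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope (assumed layout): header = per-file AES key wrapped with an RSA
// public key; then the AES-GCM nonce and the encrypted body of the file.
type Envelope struct{ WrappedKey, Nonce, Body []byte }

// aesGCM builds the symmetric layer; with a 32-byte key neither call can fail.
func aesGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal encrypts data with a fresh random AES-256 key (symmetric layer), then
// wraps that key with pub (public-key layer) and stores it in the header.
func Seal(pub *rsa.PublicKey, data []byte) (*Envelope, error) {
	key, nonce := make([]byte, 32), make([]byte, 12) // 12 = GCM nonce size
	rand.Read(key)   // crypto/rand is a CSPRNG and never returns a short read
	rand.Read(nonce) // fresh per message so the key/nonce pair is unique
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, aesGCM(key).Seal(nil, nonce, data, nil)}, nil
}

// Open unwraps the header with priv and decrypts the body; GCM's tag check
// rejects a tampered body, and a wrong private key fails at the OAEP step.
func Open(priv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedKey, nil)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("cannot unwrap file key: %v", err)
	}
	return aesGCM(key).Open(nil, e.Nonce, e.Body, nil)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, _ := Seal(&priv.PublicKey, []byte("constructed sample file contents"))
	fmt.Println(Open(priv, env))
}
```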