Modern ransomware that affected several countries in 2017 such as WannaCry, Petya, NotPetya and Locky, uses a hybrid encryption scheme, with a combination of AES and RSA encryption to secure their malware against the researchers getting encrypted files back.
What’s necessary from the ransomware point of view get its job done properly and securely ? starting from the premise that the ransomware wants to encrypt and decrypt the files.
Let’s start from the basics of cryptography and see what’s wrong with each type of implementation, incrementing methods of encryption to a secure ransomware.
Only symmetric encryption ransomware
Symmetric encryption algorithms such as AES can be used to encrypt the files with large speed rate. On this approach the ransomware will only use this encryption mechanism. It’ll encrypt all the user files with the AES algorithm and store on disk the keys used to encrypt each file. So when the infected pays the ransom, the decryptor will open this file with the keys and start decrypting the files. This naive approach will permit the researchers to find this file, and since it’s not encrypted, make some tool to decrypt the files using the keys.
Client asymmetric encryption
With this approach, the ransomware will generate RSA key pair, encrypt all files with the public key and send the private key to the server to be stored. This method of encryption is quite slow, RSA encryption will take longe time with large files, and also, the ransomware need to send the private key to a server, in this scenario the infected computer has be connected to internet and the server has to be online as well. If any of the two parties isn’t connected, there’s a problem. Either the ransomware needs to stop its execution or it’ll encrypt every file with the public key and deletes the private key without possibility of decryption, or has to store the private key temporarily on disk for later decryption. This is not a good solution.
Server Asymmetric encryption
On this scheme, the server will generate a key pair, the public key will be hardcoded on the ransomware and for each file, it’ll encrypt the file with the server public key, and only with the server’s private key, it’ll be able to recover the files, right? Yeah, but there’s a logical problem, will the server send to the client the private key and decrypt the files? With this approach, the researchers can get the private key and spread with all infected ones, so, with one person paying the ransom, every infection gets its files decrypted. Other way to decrypt is to the infected computer send all encrypted files to the server to decrypt, being slow and not viable sending large encrypted files over internet. Either way, its impractical.
Server and Client asymmetric encryption + symmetric encryption
This scheme is used by most ransomware nowadays, it’s hybrid, because uses both symmetric and asymmetric encryption, and no need of internet connection on encryption, only in decryption.
With this scheme, both ransomware and server will generate their RSA key pair. We’ll call the Client keys as: Cpub.key for Client public key and Cpriv.key for Client public key, Spub.key for Server public key and Spriv.key for Server private key. Here’s how it’s going to work:
For each infection, the ransomware will generate Cpub.key and Cpriv.key on the fly, also the ransomware will have the Spub.key hardcoded. It’ll encrypt the Cpriv.key with the Spub.key. The file encryption routine will start, files will get encrypted with AES, when finished, all AES keys will be encrypted with Cpub.key.
The Python code below demonstrates the encryption routine.
To the victim get his files back, AES keys are necessary. Unfortunately they’re encrypted with the Cpub.key, in order to decrypt the AES keys, the Cpriv.key is necessary, unfortunately again, the Cpriv.key is encrypted with Spub.key. In order to decrypt the Cpriv.key, the decryptor needs the Spriv.key, and the server is the only who posses this key.
The Python snippet code below demonstrate the decryption routine:
Security flaws encountered in ransomwares
The WannaCry ransomware even using the encryption scheme above, researches were able to get the prime numbers used to generate the RSA key-pair, the memory wasn’t desallocated properly and if the infected computer didn’t shutdown it could be possibly recovered, and get the client private key back. Take a look at Symantec analysis to wannacry.
The Bad Rabbit ransomware researchers found that the decryption key wasn’t wiped from memory and didn’t delete shadow copies, allowing victims to restore the files through windows backup functionality. https://securityaffairs.co/wordpress/64863/malware/bad-rabbit-ransomware-decryption.html
The Harasom ransomware is an example that “hides” the same key it uses to encrypt every file on every system in the ransomware executable itself, being easy for researchers to find it out . https://blog.emsisoft.com/en/27649/ransomware-encryption-methods/
To implement a secure ransomware that encrypts files, and decrypts it back, is necessary to free the memory after using the encryption keys. The AES keys and Cpriv.key shouldn’t be written to disk, even if they’re going to be encrypted later on the ransomware execution or be sent to server in plain-text. The original files should be shreded (overwritten with random bytes) and then deleted so no recovery software get original files back. The ransomware must communicate to its server by TOR network, and the ransom must be paid with cryptocurrencies, preventing attackers being traced back.
Python Ransomware implementation:
I’ve implemented POC ransomware in Python. Its features are:
- encrypt all user files with AES-256-CBC.
- Random AES key and IV for each file.
- encrypt AES keys with Cpub.key RSA-2048.
- encrypt Cpriv.key with RSA-2048 Spub.key.
- Works without internet.
- Communicate with the server to get Spriv.key.
- Change computer wallpaper.
- A Python webserver
A Linux Ransomware. Contribute to tarcisio-marinho/GonnaCry development by creating an account on GitHub.