General question about encryption


6 replies to this topic

#1 kragster665


Posted 21 November 2016 - 05:29 AM

Hi,

I tried searching for this, but could not find a proper answer.

 

These decryptors work by extracting the encryption key and afterwards using that to decrypt the rest of the files. It requires that you have a file in both the encrypted and unencrypted version and that you know the ransomware kit?

 

I guess the information from knowing what ransomware kit was used is about knowing what cryptographic method was used to encrypt the files..?

 

Can someone explain to me how it is possible to extract the key, just from having these files and knowing the encryption algorithm?

 

Best
Lars




#2 Struppigel

  • Karsten Hahn, G DATA Malware Analyst
  • Malware Response Team

Posted 21 November 2016 - 07:16 AM

Hi Lars.

I guess you mean the free decrypters by demonslay, Fabian Wosar, Kaspersky etc.?

How they work depends on how the files have been encrypted. There are several situations:

  1. The ransomware family uses a known set of keys, e.g., the key might be hardcoded within the ransomware or the keys might have been obtained by law enforcement. In that case the decrypter can apply the key directly to decrypt the files.
  2. The encryption algorithm is weak so that bruteforcing the key is possible. That means the decryption tool first finds the right key by testing lots of keys that could have been used. The decrypter will need a reference file to check if a tested key was the right one.
  3. The ransomware family leaves information about the key on the system. The decrypter might be able to either obtain the key directly that way or to obtain information that helps to bruteforce the key.

Best regards

Karsten


Edited by Struppigel, 21 November 2016 - 07:17 AM.


#3 kragster665

  • Topic Starter

Posted 21 November 2016 - 07:38 AM

> Hi Lars.
>
> I guess you mean the free decrypters by demonslay, Fabian Wosar, Kaspersky etc.?
>
> How they work depends on how the files have been encrypted. There are several situations:
>
>   1. The ransomware family uses a known set of keys, e.g., the key might be hardcoded within the ransomware or the keys might have been obtained by law enforcement. In that case the decrypter can apply the key directly to decrypt the files.
>   2. The encryption algorithm is weak so that bruteforcing the key is possible. That means the decryption tool first finds the right key by testing lots of keys that could have been used. The decrypter will need a reference file to check if a tested key was the right one.
>   3. The ransomware family leaves information about the key on the system. The decrypter might be able to either obtain the key directly that way or to obtain information that helps to bruteforce the key.
>
> Best regards
>
> Karsten

Hey Karsten,

Thank you for the explanation! I just got hit by Globe2 ransomware and decrypted it all very easily using Emsisoft's decrypter tool. Just wondered how it derived the key, just by comparing an encrypted file to an original one.

 

Best
Lars



#4 quietman7

  • Bleepin' Janitor
  • Global Moderator

Posted 21 November 2016 - 08:12 AM

Specific information about the inner workings of decryptor tools created by our crypto-malware experts and security vendors like Kaspersky is deliberately not provided or discussed in public. The bad guys read these forum topics... why provide the criminals with any info which could help them circumvent the tools?

#5 xXToffeeXx

  • Bleepin' Polar Bear
  • Malware Response Instructor

Posted 21 November 2016 - 03:53 PM

> Hey Karsten,
>
> Thank you for the explanation! I just got hit by Globe2 ransomware and decrypted it all very easily using Emsisoft's decrypter tool. Just wondered how it derived the key, just by comparing an encrypted file to an original one.
>
> Best
> Lars

If you know what encryption method a ransomware uses, sometimes we can decrypt it. The original file is often used to make sure that the encrypted file decrypted properly.

 

xXToffeeXx~


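As an added example, not code from this thread or from any of the decrypters named in it: a constructed toy cipher with a 16-bit key shows how Karsten's situation 2 (testing candidate keys against a reference file) and xXToffeeXx's point (using the original file to confirm the decryption worked) fit together. The cipher, the LCG keystream, the key size and the sample files are all made up for the demo; a real tool searches whatever key space the specific family's flaw leaves open.

```python
from typing import List, Optional, Tuple

# Constructed toy scheme for illustration; not any real ransomware family's algorithm.
KEY_BITS = 16  # tiny key space: 65 536 candidates, searchable in well under a minute

def keystream(seed: int, length: int) -> bytes:
    """Weak keystream: a 16-bit seed drives a textbook LCG (constructed)."""
    state, out = seed & 0xFFFF, bytearray()
    for _ in range(length):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)

def toy_encrypt(seed: int, data: bytes) -> bytes:
    """XOR stream cipher; the same function also decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))

toy_decrypt = toy_encrypt

def recover_key(ref_plain: bytes, ref_cipher: bytes, probe: int = 16) -> Optional[int]:
    """Karsten's situation 2: try every candidate key and keep the one that turns
    the reference plaintext into the reference ciphertext. Only a short prefix is
    compared per candidate; the whole-file check is done by the caller."""
    if len(ref_plain) != len(ref_cipher) or len(ref_plain) < probe:
        raise ValueError("reference pair must be equal-length and at least probe bytes")
    target = ref_cipher[:probe]
    for seed in range(1 << KEY_BITS):
        if toy_encrypt(seed, ref_plain[:probe]) == target:
            return seed
    return None

def recover_and_decrypt(ref_plain: bytes, ref_cipher: bytes,
                        others: List[bytes]) -> Tuple[int, List[bytes]]:
    """Recover the key from the reference pair, confirm it decrypts the whole
    reference file byte-for-byte (the check xXToffeeXx describes), then apply
    it to the files that survive only in encrypted form."""
    seed = recover_key(ref_plain, ref_cipher)
    if seed is None:
        raise ValueError("no key in the searchable space reproduces the reference")
    if toy_decrypt(seed, ref_cipher) != ref_plain:
        raise ValueError("prefix matched but the full reference file did not verify")
    return seed, [toy_decrypt(seed, c) for c in others]

if __name__ == "__main__":
    # Constructed victim data: one file exists in both forms, the rest only encrypted.
    secret_seed = 0x1E2F  # the attacker's key; the decrypter never sees it directly
    files = [b"The quick brown fox jumps over the lazy dog.", b"Quarterly report, draft v3"]
    encrypted = [toy_encrypt(secret_seed, f) for f in files]
    seed, plain = recover_and_decrypt(files[0], encrypted[0], encrypted[1:])
    print(f"recovered key 0x{seed:04X}; decrypted: {plain}")
```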


#6 kragster665

  • Topic Starter

Posted 22 November 2016 - 05:30 AM

Thanks guys. I appreciate it! I am an IT professional as well, though mostly working with Microsoft infrastructure components.



#7 quietman7

  • Bleepin' Janitor
  • Global Moderator

Posted 22 November 2016 - 06:48 AM

You're welcome on behalf of the Bleeping Computer community.



