3

I'm doing some research and wondered: since ransomware allows a user a decryption key, how would that be possible if it is not on a network?

12/23 Edit: After learning how ransomware works I'm now considering prevention methods.

Is it possible to have an air-gapped network? If so, can you explain how non-physical attacks could still get through?

schroeder
Jordan
  • How did the ransomware get on the computer in the first place, in your scenario? – schroeder Dec 19 '16 at 21:32
  • @schroeder: how about a USB drive like in Stuxnet? – Steffen Ullrich Dec 20 '16 at 03:56
  • @SteffenUllrich sure, but what does the OP mean? – schroeder Dec 20 '16 at 07:20
  • @schroeder: good question. I think the question as it is now is open to multiple interpretations. But, since the title asks if ransomware works (i.e. does its encryption) on an air-gapped system and not if ransomware can infect such a system, my interpretation is that it somehow got there. – Steffen Ullrich Dec 20 '16 at 07:59
  • non-physical as in anything **besides** USB, social engineering, etc. – Jordan Dec 23 '16 at 17:29
  • I'm still trying to understand. You want to know how a network attack could reach a network that is not connected to the attacker's network? – schroeder Dec 23 '16 at 17:31
  • Pretty much. I am thinking of a scenario where the IT staff at a company would be completely at ease because the network would be air-gapped. That being, would it be possible to get in if the attackers were not on the same network? – Jordan Dec 23 '16 at 17:35
  • I think you need to think of the situation in terms of 'vectors of infection'. If you disconnect a computer from a network, then the network is not a vector. The question then becomes, 'what other vectors could there be?' – schroeder Dec 23 '16 at 17:38

2 Answers

5

I assume you mean with an air-gapped system that it has no network connection but that it is still possible that the system gets infected, for example using an infected USB drive as in the Stuxnet attack.

While most ransomware requires a network connection to communicate with the command and control server, there are variants which don't require it. Such a case is described in Avira: Locky goes offline (by design). In this specific case the public key used to encrypt the randomly generated encryption keys is contained in the ransomware itself instead of getting it from the C&C server. The files are encrypted and the user is presented with the usual prompt, which asks for payment and presents a reference number. It is the problem of the user then how to get the decryption key to the air-gapped system.

Steffen Ullrich
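The offline design this answer describes, as an added Go example that is not from the answer or from any real sample: the RSA public key embedded in the binary wraps a fresh per-run AES key, so encryption needs no network, and the sealed file plus wrapped key left on the host contain nothing that opens the file without the operator's private key. The RSA-OAEP/AES-GCM pairing and the function names are my assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptOffline needs only the public key shipped inside the sample, so no
// C&C contact happens; the raw AES key is wrapped and then dropped.
func EncryptOffline(pub *rsa.PublicKey, plaintext []byte) (sealed, wrapped []byte, err error) {
	buf := make([]byte, 32+12) // fresh AES-256 key followed by a 96-bit GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := aead(key)
	if err != nil {
		return nil, nil, err
	}
	if wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil); err != nil {
		return nil, nil, err
	}
	// The wrapped key (hex) is what a ransom note would show as the "reference number".
	return gcm.Seal(append([]byte(nil), nonce...), nonce, plaintext, nil), wrapped, nil
}

// Recover is the operator-side step: only the RSA private key, which never
// touched the host, unwraps the AES key. Any other key fails at DecryptOAEP.
func Recover(priv *rsa.PrivateKey, sealed, wrapped []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize() // nonce was stored in front of the ciphertext
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}
```

For defenders the point is that a second RSA key generated on the host fails in Recover, so restoring from offline backups, not key recovery from the host's files, is the practical recovery path.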
4

In early 2015, security researchers from Ben Gurion University in Israel showed a theoretical attack on air-gapped machines called BitWhisper.

The attack requires two machines to be physically infected first, and immediately adjacent to each other within a server rack. The first machine is the air-gapped one, the second being a networked server immediately adjacent. The air-gapped server then very slowly (~8 bits per hour) passes information to the other infected server by increasing and decreasing the temperature of the server, which is then interpreted by the networked machine. From there the data could be passed anywhere.

So far, however, BitWhisper is only a theoretical attack.

Original BitWhisper whitepaper.

R. Murray