67

The site: https://www.nomoreransom.org/ offers many decrypter tools for ransomware.

But why?

It shouldn't be so hard to use the Windows Crypto API (e.g. just google "create AES Key in Windows") to create AES Keys, encrypt them with a locally generated public RSA Key and encrypt the corresponding private RSA Key with a Public RSA Key that the attacker controls. (The method of Wanacry.)

If the victim pays the ransom, they have to send the encrypted private RSA key to the attackers, and hopefully get the decrypted private RSA key back.

Why do these people try to reinvent the wheel and in the process make mistakes that allow the development of decrypter tools?

kiara
  • 671
  • 1
  • 6
  • 9
  • 19
    Using the Windows crypto API can trigger antivirus heuristics. – forest May 15 '19 at 23:25
  • 103
    Asking why malware isn't quality is like asking why criminal enterprises aren't stellar examples of business management... – benxyzzy May 16 '19 at 06:57
  • 3
    Why not encrypt the AES key directly with the public RSA key the attacker controls? – lvella May 16 '19 at 10:02
  • 1
    You could do that, but in this case, the victim has to send all the encrypted AES-keys (one for each file) to the attacker, which requires more bandwidth. (Alternatively, the attacker could use a single AES-key for all files.) Remark: What i described was the workflow of Wanacry. – kiara May 16 '19 at 11:51
  • 2
    It is all about **business** common sense . A `perfect` ransomware crypter will have a risk the the ransomware actor fail to capture the key. There already happens in a few case that the ransomware failure to send the locally generated key back to its hiding place, which **damage** the reputation and risk future victims willingness to pay. Leaving some "leniency" hole is the best business strategy. – mootmoot May 17 '19 at 15:51

4 Answers4

100

Disclosure: I work for one of vendors participating in NoMoreRansom.

Most modern ransomware indeed implements proper cryptography. Earlier versions were using rand() for key generation, seeding the random generators with variants of time() - this is why it was important for successful decryption to know when exactly the infection happened; ideally down to minutes. Those could be decrypted with brute force. But most modern ransomware indeed uses either Windows Crypto API, or bundled crypto libraries.

However, no matter how correctly ransomware is implemented, there is always a weak point - to facilitate decryption, the key(s) have to be stored somewhere. This location could be traced by security companies, who would work together with law enforcement to take it over. Access to the server gives the security company the ability to decrypt the ransomware victims files. This is for example the case with GangCrab ransomware.

eclipz905
  • 109
  • 2
George Y.
  • 3,504
  • 2
  • 10
  • 15
  • 6
    There is of course the possibility that there is no decryption key. Once the criminals get the ransom, why would they care about repairing the damage done? – gnasher729 May 15 '19 at 20:54
  • 56
    @gnasher729 people are also lot more likely to pay up if your particular malware has a reputation for following through on decryption. If you never get your files back no ones going to pay. (Sometimes you're right though) – Richard Tingle May 15 '19 at 21:39
  • 22
    @gnasher729 I would be more inclined to pay a ransom for my family if the abductors don't have the reputation to kill the hostages anyway ;) – Thomas May 16 '19 at 07:47
  • 2
    @Thomas: That's exactly why you shouldn't ever pay ransom. Involve police, hire mercenaries, or just call your family dead, whatever. Only just, don't ever pay. The moment you pay, the hostage is not only _worthless_, but a high-risk liability. Not killing the hostages is the most stupid thing a hijacker could possibly do. They might help identifying the hijacker or the location where they were held. Same principle applies to ransomware. Who cares about reputation if a few thousand fools will pay anyway? Fulfilling your promise just to get "reputation" means you risk being caught. – Damon May 16 '19 at 08:26
  • 27
    @Damon If you're talking about third world professional kidnappers that's not really true. There's a whole insurance industry around paying ransoms because those kidnappers want money, they don't want companies to just write off their employees or worse stop sending employees to the country altogether. – IllusiveBrian May 16 '19 at 13:57
  • `This location could be traced by security companies` -> I thought ransomware authors used Tor all the time, even to communicate with C&C. Either put the whole Tor stack (it's open source) into the malware, or use `onion.to` or any other dark web public gateway. I thought those were the most reasonable ways – usr-local-ΕΨΗΕΛΩΝ May 16 '19 at 15:25
  • 4
    And yes, we know. Chuck Norris and intelligence agencies can track down Tor hidden services, the latter with a few clicks, the former with a roundhouse kick to the screen – usr-local-ΕΨΗΕΛΩΝ May 16 '19 at 15:26
  • 3
    @Damon Except in parts of the world where kidnapping is or was common, they DO release the hostages after the ransom is paid for the reason stated above. They may not do it right away, and they may keep trying to bleed the family as long as possible, but from what I understand they generally don't just kill people. Because these crimes take place in lawless areas where kidnappers don't get caught, releasing the victims isn't much of a problem. Think Sudan, or some parts of Mexico. Real kidnapping isn't Fargo. – Steve Sether May 16 '19 at 16:29
  • Interesting. Combined with Schroeder's answer of essentially "it's all automated", the last part about discovering the location of they keys makes sense. I was curious why the attackers wouldn't simply encrypt the keys themselves, but if the whole process is automated, it's make sense that the keys aren't encrypted. – Steve Sether May 16 '19 at 17:51
  • @usr-local-ΕΨΗΕΛΩΝ some ransomware only provides communication points in Tor network, but it doesn't seem to be popular among ransomware authors. I guess some potential victims who would otherwise pay ransom might be simply unable to do so technically. Booting into Tails alone could already be a challenge for a non-technical Windows user. – George Y. May 17 '19 at 06:20
  • @GeorgeY. clarification: what I meant (and what you said is not popular yet) is that the ransomware could have tried to hide their C&C traces by sending the key payloads via Tor rather than to a fixed DNS host/ip destination, which can be tracked to an entity, seized and cryptanalysed. It is believable that crime organizations working in the clear web can use 1) hacked boxes or 2) cloud services billed to fake/stolen names. But better not go deep into the subject in the comments, or move to chat – usr-local-ΕΨΗΕΛΩΝ May 17 '19 at 09:47
  • 1
    @Damon - that's complete nonsense. Kidnapping is peanuts compared to murder in basically every penal system in the world. Releasing hostages increases risk that they leak some info about you, executing them makes sure that the entire police force of a country and few international ones like Interpol will be on your ass. – Davor May 17 '19 at 14:33
  • @Davor: Your reasoning is unlogical. Hijackers threaten to kill a person. If they are truly reluctant to kill that person (fearing the penalty) why would you pay them at all? They're not going to kill the hostage! Fact remains, hijacker (or blackmailer in general) wants your money. You give them money, they have what they want. Plus, you actually _encourage_ them (and others). The only sensible way of dealing with this kind of individual is merciless persecution, the harshest penalties possible, and no reward under any circumstances. Do not give them what they want, no matter what it costs. – Damon May 17 '19 at 17:14
  • @Damon - that makes absolutelly no sense. You are conflating killing hostages if demands are not met, with killing hostages when paid. One is beneficial, the other is not. You argument is fucking stupid. – Davor May 19 '19 at 21:22
  • @Davor: What's truly stupid is trusting that someone who is _demonstrably_ not trustworthy and who _demonstrably and openly_ defies law, humanity, and morals will fulfill a promise. That, Sir, is stupid. – Damon May 20 '19 at 14:20
  • @Damon - no one suggested trusting anyone. – Davor May 21 '19 at 20:05
49

It is just a cost/gain question. Ransomware developers generally do not want to build a security tool with all the involved reviewing. They just want the less expensive tool that will allow them to get more money than it cost. Of course, they are probably breakable, but who cares? Provided some of the first victims have paid what they were asked, the attacker gets much more money than they spent. Furthermore, the longer you use one, the higher the risk to be caught if a governmental security agency manages to come into play.

It is more or less what many real-life thieves do when they manage to enter in a random house: take the most valuable things in the shortest possible time and go away.

Things are different both in the real life and IT world for targetted attacks. If you want to attack a bank or a jewelry shop, the gain is expected to be high enough to spend a lot of preparation time. The same when a governmental service attacks a strategic target, they will use higher quality tools. But it is seldom used for random targets.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Serge Ballesta
  • 25,636
  • 4
  • 42
  • 84
21

The obvious answer is that no criminal would want to interact so directly with their victim.

"send the encrypted private RSA key to the attackers"

requires a consistent point of contact.

In the current model, all the communication is one-way and fungible:

  • malware displays a screen instructing the victim to deposit bitcoins (no direct contact)
  • criminals monitor deposits and send email with key (communication is automated and one-way from any disposable intermediary)

The current model works so well, it is one of the top threats worldwide. There are always ways to improve a system, but if it isn't broken, what's the benefit?

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 1
    Well, the current model does not work in so many cases. But to your answer: If the attacker only want to communicate one-way, they either have to have a single decryption key for all victims or they have to hard code a individual RSA Public key for every infected machine. However, it would be easy to send the encrypted private key to a server just after the infection. (They usually have to download the ransomware from a server anyway.) Then the decryption can be done automatically as you described. – kiara May 15 '19 at 15:56
  • It does not work? How do you mean? – schroeder May 15 '19 at 15:57
  • nomoreransom.org has a long list of decryption tools, with them you can decrypt your files without paying the ransom. The core of my question is: Why do they mess up the encryption so often, when it is really not that difficult to do it right. – kiara May 15 '19 at 15:58
  • 2
    how is that evidence of it not working? – schroeder May 15 '19 at 15:58
  • 2
    The encryption is not messed up. The encryption is fine. The problem is that the key is exposed after people submit the encrypted files and received keys for analysis. When this happens, the criminals just change the keys or even the code base (lots to choose from). There is no error here and nothing to fix. – schroeder May 15 '19 at 16:02
  • 1
    "it would be easy to send the encrypted private key to a server just after the infection" - that creates a trail back to the attackers. No criminal would want that, as I said. – schroeder May 15 '19 at 16:06
  • @schroeder Why can't the hacked send a code that is reversed to find a key for the ransomware? Also, the ransomware could include its own tor client or use fast flux dns (every ransomed or affiliated computer acts as a dns server to the others in a web of botnets) to avoid being traced back. The network could get commanded by a public key. – noɥʇʎԀʎzɐɹƆ May 15 '19 at 23:27
  • 2
    @noɥʇʎԀʎzɐɹƆ Seems like a lot more work and development effort to set up then current established methods. If you are a malware author, you only care to a limited extend if a decryptor gets released eventually - proportionally with how much time you spent making it. You just make another ransomware then – Magisch May 17 '19 at 09:41
5

Frankly, it's pretty tricky to pull off good file encryption and decryption, even with a library that's supposed to do it for you. I tried to modify a cryptor (meant to obfuscate viruses to hide their signatures from antivirus programs) that used a very basic bitshift technique originally, and it didn't work well because most antivirus programs would literally brute force the binary and could realize that it was actually a virus! I wanted to replace the bitshift "encryption", if you could even call it that, with AES encryption via a C# library that I had used successfully in the past for strings, but I could never make it work. Another problem is that the more complicated your encryption algorith is, the longer it takes to sweep the entire disk, and then decrypt at the end when/if they pay. It's also more likely to fail in the middle and result in an incomplete job.

What I saw once on my grandma's computer, back before ransomware really took off and got better, was a ransomware program that supposedly encrypted her files and wanted about $200 to decrypt them. All it did in reality was add the extension ".crypted" to the end of every single file so windows didn't know what program to use to open any of them! Once I figured that out, all that was necessary to do was use the task manager to locate and delete the original ransomware file, then write a batch script to recursively check every file on the system for the .crypted extension and remove it if present. Problem solved within an hour, no money paid to hackers at all! But if they had used AES, this technique wouldn't have worked at all, and deleting the virus file would probably destroy any hope you ever had of cracking the military grade encryption.

The difference is that the guy who used the first technique of renaming the file extension so windows couldn't open any files probably already had hundreds of infections by the time the guy using military grade encryption even finished his virus, and the 5% of people who are smart enough to fix the first one are probably also smart enough to not be infected by the second one. The other 95% of people who couldn't figure out any way to fix either virus other than just paying the ransom, probably paid it the first time (to the guy with the easily breakable ransomware) and then immediately set up a full backup solution to prevent it from ever happening again. If they later got infected by the military grade ransomware, they already learned their lesson once and just restored from the backup. Hopefully even people who haven't been infected yet start to set up backups, so they never even have to pay the ransom once.

From this scenario, you can see how the guy with the easily breakable ransomware can release it first, it acts faster and is more reliable and easier to reverse even if the antivirus program manages to delete the virus before decryption, and because of that, he will make more money than the person who spends tons of time setting up a fully bulletproof ransomware virus, but is later to the market after people have started to wise up and back up their important files.

Cyle Langenhennig
  • 59
  • 1
  • How did you restore the original file extensions? Or did the Ransomware append the .crypted extension to the original filename including the extension? I.e: photo.png.crypted – Morgan May 18 '19 at 13:23
  • @Morgan, yes they literally just added the extension ".crypted" to the end of every single file windows would let them modify automatically! Lowest effort ransomware ever, but very easily reversible for both the ransomware itself and for any competent computer user. Unfortunately, probably 80% of computer users are not that competent, and even if they know what role the file extension plays and they don't freak out about the windows warning message you get while changing them, it would take days/weeks to revert them all by hand without a script. – Cyle Langenhennig Jul 08 '19 at 21:34