18

Some of my files have been encrypted by ransomware. I can find some backup of files (unfortunately not all of them). Can I find the password of the 7Z zipped+encrypted files if I also have some of the original files?

schroeder
  • 123,438
  • 55
  • 284
  • 319
rvil76
  • 283
  • 2
  • 4
  • 7
    If the files were encrypted using a pre-2019 version of 7zip, there may be hope. See https://security.stackexchange.com/questions/100650/how-secure-is-7z-encryption/233813#233813 for more info. – mti2935 Sep 23 '21 at 16:24
  • 3
    Do you have the ransomware payload by any chance? Maybe submit it to [VirusTotal](https://www.virustotal.com/gui/home/upload)? – Adam Katz Sep 23 '21 at 21:37
  • 2
    1) Do you know anything about the password, for example its length and the characters used in it? 2) Some ransomware has been cracked and the decryption is publically available. – Andrew Morton Sep 24 '21 at 16:22

1 Answers1

26

7z uses AES-256 with the CBC mode of operation for encryption. Since AES in CBC mode is resistant to known-plaintext attacks ( The CBC mode has greater security than KPA, it has Ind-CPA), having the original files will not assist you in cracking the key/password used for encryption.

mti2935 and Adam Katz point out that 7z used a broken IV generation mechanism up till 2019. While detrimental to secrecy of the encrypted data, as far as I can tell, it only leaks information about the plaintext. I'm not a cryptographer and can't state this authoritatively, but I don't think the weak IV enables attacks against AES that would allow recovery of the key/password faster than brute force. (Edit: Someone with sufficient cryptographic knowledge has commented, confirming that the attack on weak IVs is not a key finding attack.)

kelalaka
  • 5,409
  • 4
  • 24
  • 47
nobody
  • 11,251
  • 1
  • 41
  • 60
  • 3
    AES is pretty strong, but 7zip's AES implementation has had at least one [vulnerability](https://threadreaderapp.com/thread/1087848040583626753.html) identified in the past (it was a bad [RNG](https://en.wikipedia.org/wiki/Random_number_generation "random number generator")). – Adam Katz Sep 23 '21 at 21:36
  • 1) (Edited) The link of @AdamKatz is problematic see also ;[7zip : Why does encrypting the same file with AES-256 not give the same output?](https://crypto.stackexchange.com/a/77548/18298). The bug cleaned, however, one cannot apply a known-plaintext attack to the CBC mode. See the canonical question on Crypto [Why is CBC with predictable IV considered insecure against chosen-plaintext attack?](https://crypto.stackexchange.com/q/3883/18298) what you can do with this. – kelalaka Sep 24 '21 at 19:41
  • 4
    2) The attack on weak/predictable IV is not a key finding attack. If the keys are the same for each file then even [AES-128 is secure](https://crypto.stackexchange.com/questions/76738/has-aes-128-been-fully-broken/76746#76746). And in the case of AES-256, the multi-target attack will fail, too. Even for AES-128, multi-target attack is far beyond OP. They should wait until the key is leaked, some attackers leaks after some time. – kelalaka Sep 24 '21 at 19:41
  • 1
    Also, note that AES is a primitive. To talk about KPA,Ind-CPA, Ind-CCA, etc, you need a mode of operation. It is better to say 7Zip uses AES in CBC mode and CBC-mode is [CPA-secure](https://crypto.stackexchange.com/a/87033/18298) – kelalaka Sep 24 '21 at 19:49