How does ransomware work?

1

0

If it's possible to get a full rundown on how ransomware usually works in encrypting files, that would be nice.

I know ransomware encrypts all files with AES-256 for speed, but where does RSA come in? Apparently RSA is slow to encrypt files, so it uses AES-256 first and then RSA? Can someone explain that to me?

Also, does the RSA key come from the criminal's C&C server which locks the AES key? If this is the case, shouldn't the AES key be recoverable?

Sam

Posted 2016-01-26T07:15:42.263

Reputation: 11

Question was closed 2016-01-26T13:22:09.810

I'm voting to close this question as off-topic because it has been cross posted to http://security.stackexchange.com/questions/111733/how-does-ransomware-work. Please read Is cross posting OK?

– Mokubai – 2016-01-26T13:22:09.810

Answers

1

Typically, the ransomware generates a new, random AES key to encrypt the data with. It encrypts the AES key with the criminal's RSA public key. Now, only the criminal can decrypt the encrypted AES key and get the symmetric key needed to decrypt the data.

David Schwartz

Posted 2016-01-26T07:15:42.263

Reputation: 58 310

1

@Sam This is the default way crypto works with public/private key pairs: use the key pair with large keys for the initializations, then generate a smaller key to use with the actual (much faster) symmetric encryption/decryption algorithms. You should read some primers on public key encryption.

– Jan Doggen – 2016-01-26T09:35:53.810