1.1 Ransomware
Ransomware is a kind of computer malware that kidnaps personal files, makes them inaccessible, and demands a ransom payment to restore them. In most ransomware, the personal files targeted include documents, databases, source code, pictures, videos, etc., and Bitcoin is often used as the ransom currency. The first kind of ransomware was found in 1989, and ransomware seems to have surged since 2012. Until now, millions of people have become victims of ransomware, which makes ransomware even more rampant.
1.2 Content
Because ransomware has already disturbed our daily lives, we decided to write something for both non-technicians and technicians. We have summarized our work on ransomware and chosen 10 kinds of ransomware, which we discuss in Section 2. From this paper, one can understand the basic idea of how ransomware works and exactly which algorithms are used to encrypt a victim’s personal files. We also sincerely hope that this paper can help those who want to analyze ransomware further. Note that we focus our discussion only on the encryption and decryption methods; other topics, such as packing, anti-sandbox techniques, elevation of privilege and DLL injection, are not considered. Finally, given the limited level of the author, anything inappropriate in the paper awaits correction by knowledgeable readers.
1.3 Organization
This paper is organized as follows. In Section 1, we introduce ransomware and the content of this paper; anybody who wants to read this paper can decide from this section whether it is helpful. The encryption procedure of each ransomware is discussed one by one in Section 2. In Section 3, we discuss the vulnerabilities in ransomware that have allowed some ransomware to be cracked; however, there is much more ransomware that cannot be cracked. Finally, in Section 4, we conclude the paper with the development trend of ransomware and some advice on protecting ourselves.
2. Sample analysis
This section covers 10 kinds of representative ransomware, arranged in alphabetical order; let’s look at the encryption method used in each of them, one by one. Note that, to help everyone understand the encryption methods below, we tend to describe them in a comprehensible but unscientific way, so what we describe in the paper might differ a little from what happens in the ransomware, but the main idea is correct. Besides, all hash algorithms are ignored, because they would impose an extra burden on understanding the ransomware.
2.1 Apocalypse
2.1.1 Introduction of Apocalypse
Apocalypse ransomware was found in June 2016, and it was completely defeated just before it became widely spread. However, we still want to discuss it, because Apocalypse represents a kind of ransomware that uses a custom-designed encryption algorithm instead of a standard encryption algorithm. When infected by Apocalypse ransomware, a victim’s personal files get encrypted and look like this:
As the figure shows, all the personal files get encrypted with the extension ‘.encrypted’; moreover, a corresponding payment note is generated with a similar file name for each encrypted file.
2.1.2 Encryption procedure of Apocalypse
Unlike the other ransomware discussed later, Apocalypse ransomware uses a custom-designed encryption algorithm, and the key is also stored in the ransomware:
In the figure, the key of the algorithm is stored in register DL, and register CL is a counter. When the encryption process is finished, the ciphertext overwrites the plaintext and the ‘.encrypted’ extension is added.
2.1.3 Decryption procedure of Apocalypse
Since this custom-designed encryption algorithm belongs to the class of symmetric-key algorithms, it is not difficult to find the decryption algorithm. We can decrypt the infected file by the encryption algorithm with the same key. More details of symmetric-key algorithms can be found on the wiki: https://en.wikipedia.org/wiki/Symmetric-key_algorithm
2.2 Cerber
2.2.1 Introduction of Cerber
Cerber ransomware was first released in March 2016, and as of now (2016.9) the second version of Cerber has been detected. In this subsection, we discuss the original version of Cerber ransomware, which leaves the victim’s files with the extension ‘.cerber’. A victim’s personal files encrypted by Cerber ransomware look like this:
In the above figure, “# DECRYPT MY FILES #.txt”, “# DECRYPT MY FILES #.html” and “# DECRYPT MY FILES #.vbs” are payment notes generated by Cerber ransomware. It is also easy to distinguish Cerber from other ransomware by the extension of the encrypted files.
2.2.2 Encryption procedure of Cerber
The encryption algorithms adopted in Cerber ransomware are RSA and RC4. Detailed descriptions of RSA and RC4 can be found on the wiki:
RSA: https://en.wikipedia.org/wiki/RSA_(cryptosystem)
RC4: https://en.wikipedia.org/wiki/RC4
Compared with the ransomware discussed in 2.1, Cerber is much more complex and rigorous. To make it easy to understand, we discuss the main idea of the encryption procedure in Cerber, which is simplified from the real Cerber ransomware and much more understandable. Cerber ransomware adopts a three-level encryption algorithm. The first step is to encrypt a randomly generated RSA key by the RSA algorithm with the built-in RSA key. The second step is to encrypt a randomly generated RC4 key by the RSA algorithm with the randomly generated RSA key. The third step is to encrypt the victim’s personal file by the RC4 algorithm with the randomly generated RC4 key. For each Cerber sample, a configuration file is encrypted and stored in the resource segment. After it is decrypted, a built-in RSA public key encoded in base64 can be found:
For each of the victim’s personal files, a unique RC4 key is generated, and then the file is encrypted by RC4 with that key. The RC4 algorithm is shown below:
However, note that Cerber ransomware encrypts only some parts of the victim’s personal file, not the whole file. Moreover, some information needed in the decryption procedure is also organized and stored in the encrypted file.
2.2.3 Decryption procedure of Cerber
It is not difficult to work out the decryption procedure of Cerber ransomware once you understand 2.2.2. There is no way to get the global RSA private key unless the author of Cerber releases it. So, to decrypt a file, the first step is to fetch the randomly generated RSA private key from the C&C server, then decrypt the randomly generated RC4 key, and finally decrypt the file with RC4.
2.3 CryptoWall
2.3.1 Introduction of CryptoWall
CryptoWall ransomware was detected in 2014, and up to now the fourth version of CryptoWall has been released. In this subsection, we discuss the third version of CryptoWall. When infected by CryptoWall, a victim’s personal files get encrypted and look like this:
In the above figure, the file extension is 3 randomly generated characters. “HELP_DECRYPT.HTML”, “HELP_DECRYPT.PNG” and “HELP_DECRYPT.TXT” are payment notes generated by CryptoWall.
2.3.2 Encryption procedure of CryptoWall
CryptoWall ransomware adopts the RSA and AES algorithms in its encryption procedure. A more detailed description of AES can be found on the wiki:
AES: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
The implementation of RSA and AES depends on CryptoAPI, which is included in Microsoft Windows operating systems. The details can be found on the wiki:
CryptoAPI: https://en.wikipedia.org/wiki/Microsoft_CryptoAPI
CryptoWall ransomware needs to request an RSA public key from its C&C server, so if CryptoWall fails to connect to its C&C server, it won’t encrypt any file. After that, a randomly generated AES key is encrypted by the RSA algorithm:
Next, the victim’s personal file is encrypted by AES with the key generated in the previous step:
Finally, the ciphertext, together with some necessary information, overwrites the original file.
2.3.3 Decryption procedure of CryptoWall
The decryption procedure of CryptoWall is almost the same as its encryption procedure: first, get the RSA private key back from the C&C server; second, decrypt the randomly generated AES key with that RSA private key; and last, decrypt the victim’s personal file with that AES key.
2.4 CTB_Locker
2.4.1 Introduction of CTB_Locker
CTB_Locker is also an old ransomware brand, which spread in 2014, but this ransomware replaces the RSA algorithm with a more sophisticated algorithm. A victim’s file encrypted by CTB_Locker ransomware gets a randomly generated 7-character extension:
In the above figure, the first 2 files are payment notes generated by CTB_Locker automatically.
2.4.2 Encryption procedure of CTB_Locker
CTB_Locker is also very complex and rigorous. As in 2.2.2, we discuss CTB_Locker in a more casual way, and all hash algorithms are ignored. The AES algorithm and the ECDH algorithm are adopted in CTB_Locker ransomware. The elliptic curve used in ECDH is curve25519. More detailed descriptions of ECDH and curve25519 can be found on the wiki:
ECDH: https://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman
Curve25519: https://en.wikipedia.org/wiki/Curve25519
The ECDH algorithm is an anonymous key agreement protocol. If you find it hard to understand, you can treat the ECDH algorithm as the RSA algorithm, which makes it much easier. A three-level encryption procedure is adopted in CTB_Locker ransomware. The first step is to encode a randomly generated ECDH key with the built-in ECDH public key (we use the word ‘encode’ because ECDH is a key agreement protocol, not an encryption algorithm):
In the above picture, ‘PblKey’ is the randomly generated ECDH key. The second step is to encode a randomly generated AES key by that randomly generated ECDH key.
The third step is to encrypt the victim’s personal file by the AES algorithm with that randomly generated key.
Finally, the ciphertext and some information needed in the decryption procedure overwrite the original file.
2.4.3 Decryption procedure of CTB_Locker
Since we can’t get the private ECDH key corresponding to the built-in public ECDH key, the whole decryption procedure of CTB_Locker contains 2 steps: we first decode the AES key with the randomly generated ECDH private key fetched from the C&C server, and then decrypt the victim’s personal file with that AES key.
2.5 Jigsaw
2.5.1 Introduction of Jigsaw
Jigsaw ransomware was first released around April 2016, and as of now (2016.9) the second version of Jigsaw has been found. Jigsaw is a kind of ransomware that runs on the .NET Framework. A more detailed description of the .NET Framework can be found on the wiki:
.NET Framework: https://en.wikipedia.org/wiki/.NET_Framework
In this subsection, we discuss the original version of Jigsaw. A victim’s personal file encrypted by Jigsaw ransomware ends up with the ‘.fun’ extension:
Besides, Jigsaw ransomware was completely defeated soon after its release, and then an updated version of Jigsaw ransomware was produced.
2.5.2 Encryption procedure of Jigsaw
Jigsaw ransomware adopts the AES algorithm in its encryption procedure. The key and IV of the AES algorithm can be found in the Jigsaw sample:
The encryption process is also very clear (no wonder it has been defeated):
Finally, the ‘.fun’ extension is added, and the encryption procedure is finished.
2.5.3 Decryption procedure of Jigsaw
All we need to do is decrypt the victim’s personal file by the AES algorithm with the same key and IV. In fact, the decryption procedure can also be found in the Jigsaw ransomware sample.
2.6 Locky
2.6.1 Introduction of Locky
Locky is another ransomware that needs to request an RSA public key from its C&C server, and the first Locky sample was found around February 2016. If Locky ransomware fails to connect to its C&C server, nothing gets encrypted. An encrypted personal file ends up with the ‘.locky’ extension:
In the above figure, “_HELP_instructions.bmp” and “_HELP_instructions.html” are payment notes generated by Locky automatically.
2.6.2 Encryption procedure of Locky
Locky ransomware adopts the RSA algorithm and the AES algorithm in its encryption procedure, but the implementations of both algorithms differ among versions of Locky. In the Locky sample discussed here, the RSA algorithm is implemented by CryptoAPI, the same as in CryptoWall discussed in 2.3.2.
The RSA algorithm is used to encrypt the randomly generated AES key, and the RSA public key is fetched from the Locky C&C server. The randomly generated AES key is used to encrypt the victim’s personal file. The AES algorithm is implemented with the AES instruction set, including ‘aesenc’ and so on:
A more detailed description of the AES instruction set can be found on the wiki:
AES instruction set: https://en.wikipedia.org/wiki/AES_instruction_set
When the encryption process is finished, the ciphertext with some necessary information overwrites the original file.
2.6.3 Decryption procedure of Locky
The decryption procedure of Locky is similar to that of CryptoWall in 2.3.3. First, fetch the RSA private key from the C&C server and decrypt the AES key. Second, decrypt the victim’s personal file with that AES key and the extra information stored in the encrypted file.
2.7 Petya
2.7.1 Introduction of Petya
Petya ransomware is a special ransomware that was found in March 2016. Compared with other ransomware, Petya is totally different. On the one hand, Petya overwrites the bootstrap code in the master boot record (MBR) and stops the normal initialization of Windows; on the other hand, Petya encrypts the NTFS master file table (MFT) instead of each of the victim’s personal files. Detailed descriptions of the MBR and the NTFS MFT can be found on the wiki:
MBR: https://en.wikipedia.org/wiki/Master_boot_record
NTFS MFT: https://en.wikipedia.org/wiki/NTFS#Internals
When infected by Petya ransomware, the computer stops booting and shows this screen:
In the above figure, all the payment notes are written in white characters on a blood-red background.
2.7.2 Encryption procedure of Petya
The encryption procedure of Petya ransomware is not complex; the ECDH algorithm and the SALSA20 algorithm are adopted in Petya. The elliptic curve used in ECDH is secp192k1. More detailed descriptions of SALSA20 and secp192k1 can be found on the wiki:
SALSA20: https://en.wikipedia.org/wiki/Salsa20
Secp192k1: wiki doesn’t have any relevant article!
Since the ECDH algorithm is a little complicated to understand, as we explained in 2.4.2, we treat the ECDH algorithm as the RSA algorithm, which makes it much clearer. The first step is to encode a randomly generated SALSA20 key by the ECDH algorithm:
The SALSA20 algorithm is launched in the second step, which runs fully in a 16-bit environment:
The payment note screen shows up when the MFT has been encrypted.
2.7.3 Decryption procedure of Petya
Only one step is involved in the decryption procedure: decrypt and restore the victim’s MBR and MFT by SALSA20 with the key fetched from the C&C server.
2.8 TeslaCrypt
2.8.1 Introduction of TeslaCrypt
TeslaCrypt ransomware was detected in February 2015, and up to now there are 4 main versions of TeslaCrypt. Different versions of TeslaCrypt use different extensions for their encrypted files, such as ‘.ecc’, ‘.ezz’, ‘.zzz’, ‘.vvv’, ‘.abc’ and so on. In this subsection, we discuss the fourth version of TeslaCrypt. No extension is added to the encrypted file, as shown in the figure:
In the above figure, “-!RecOveR!-yjxka++.Htm”, “-!RecOveR!-yjxka++.Png” and “-!RecOveR!-yjxka++.Txt” are payment notes generated by TeslaCrypt ransomware automatically.
2.8.2 Encryption procedure of TeslaCrypt
Different versions of TeslaCrypt ransomware use different encryption algorithms. In the sample discussed here, the ECDH algorithm and the AES algorithm are adopted. The elliptic curve used in ECDH is secp256k1. This is the last time we discuss ECDH, which may be a little complicated. The whole encryption procedure of TeslaCrypt is similar to that of CTB_Locker in 2.4.2. TeslaCrypt ransomware encrypts the victim’s personal file by a three-level encryption procedure. One can treat ECDH as RSA, as we said in 2.4.2. In the first level, a randomly generated ECDH key is encoded by the ECDH algorithm with the built-in ECDH key. In the second level, a randomly generated AES key is encoded by ECDH with the randomly generated ECDH key:
In the third level, the AES algorithm is adopted to encrypt the victim’s personal file:
Finally, the ciphertext and some necessary information, such as the encoded ECDH public key, overwrite the original file.
2.8.3 Decryption procedure of TeslaCrypt
This is also similar to CTB_Locker in 2.4.3: normally we cannot fetch the global ECDH private key, so only 2 steps are involved in the decryption procedure. The first step is to decrypt the AES key by the ECDH algorithm with the key fetched from the C&C server; the second step is to decrypt the victim’s personal file with the decrypted AES key.
2.9 TorrentLocker
2.9.1 Introduction of TorrentLocker
TorrentLocker is another notorious ransomware found in 2014. Most versions of TorrentLocker ransomware add the ‘.encrypted’ extension to their encrypted files, and some versions of TorrentLocker try to disguise themselves as CryptoLocker ransomware. In this subsection, we discuss an early version of TorrentLocker, which does not change the size of the files it encrypts:
In the above figure, “PLEASE_READ.txt” is the payment note generated by TorrentLocker automatically.
2.9.2 Encryption procedure of TorrentLocker
The RSA algorithm and the AES algorithm are adopted in TorrentLocker ransomware. The RSA algorithm is used to encrypt a randomly generated AES key, and the victim’s personal file is encrypted with that AES key. In fact, a very large part of the ransomware that we haven’t discussed in this paper works in the RSA-AES pattern. The random AES key is generated by the Yarrow algorithm; a detailed description of the Yarrow algorithm can be found on the wiki:
Yarrow algorithm: https://en.wikipedia.org/wiki/Yarrow_algorithm
The seed of the Yarrow algorithm contains the return values of the following functions:
Note that this is not the full list of relevant functions. In the next step, the victim’s personal file is encrypted 16 bytes at a time with the AES algorithm:
When the encryption process is finished, the original file is overwritten by the ciphertext, with no extra data.
2.9.3 Decryption procedure of TorrentLocker
Although the AES key is encrypted by the RSA algorithm, we can’t get the RSA private key back. To decrypt the victim’s personal file, we need to fetch the AES key from the C&C server; with that AES key, we can decrypt the victim’s personal file with the AES algorithm.
2.10 Unlock92
2.10.1 Introduction of Unlock92
Unlock92 is the last one that we are going to discuss. Unlock92 ransomware was first released around June 2016, and up to now the second version of Unlock92 has been detected. Unlock92 ransomware runs on the .NET Framework. The first version of Unlock92 ransomware adds a ‘.CRRRT’ extension to its encrypted files, and the second version adds a ‘.CCCRRRPPP’ extension. Compared with the first version, the second version is more complex, so we discuss the second version of Unlock92:
In the above figure, “FBDX.jpg” is the payment note generated by Unlock92 ransomware automatically.
2.10.2 Encryption procedure of Unlock92
Unlock92 ransomware uses the RSA algorithm twice in its encryption procedure. Each Unlock92 sample has a built-in RSA public key, encoded in base64, which is used to encrypt a randomly generated RSA key:
The randomly generated RSA key is used to encrypt the victim’s personal file:
To maximize the efficiency of the encryption procedure, Unlock92 ransomware encrypts only the first 0x300 bytes of the victim’s personal file, not the whole file.
2.10.3 Decryption procedure of Unlock92
To decrypt a victim’s personal file encrypted by Unlock92 ransomware, we need to retrieve the randomly generated RSA private key from the C&C server; with that key, we can get the victim’s personal file back using the RSA algorithm.
3. Vulnerabilities in ransomware
3.1 Summary of encryption method
In Section 2, we outlined the encryption methods of the 10 chosen ransomware. Each of them stands for one kind of encryption procedure, and the encryption methods of other ransomware not presented here may belong to one of them. Now we can summarize the encryption methods found in that ransomware as follows:
- A custom-designed encryption algorithm, as analyzed in 2.1.
- A 1-level encryption algorithm, as analyzed in 2.5.
- A 2-level encryption algorithm, such as the RSA-AES pattern, as analyzed in 2.3, 2.6, 2.7, 2.9 and 2.10.
- A 3-level encryption algorithm, such as the ECDH-ECDH-AES pattern, as analyzed in 2.2, 2.4 and 2.8.
- An encryption module from other normal software. For example, CryptoHost ransomware encrypts the victim’s personal files with WINRAR’s encryption module, and Vault ransomware encrypts the victim’s personal files with GNUPG’s encryption module.
As we can see, standard encryption algorithms are widely used in ransomware, except for the ransomware described in subsection 2.1, which adopts a custom-designed encryption algorithm. Among all the standard encryption algorithms, AES has the highest utilization rate, followed by RSA, and some ransomware also uses ECDH. Since all those standard encryption algorithms can be regarded as uncrackable, the reason why ransomware can be cracked is entirely the improper use of standard encryption algorithms.
3.2 Summary of decryption method
If all ransomware were well designed, in other words, if all ransomware were non-crackable, the correct methods to decrypt a victim’s personal files could be summarized as follows:
- For a custom-designed encryption algorithm, we need to get both the decryption algorithm and the decryption key.
- For a 1-level encryption algorithm, we need to get the decryption key and decrypt the victim’s personal file with that key.
- For a 2-level encryption algorithm, we need to get either the first-level key or the second-level key. If we have the first-level key, we can restore the second-level key with it, and then decrypt the victim’s personal file with the second-level key.
- For a 3-level encryption algorithm, we need to have one of those 3 keys. If we have the first-level key, we can restore the second-level key with the first-level key, restore the third-level key with the second-level key, and finally decrypt the victim’s personal file with the third-level key.
- For ransomware that uses an encryption module from other normal software, we need to get the decryption key.
From the ransomware author’s point of view, the decryption methods mentioned above are thought to be the only correct way to decrypt a victim’s files. However, some kinds of ransomware contain more or fewer vulnerabilities, which allow them to be cracked. We summarize those vulnerabilities in 3.3.
3.3 Summary of vulnerabilities in ransomware
Only a small number of ransomware can be cracked, and the main reason that ransomware gets cracked is that it fails to use standard encryption algorithms correctly. As far as we can see, the detailed reasons for each cracked ransomware can be summarized as follows:
- The custom-designed algorithm. The ransomware in 2.1 is cracked because its custom-designed algorithm is not as strong as a standard encryption algorithm.
- Improper way to keep the key. The ransomware in 2.5 is cracked because a built-in AES key is used to encrypt the victim’s personal files.
- Weakness in cryptographic strength. The RSA key used in the early version of the ransomware analyzed in 2.8 is so short that it can be factorized.
- The unscientific pseudo-random number generator. The pseudo-random number is predictable in the early version of the ransomware analyzed in 2.10.
- Vulnerabilities in the C&C server. Some vulnerabilities existed in the C&C server of the ransomware in 2.2, which helped lots of victims retrieve their keys.
- Other reasons, such as the author of CoinVault being arrested, the author of TeslaCrypt releasing the global private ECDH key, and so on.
There are still some reasons that do not appear in the above summary, such as the arrest of the author of CoinVault, but we believe that it is not hard for you to find those reasons by yourself.
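As an added illustration of the ‘weakness in cryptographic strength’ item above (this is not code from the paper or from any sample), the following Python sketch shows why a too-short RSA modulus lets a defender rebuild the first-level private key and unwrap the second-level key without the C&C server. The modulus, exponent and wrapped key are constructed values, and unpadded textbook RSA is assumed for brevity.

```python
import math
import random

# Constructed demo key: the product of two known Mersenne primes (about 92 bits).
# Real RSA moduli are 2048 bits or more; anything this short can be factored quickly.
P_DEMO = 2**31 - 1
Q_DEMO = 2**61 - 1
N_DEMO = P_DEMO * Q_DEMO
E_DEMO = 65537


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of the composite number n (Pollard's rho)."""
    if n % 2 == 0:
        return 2
    rng = random.Random(0)  # fixed seed keeps the run reproducible
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n          # tortoise: one step
            y = (y * y + c) % n          # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:                       # d == n means this walk failed; retry
            return d


def rebuild_private_exponent(n: int, e: int) -> int:
    """Factor n and derive the RSA private exponent d = e^-1 mod phi(n)."""
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def unwrap_file_key(wrapped: int, n: int, e: int) -> bytes:
    """Recover the second-level (file) key from its RSA-wrapped form."""
    d = rebuild_private_exponent(n, e)
    return pow(wrapped, d, n).to_bytes(8, "big")


# Constructed second-level key and its wrapped form, as it would sit in a file header.
FILE_KEY = bytes.fromhex("0011223344556677")
WRAPPED = pow(int.from_bytes(FILE_KEY, "big"), E_DEMO, N_DEMO)

if __name__ == "__main__":
    print(unwrap_file_key(WRAPPED, N_DEMO, E_DEMO).hex())
```

With a modulus of proper length the factoring step is infeasible, which is why the well-designed families in Section 2 can only be decrypted with a key from the C&C server.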
3.4 Summary of sample analysis
In this subsection, the samples analyzed in Section 2 are summarized more clearly in this table (the version of each ransomware in the table is given in the corresponding subsection):
Besides, the early version of Unlock92 is crackable because the pseudo-random number is predictable, so the second-level key can be guessed.
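The kind of recovery described in the last sentence can be sketched as follows. This is an added Python example, not code from the paper or from Unlock92: it assumes, purely for illustration, that the weak generator was seeded with a Unix timestamp, and it uses Python’s random module and a SHA-256 counter keystream as stand-ins for the real generator and cipher. A defender who knows roughly when a file was encrypted and what its header should look like can then enumerate the candidate seeds.

```python
import hashlib
import random
from typing import Optional

PDF_MAGIC = b"%PDF-"  # known first bytes of the file type being recovered


def weak_key(seed: int) -> bytes:
    """Hypothetical flawed generator: a 128-bit key from a PRNG seeded with a timestamp."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 in counter mode); the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def recover_seed(ciphertext: bytes, mtime: int, window: int,
                 magic: bytes = PDF_MAGIC) -> Optional[int]:
    """Search seeds in [mtime - window, mtime]; accept the one that restores the magic bytes."""
    head = ciphertext[:len(magic)]
    for seed in range(mtime, mtime - window - 1, -1):
        if keystream_xor(weak_key(seed), head) == magic:
            return seed
    return None


def recover_file(ciphertext: bytes, mtime: int, window: int = 3600) -> Optional[bytes]:
    """Return the decrypted file, or None if no seed in the window fits."""
    seed = recover_seed(ciphertext, mtime, window)
    return None if seed is None else keystream_xor(weak_key(seed), ciphertext)


# Constructed sample: a small "PDF" encrypted 37 seconds before its last-modified time.
TRUE_SEED = 1466000000
PLAINTEXT = b"%PDF-1.4\n% constructed sample document for this example\n"
CIPHERTEXT = keystream_xor(weak_key(TRUE_SEED), PLAINTEXT)
MTIME = TRUE_SEED + 37

if __name__ == "__main__":
    print(recover_seed(CIPHERTEXT, MTIME, 3600), recover_file(CIPHERTEXT, MTIME))
```

The search space is only as large as the uncertainty about the seed, here one hour of timestamps, instead of the 2^128 possible keys.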
4. Trends and suggestions
4.1 Trends
From what we see, both the amount and the types of ransomware are increasing. Moreover, the source code and the building tools of ransomware have been sold on black markets, which makes it much easier to generate a new type of ransomware. If no effective measures are taken, it is really difficult to estimate how bad the outcome we are going to face will be. The good news is that the anti-ransomware camp is also getting stronger. Most anti-virus companies have launched products to help people keep away from ransomware, and we think more and more victims will benefit from their products.
4.2 Suggestions
Up to now, ransomware has had more or fewer problems in its use of standard encryption algorithms, but as ransomware develops, those problems are becoming fewer and fewer. Once the author of a ransomware masters the usage of standard encryption algorithms, it is truly difficult to restore the victim’s personal files. Therefore, we suggest giving priority to defense. On the one hand, computer users should back up their personal files instantly; on the other hand, anti-virus companies should design special algorithms to recognize ransomware and suspend the encryption process according to the features of ransomware, such as walking the file system. Besides, don’t surrender to panic even if you are infected by ransomware; consulting some experts may be a good way to deal with that situation.
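One feature such a recognizer can use is the entropy of what gets written to disk. The following Python sketch is an added example, not part of the paper or of any anti-virus product; the window size reuses the 0x300-byte region from 2.10.2, while the threshold and the sample data are assumptions chosen for illustration. It shows that a file encrypted only in part, as in 2.2.2 and 2.10.2, is missed by a whole-file entropy check but caught by a per-window scan.

```python
import math
import random
from collections import Counter

WINDOW = 0x300      # region size the paper reports for Unlock92 (2.10.2)
THRESHOLD = 7.2     # bits per byte; assumed cut-off for a window of this size


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of data in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = WINDOW,
                         threshold: float = THRESHOLD) -> list:
    """Offsets of the full windows whose entropy reaches the threshold."""
    return [off for off in range(0, len(data) - window + 1, window)
            if shannon_entropy(data[off:off + window]) >= threshold]


def verdict(data: bytes, window: int = WINDOW, threshold: float = THRESHOLD) -> str:
    """Classify a file by how many of its windows look like ciphertext."""
    total = len(data) // window
    if total == 0:
        return "too-small"
    high = len(high_entropy_windows(data, window, threshold))
    if high == 0:
        return "normal"
    return "high-entropy-throughout" if high == total else "partially-high-entropy"


# Constructed samples: plain text, the same text with only its first WINDOW bytes
# replaced by random bytes, and a fully random buffer.
_rng = random.Random(2016)


def _random_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


TEXT = b"Quarterly report: revenue, costs and forecast figures for the team.\n" * 1000
PARTIAL = _random_bytes(WINDOW) + TEXT[WINDOW:]
FULL = _random_bytes(len(TEXT))

if __name__ == "__main__":
    for name, blob in (("text", TEXT), ("partial", PARTIAL), ("full", FULL)):
        print(name, round(shannon_entropy(blob), 2), verdict(blob))
```

Compressed formats such as ZIP or JPEG are also high-entropy throughout, so in practice this signal is combined with others, such as the file-system walking mentioned above.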