The Anti-virus Times

Monday, June 26, 2017

Why can anti-virus companies recover files that have been encrypted by encryption ransomware, and how difficult is it for them to do that?

Encryption is not a very long word, but it denotes a rather complex phenomenon.

First, an encryption algorithm (a routine rather than a program or a library) is involved. Every algorithm is tested to determine how resistant it is to cryptanalysis.

That's almost a record!

But how a certain algorithm is implemented in software code is also important. This is where encryption ransomware authors can make their first mistake. Unfortunately, nowadays they tend to use proprietary libraries or encryption tools that are available in an operating system out-of-the-box. In such cases, the probability of making a mistake implementing an algorithm is next to zero.

Furthermore, there exist symmetric key and asymmetric key algorithms. For example, Advanced Encryption Standard (AES) makes use of symmetric keys (the same key is utilised for encryption and decryption). Obviously if there is only one key, it can be acquired and used to decrypt data.

Asymmetric algorithms such as the RSA are a better option. To use those, a public and a private key are generated. The public key is used to encrypt data, while the private key facilitates its decryption. The keys are usually created on attackers' servers, and only the public key ends up on the machine of the victim being targeted. Obviously if access to the attackers' server is blocked, the private key can’t possibly be obtained, making data unrecoverable.

Clearly, asymmetric key algorithms are more appealing to criminals. But running the routine also requires more resources, and this means that the malicious activity can be discovered. Different encryption ransomware authors make different choices. For example, a public RSA key can only be used to encrypt an AES key that is created in advance locally. An RSA-encrypted AES key is then appended at the beginning of every encrypted file along with permissions and an AES initialisation vector.

WannaCry encrypts files using AES-128 (128 indicates the key length) and makes use of test and standard encryption modes.

The CryptGenKey routine generates an RSA key pair; the public key is saved in the file 00000000.pky, and the private key is encrypted with the author’s public key and saved in the file 00000000.eky. A key is generated for each encrypted file, using the CryptGenRandom function.

In the test mode, encryption is performed using the second RSA key hardcoded in the Trojan. During the course of encryption, a list is created of the files that can be decrypted in test mode. It is saved to f.wnry. That's why files that have been encrypted in test mode can be recovered.

Key length. If a key is short, it can be cracked in a brute-force attack.

Generating a key. It is quite obvious that different keys must be used on each attacked machine. And here attackers make a lot of mistakes. To make sure that keys are generated randomly, random prime numbers are used. And these numbers should be stored as safely as the keys because if a key-generating routine is known, the number can be used to generate the file again. That's why it’s become possible to recover WannaCry-encrypted files.

In the course of its operation, WannaCry uses prime numbers to generate encryption keys for the infected system. To prevent a user from gaining access to the private key and decrypting the compromised files independently, the Trojan deletes the key in the system. But the two prime numbers used to generate the encryption keys aren't erased from the memory and can be found in the memory area of the wcry.exe process.

The key recovery technique only works under Windows XP, Vista, and Server 2003 and 2008, and only under the following conditions:

1. The computer wasn't rebooted after the infection occurred.
2. The memory area wasn't allocated or cleaned by another process.

A certain degree of luck is involved—this method doesn't always work.

It was discovered by Adrien Guinet, a French information security researcher from Quarkslab.