When Random Is Not Quite Random: Beating Ransomware
Isn’t it a nice feeling when the bad guys get it wrong? Well, in a new research paper, the authors have discovered that it is possible to recover ransomware files without the need for the adversary’s private key [here]:
Overall, the Rhysida ransomware uses a fairly standard approach to file encryption: a random symmetric key is used to encrypt each file with AES-CTR, and this random key is then encrypted with the adversary's RSA-4096 public key.
The encrypted symmetric key is then appended to the encrypted file, so the adversary can later recover the key by decrypting it with their RSA-4096 private key. After the target has paid the ransom, the adversary sends back the correct AES-CTR key, and the target uses it to recover the files. Without that key it would be almost impossible to recover the symmetric key, as RSA-4096 and AES-CTR are strong encryption methods.
The core method used by the ransomware is to generate a 32-byte (256-bit) symmetric key…
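As an added illustration (not code from the paper or from the article), the hybrid scheme described above in Go: a fresh 32-byte AES-256-CTR key per file, wrapped with the RSA public key and appended to the ciphertext, with decryption possible only for the holder of the private key. The IV placement and the OAEP padding are assumptions of this example; the weakness the title alludes to lies in how that key is generated, which this block does not model.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Assumed layout: 16-byte CTR IV || AES-256-CTR ciphertext || RSA-OAEP wrapped 32-byte key.
// The article gives the 32-byte key and the appended RSA-4096-encrypted key; the IV
// position and the OAEP padding are assumptions of this example.
const keyLen = 32

// ctrXOR applies the AES-CTR keystream for (key, iv); encryption and decryption are the same op.
func ctrXOR(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// encryptFile models the scheme: fresh random key and IV, CTR-encrypt, wrap the key, append it.
func encryptFile(pub *rsa.PublicKey, plain []byte) ([]byte, error) {
	buf := make([]byte, keyLen+aes.BlockSize)
	if _, err := rand.Read(buf); err != nil { return nil, err }
	key, iv := buf[:keyLen], buf[keyLen:]
	ct, err := ctrXOR(key, iv, plain)
	if err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil { return nil, err }
	return bytes.Join([][]byte{iv, ct, wrapped}, nil), nil
}

// decryptFile is the private-key holder's path: the trailing pub.Size() bytes (512 for
// RSA-4096) are the wrapped key; with any other private key the unwrap fails.
func decryptFile(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	n := len(data) - priv.PublicKey.Size()
	if n < aes.BlockSize { return nil, errors.New("file too short for IV plus wrapped key") }
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, data[n:], nil)
	if err != nil { return nil, err }
	return ctrXOR(key, data[:aes.BlockSize], data[aes.BlockSize:n])
}
```

An analyst inspecting such a file can locate the wrapped key from the trailer length alone, but its contents are useless without the private key or a flaw in how the 32-byte key was produced.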