Black Hat 2015

Black Hat 2015: Ransomware not all it’s cracked up to be

Ransomware is readily detectable and some types can be forced to cough up frozen data without paying the ransom, researcher says


All ransomware is not created equal and therefore should not be universally feared, a researcher will tell the Black Hat 2015 conference this week.

Engin Kirda

Engin Kirda

In fact, some ransomware – which locks up infected computers until a demanded sum is paid – makes false claims about the damage it is capable of doing, and some of the data it purports to seize can be recovered, says Engin Kirda, the cofounder and chief architect at Lastline Labs.

+ ALSO ON NETWORK WORLD:  Read all the stories out of Black Hat +

For example, certain families of ransomware threaten to delete files, but the method they use to do so doesn’t securely wipe them from the disk, he says, and as a result, “there is a good chance that the deleted files can be recovered.”

Some ransomware – notably Cryptolocker and Cryptowall – do a good job of encrypting data until victims pay to get it decrypted, he says. “However, many other ransomware families also exist that do a bad job in cryptography,” he says in a white paper he’ll release at the conference.

He found a variant of Gpcode ransomware that used a static key that can be recovered by comparing the encrypted files to the originals and unlocking the encryption. Similarly, TeslaCrypt said it was using asymmetric RSA 2048 encryption, but it wasn’t. Instead it used symmetric AES encryption, and that has been successfully broken, he says. “Don’t assume ransomware means everything is gone forever,” he says.

In a corporate environment a good way to stop ransomware is to catch it at a security gateway before it has the chance to infect endpoints, Kirda says. That can be done because the malware has to perform certain detectable functions in order to do its damage. It has to repeatedly work on files in different drives and directories, something that can be readily detected when a ransomware sample is being analyzed. And ransomware announces itself to the victim in order to demand payment. That, too, is a feature that is apparent under analysis, he says.

He looked at 1,359 active ransomware samples that were observed in the wild between 2006 and 2014. Of those, 61% only targeted the desktop of victim machines, not any documents in the file system. They used a mix of custom and standardized encryption systems, such as CryptoAPI in Windows systems. “After all these libraries are widely available, and they are easy to use,” he says.

Must read: Hidden Cause of Slow Internet and how to fix it
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies