• In response to the lawless practices of hackers, a growing number of security experts are working with law enforcement to provide free decryption tools.
• Ransomware decrypters develop their tools in a few main ways: reverse-engineering implementation errors in the malware, working with law enforcement, and collecting publicly released encryption keys.

The age of rampant hacking

Hackers use ransomware to attack every industry, demanding as much money as they can for access to victims’ files. It’s a lucrative business: in the first six months of 2023 alone, ransomware gangs extorted $449 million from their targets.
Increasingly, though, security experts are partnering with law enforcement to provide free decryption tools.


Several common solutions

There are several main ways ransomware decrypters develop tools: reverse-engineering implementation errors in the malware, working with law enforcement, and collecting publicly released encryption keys. How long this takes depends on the complexity of the code, but it usually requires an encrypted file, the unencrypted version of the same file, and information about the servers the hacking group uses.

“Just having the output encrypted file is usually useless. You need the sample itself, the executable file,” said Jakub Kroustek, head of malware research at antivirus company Avast. It’s not easy, but when it works, it brings real relief to the affected victims.

Ransomware decrypters use their knowledge of software engineering and cryptography to obtain the ransomware’s keys and build a decryption tool from there, Kroustek said. More advanced encryption schemes may require brute force, or an educated guess based on the available information. Sometimes hackers generate keys with a pseudo-random number generator. A true random number generator produces output that cannot be predicted; a pseudo-random generator, as van der Wiel explains, follows a fixed pattern that only appears random, and that pattern is often seeded with something like the time the key was created. If researchers know part of that input, such as roughly when the files were encrypted, they can try candidate time values until the key falls out.
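To make the pseudo-random-key point concrete, here is an added example; it is not code from this article, from Avast or from any of the researchers quoted. A toy encryptor derives its key from Python’s `random` generator seeded with the Unix timestamp at which it ran, and the recovery routine does what a decryption developer would do with an encrypted file whose first bytes are known (a PNG header) and a rough idea of when the attack happened. The timestamps, the file contents and the one-hour search window are all constructed for illustration.

```python
import random

# Constructed known plaintext: every PNG file starts with these eight bytes,
# so an encrypted PNG hands the analyst a known-plaintext block for free.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def derive_key(seed: int, length: int = 32) -> bytes:
    """Weak key derivation, as the toy 'ransomware' does it: the key bytes
    come straight from a pseudo-random generator seeded with a Unix
    timestamp. Anyone who learns the seed can regenerate the key."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR stands in for the toy's cipher; the same call
    encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_seed(ciphertext: bytes, known_plaintext: bytes,
                 window_start: int, window_end: int):
    """Try every candidate timestamp in [window_start, window_end) and
    return (seed, key) for the first one whose key maps the start of the
    ciphertext back onto the known plaintext, or None if none does."""
    n = len(known_plaintext)
    for seed in range(window_start, window_end):
        key = derive_key(seed)
        if xor_crypt(ciphertext[:n], key) == known_plaintext:
            return seed, key
    return None


def demo():
    # Hypothetical attack time (July 2023). In a real case the encrypted
    # file's modification time on disk bounds the search window.
    attack_time = 1_690_000_000
    victim_file = PNG_MAGIC + b"...rest of a constructed image file..."
    encrypted = xor_crypt(victim_file, derive_key(attack_time))

    # The analyst has only the encrypted file and an mtime that is within
    # about an hour of when the malware actually ran.
    observed_mtime = attack_time + 120
    found = recover_seed(encrypted, PNG_MAGIC,
                         observed_mtime - 3600, observed_mtime + 3600)
    if found is None:
        return None
    seed, key = found
    return seed, xor_crypt(encrypted, key) == victim_file


if __name__ == "__main__":
    print(demo())
```

A few thousand candidate seeds take well under a second to test, and the same approach works against a real cipher as long as the key is fully determined by a small, guessable input. Seeding from a cryptographically secure source such as `os.urandom` would defeat it, which is exactly why a timestamp seed counts as an error worth reverse-engineering.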

But getting the keys often requires working with law enforcement to learn more about how a hacking group operates. If researchers can obtain the IP address of a hacker’s server, they can ask the local police to seize it and take a memory dump of its contents. Or, if the hackers hide their location behind proxy servers, police can use network-flow data such as NetFlow records to determine where the traffic is really going and extract information from it, van der Wiel said. The Budapest Convention on Cybercrime makes this kind of cross-border investigation possible: it allows police to urgently request an image of a server in another country while the formal request works its way through.


Working with law enforcement

Working with law enforcement is what allowed Cisco Talos to produce a decryption tool for the Tortilla variant of Babuk ransomware. This variant has targeted healthcare, manufacturing and national infrastructure, encrypting victims’ devices and deleting valuable backups. Avast had already created a universal Babuk decryptor, but the Tortilla strain proved difficult to crack. Dutch police and Cisco Talos worked together to arrest those behind it, and in the process obtained a decryptor for the Tortilla variant.

In general, experts can’t share much about the process without tipping off the ransomware gangs. If they reveal the common errors they exploit, hackers can use that to fix the next ransomware attempt. If researchers say which encrypted files they are working on, the gang will know it has been found out. But the best way to avoid all of this is to be proactive.