Crypto-Ransomware: When Encryption Breaks Bad

Malware just isn't what it used to be. Not long ago, all one needed was to run an anti-virus solution or follow a step-by-step guide to remove the malicious files and undo their effects. Ransomware isn't that easy to solve. Created to lock a system or hold certain files hostage until a ransom is paid, ransomware schemes force an all-or-nothing gamble on the victim: either the malware operator gets paid, or the victim loses important files.

While earlier ransomware variants, particularly those that simply locked the computer screen, could be resolved with a solution like Trend Micro's AntiRansomware Tool 3.0, newer and more evolved types aren't that easy to crack. Crypto-ransomware, a type of ransomware that restricts user access by locking the system and encrypting certain files, is a kind of cybercriminal "checkmate" that leaves its victims with a difficult choice.

[Watch: Ransomware in action, from infection to extortion]

These ransomware variants are designed to leverage the power of modern encryption. Originally developed to protect data and communication, these encryption methods use an algorithm that scrambles a file's contents so that they can only be read by someone holding the decryption key.

CryptoLocker, one of the earliest and most widespread crypto-ransomware variants, uses RSA public-key cryptography, a system that involves two keys: a public key, which the malware uses to encrypt files on the victim's system (in practice RSA protects a symmetric key that does the bulk file encryption, since RSA itself is far too slow for large files), and a private key, kept by the malware's operator, which is the only thing that can decrypt them. There is no practical way around this. Without the decryption key, the files remain encrypted even after the malware that encrypted them has been removed.

[Ransomware 101: How users get infected, and how it works]


What makes crypto-ransomware so dangerous is that it uses encryption methods designed to be unbreakable, which is why security vendors can't simply create a tool for decrypting files. Without the decryption keys it is practically impossible, and a "super decrypting tool" that could defeat every algorithm used by every ransomware variant, or that could store every possible decryption key, is unrealistic.

It should also be noted that if it were possible to build a tool that cracks well-designed, properly implemented encryption algorithms, the world would be in bigger trouble. Everyone, from governments and businesses down to personal email accounts and mobile communications, relies on encryption in one way or another. Encryption algorithms were developed to protect data from unauthorized access, after all. Unfortunately, crypto-ransomware turns them against innocent victims.

[More: Encryption 101 – What it is, and how it works]

Can encrypted files be decrypted without paying the ransom? It ultimately depends on how careful the ransomware's author was, and on whether the flaw can be exploited in time. Files encrypted by crypto-ransomware can be recovered if the malware used a weak encryption algorithm or weak key generation (for example, a key derived from a predictable value, so that it can be regenerated by repeating the same steps), or if the keys can be found in the malware's code, in memory, or elsewhere on the infected machine before the ransom deadline expires.[1]
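An added example of the first case above, weak key generation, written for this page rather than taken from any real ransomware or decryptor: the cipher itself (AES-GCM) is strong, but the key is the output of a non-cryptographic PRNG seeded with the infection time, so a decryptor that knows roughly when the files were modified can regenerate candidate keys and let the GCM authentication tag confirm the right one. The sample document, the infection timestamp and all names are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	crand "crypto/rand"
	"errors"
	"fmt"
	mrand "math/rand"
)

// Constructed sample document; nothing on disk is touched.
var sampleDoc = []byte("constructed sample: invoice 0042, total 1,250.00\n")

// ConstructedInfectionTime is the (hypothetical) Unix time the flawed malware
// ran; the decryptor knows it only roughly, from the files' modification times.
const ConstructedInfectionTime int64 = 1433116800 // 2015-06-01 00:00:00 UTC

// weakKeyFromSeed is the mistake: the 256-bit key is just the output of a
// non-cryptographic PRNG seeded with a clock value, so the number of possible
// keys equals the number of plausible seeds, not 2^256.
func weakKeyFromSeed(seed int64) []byte {
	r := mrand.New(mrand.NewSource(seed))
	key := make([]byte, 32)
	r.Read(key)
	return key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptWeak models the flawed malware: AES-GCM with a key from
// weakKeyFromSeed(infection time). The nonce is stored with the ciphertext,
// as it would be in the encrypted file's header.
func EncryptWeak(infectionTime int64, plaintext []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(weakKeyFromSeed(infectionTime))
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := crand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// RecoverBySeedSearch is the decryptor: it regenerates the key for every
// second in the window and lets the GCM tag say when the key is right (a
// wrong key fails Open, so no known plaintext is needed).
func RecoverBySeedSearch(nonce, ct []byte, windowStart, windowEnd int64) (seed int64, plaintext []byte, err error) {
	for s := windowStart; s <= windowEnd; s++ {
		gcm, err := newGCM(weakKeyFromSeed(s))
		if err != nil {
			return 0, nil, err
		}
		if pt, err := gcm.Open(nil, nonce, ct, nil); err == nil {
			return s, pt, nil
		}
	}
	return 0, nil, errors.New("no seed in window produced a valid key")
}

// Demo encrypts the sample as the malware would, then recovers it knowing the
// infection time only to within an hour either side of a rough estimate.
func Demo() (recoveredSeed int64, ok bool, err error) {
	nonce, ct, err := EncryptWeak(ConstructedInfectionTime, sampleDoc)
	if err != nil {
		return 0, false, err
	}
	approx := ConstructedInfectionTime + 1234 // the decryptor's rough estimate
	seed, pt, err := RecoverBySeedSearch(nonce, ct, approx-3600, approx+3600)
	if err != nil {
		return 0, false, err
	}
	return seed, string(pt) == string(sampleDoc), nil
}

func main() {
	seed, ok, err := Demo()
	fmt.Println("recovered seed:", seed, "plaintext matches:", ok, "err:", err)
}
```

A two-hour window is 7,201 candidate keys, which takes milliseconds; even a window of several years is trivial. This is why the author's key generation, not the cipher, is usually where a working decryptor comes from, and why an author who draws keys from a proper cryptographic random source leaves nothing for the search to find.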

Unfortunately, this is a long shot. In the constant arms race between cybercriminals, security vendors, and law enforcement, the bad guys (or at least the competent ones) are unlikely to keep using methods that can be easily cracked. After all, if crypto-ransomware were that easy to resolve, it wouldn't be considered a dangerous threat, and cybercriminals wouldn't be using it so much.

Like the security solutions developed to stop them, malware evolves, and the most "successful" families are constantly being improved. In June 2015, we saw a known variant called CryptoWall evolve to version "3.0", which uses new methods to evade detection.


The scheme has become so effective that even law enforcement agencies and government offices have become victims, and some were hit so badly that they were forced to pay the ransom. In April 2015, the Lincoln County Sheriff's Office in Maine and four town police departments fell victim to a ransomware attack that encrypted their hard drives. They got off relatively easily, as they reportedly had to pay only $300.[2]

Paying the ransom is not recommended, though, because there is no guarantee that the attackers will hold up their end of the bargain and hand over a working decryption key. And even if they do, paying only encourages more cybercriminals to pull off more attacks. It's the same reason governments "don't negotiate with terrorists".[3]

Given how effective and damaging this threat is, users should be proactive and apply the same precautions they would with any other virus, biological or digital. Prevention is always better than having to find a cure. Security software can help keep malware from infiltrating a system, and regularly backing up critical data limits the damage of having files held hostage.

[More: How to protect yourself from a ransomware attack]

Trend Micro's OfficeScan endpoint security solution (OSCE 10.6 with Service Pack 3) has a behavior monitoring feature that proactively detects threats through behavior analysis and alerts users before new, unknown files are executed, since the arrival and execution of a new file is a common sign of a ransomware attack. Following the 3-2-1 backup method (three copies of your data, on two different kinds of media, with one copy kept off-site) can also downgrade the effects of a ransomware attack from "disastrous" to simply "annoying". Keep that off-site copy offline or otherwise unreachable from the protected machines: ransomware also encrypts backups on any local drive or network share it can write to.
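A simplified version of the kind of behavior heuristic the paragraph refers to, as an added example for this page that is not Trend Micro's code and makes no claim about how OfficeScan's behavior monitoring works: a process that repeatedly rewrites readable files with near-random content is flagged, because bulk encryption is one of the few things that turns many low-entropy documents into high-entropy ones in quick succession. The write events, process IDs, file names and thresholds are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
	"math"
)

// ShannonEntropy returns bits of entropy per byte (0 to 8). Plain text and
// office documents sit well below 6; encrypted or compressed data sits near 8.
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// WriteEvent is a constructed model of one file rewrite as a behavior monitor
// would see it: which process did it, and the contents before and after.
type WriteEvent struct {
	PID    int
	Path   string
	Before []byte
	After  []byte
}

// Monitor counts, per process, rewrites that turned readable content into
// near-random content, and alerts once a process has done that too often.
type Monitor struct {
	MinJump   float64 // required rise in bits/byte from Before to After
	MinAfter  float64 // After must be at least this close to random
	Threshold int     // suspicious rewrites before alerting
	counts    map[int]int
}

func NewMonitor() *Monitor {
	return &Monitor{MinJump: 2.0, MinAfter: 7.5, Threshold: 5, counts: map[int]int{}}
}

// Observe records one event and reports whether its process should be alerted on.
func (m *Monitor) Observe(ev WriteEvent) bool {
	after := ShannonEntropy(ev.After)
	if after >= m.MinAfter && after-ShannonEntropy(ev.Before) >= m.MinJump {
		m.counts[ev.PID]++
	}
	return m.counts[ev.PID] >= m.Threshold
}

// Simulate feeds the monitor two constructed workloads: an editor saving a
// small change to a document, and a process rewriting five documents with
// random bytes (standing in for ciphertext). It returns whether each alerted.
func Simulate() (editorAlerted, encryptorAlerted bool) {
	doc := bytes.Repeat([]byte("Minutes of the planning meeting, item 3: approve budget. "), 40)
	m := NewMonitor()

	edited := append(append([]byte(nil), doc...), []byte("Action: follow up next week.\n")...)
	editorAlerted = m.Observe(WriteEvent{PID: 101, Path: "minutes.txt", Before: doc, After: edited})

	for i := 0; i < 5; i++ {
		garbage := make([]byte, len(doc))
		if _, err := rand.Read(garbage); err != nil {
			panic(err)
		}
		encryptorAlerted = m.Observe(WriteEvent{PID: 202, Path: fmt.Sprintf("doc%d.txt", i), Before: doc, After: garbage})
	}
	return editorAlerted, encryptorAlerted
}

func main() {
	editor, encryptor := Simulate()
	fmt.Println("editor alerted:", editor, "bulk rewriter alerted:", encryptor)
}
```

Entropy alone is a noisy signal: archivers, disk-encryption tools and backup software also write high-entropy data, which is why a real product combines it with other indicators (file renames to new extensions, dropped ransom notes, deleted shadow copies, unsigned or freshly downloaded executables) and, as the paragraph says, stops the unknown file before it runs rather than after it has touched hundreds of documents.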

[Visit our Ransomware library to find more articles on ransomware]

