trojan81
asked on
ransomware private key
Typically when Ransomware connects out to a C2 server to obtain the private key to begin encryption, does that private key get downloaded onto the victims computer?
My thoughts are if it does reside on the victims computer, wouldn't someone be able to use that to also decrypt the files?
My thoughts are if it does reside on the victims computer, wouldn't someone be able to use that to also decrypt the files?
mbkitmgr
No
ASKER
What about situations where the Ransomware does not need to connect to a C2 server to encrypt..
Does that mean the user will have to initiate a connection out somewhere to retrieve the Decryption key? If yes, why wouldn't all Ransomware behave this way? That way they guarantee that the files will be encrypted and force the users to make the initiation to pay and retrieve the key?
Otherwise, if they the victim has to reach out to the C2 to encrypt, a lot of things could block it at this point like a web filtering appliance.
Does that mean the user will have to initiate a connection out somewhere to retrieve the Decryption key? If yes, why wouldn't all Ransomware behave this way? That way they guarantee that the files will be encrypted and force the users to make the initiation to pay and retrieve the key?
Otherwise, if they the victim has to reach out to the C2 to encrypt, a lot of things could block it at this point like a web filtering appliance.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
mbkitmgr
Ok let's talk about encrypt. what is the purpose of the ransomware connecting out to a C2 to obtain a private key to encrypt? There's so many things that can block that outbound connection. Why not write the ransomware to just encrypt without connecting to a C2
Ok let's talk about encrypt. what is the purpose of the ransomware connecting out to a C2 to obtain a private key to encrypt? There's so many things that can block that outbound connection. Why not write the ransomware to just encrypt without connecting to a C2
Thats assuming it follows those "rules"
One of the law products I supported didnt encrypt the Passwords of users in its user database. If a user forgot their pwd, they could open Excel and query the user.list.table and get their password. I flagged this with the vendor and they made some changes.
They obtained a piece of code that allowed their app to encrypt the passwords before they were written to the user.list.table. Without the key you couldn't decipher what string was in the password field. If you did get the code to read the content, and used any old key, it would still process the data from the password field but instead of getting 'Password1234' you got ^FIFS(I^D&F)#P@ - as far as the code was concerned it had decrypted the data - it didnt care.
It highlighted that any one who provides types of encryption in any form may not do it by the book, and if in this case the malware seems to call a C2 server, it may just be announcing "I have another victim"
One of the law products I supported didnt encrypt the Passwords of users in its user database. If a user forgot their pwd, they could open Excel and query the user.list.table and get their password. I flagged this with the vendor and they made some changes.
They obtained a piece of code that allowed their app to encrypt the passwords before they were written to the user.list.table. Without the key you couldn't decipher what string was in the password field. If you did get the code to read the content, and used any old key, it would still process the data from the password field but instead of getting 'Password1234' you got ^FIFS(I^D&F)#P@ - as far as the code was concerned it had decrypted the data - it didnt care.
It highlighted that any one who provides types of encryption in any form may not do it by the book, and if in this case the malware seems to call a C2 server, it may just be announcing "I have another victim"
Generally, this type of ransomware will generate a seperate pair of keys for each site. It MAY use the same key for several sites. You may also get no key, files may not even be encrypted; they could just be full of garbage. Or they may just be simply hidden, moved somewhere. It basically does whatever the crooks who wrote it wants it to do.
Sending $$s to the crooks is no guarantee you will get your files back. From feedback I have, it seems about a 50/50 chance.
Sending $$s to the crooks is no guarantee you will get your files back. From feedback I have, it seems about a 50/50 chance.
ASKER
A lot of RAnsomware (the popular one) connect to a C2 to obtain the private key to encrypt.
The original question, why even have it connect to a C2 in the first place?
I will take a guess and say if they leave the private key on the malware so that it doesn't need to connect out to a C2, then someone can easily reverse engineer the key and use it to decrypt. Is that a good assumption?
The original question, why even have it connect to a C2 in the first place?
I will take a guess and say if they leave the private key on the malware so that it doesn't need to connect out to a C2, then someone can easily reverse engineer the key and use it to decrypt. Is that a good assumption?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
They victims machine info is sent to the c2 so a public and private key can be generated. the public key is used to encrypt and the private key is used to decrypt once the victim pays. is that correct?
I think you're operating on a flawed assumption that all the popular ransomware contacts a C&C server in any way. The vast majority of attacks out in the wild right now don't do any communication with C&C servers. The original Cryptolocker variants, in fact, had the private keys used to encrypt files stored in hidden folders on the victim's drive.
Only highly sophisticated Ransomware variants will generate a new key for every environment, and only moderately sophisticated variants actually talk to a C&C server for any reason. This is simply a matter of ease for the attacker. The people who design ransomware are inherently lazy people (otherwise they'd get real jobs) and having to keep track of which keys were used to encrypt which environment requires significantly more effort than most attackers are willing to put in. Most of them use one key for all environments and just change the key the next time they push out a new variant of their ransomware. This is much easier than having a C&C server control things and generate new keys every time the attack hits for a lot of reasons.
Now, the recommendation when dealing with Ransomware is to disconnect the system from the network immediately. This recommendation serves a lot of purposes, and cutting the connection to a C&C server is only one of them. It's much more important to do this to protect mapped network drives from encryption and limit the impact of the ransomware attack as much as possible. I've seen situations where people were hit with ransomware within the last 10 minutes of their work day and the attack only encrypted 2 directories in a share, plus the files on their workstation. A different attack occurred on a Remote Desktop Server when two different users opened attachments that got through the malware filter within 10 minutes of each other while using their RD sessions. Because that attack was on a server that never shut down, the attack encrypted absolutely every file on the network *twice* (Total CF there...took a week to restore the files and get them going again) because one attack encrypted the files and the second attack followed it 10 minutes later. Luckily, one variant wasn't developed properly and there was no way to contact the attacker, so the plans to pay the ransom fell through (The fact that they were planning to pay for it was against my kicking and screaming recommendations).
Only highly sophisticated Ransomware variants will generate a new key for every environment, and only moderately sophisticated variants actually talk to a C&C server for any reason. This is simply a matter of ease for the attacker. The people who design ransomware are inherently lazy people (otherwise they'd get real jobs) and having to keep track of which keys were used to encrypt which environment requires significantly more effort than most attackers are willing to put in. Most of them use one key for all environments and just change the key the next time they push out a new variant of their ransomware. This is much easier than having a C&C server control things and generate new keys every time the attack hits for a lot of reasons.
Now, the recommendation when dealing with Ransomware is to disconnect the system from the network immediately. This recommendation serves a lot of purposes, and cutting the connection to a C&C server is only one of them. It's much more important to do this to protect mapped network drives from encryption and limit the impact of the ransomware attack as much as possible. I've seen situations where people were hit with ransomware within the last 10 minutes of their work day and the attack only encrypted 2 directories in a share, plus the files on their workstation. A different attack occurred on a Remote Desktop Server when two different users opened attachments that got through the malware filter within 10 minutes of each other while using their RD sessions. Because that attack was on a server that never shut down, the attack encrypted absolutely every file on the network *twice* (Total CF there...took a week to restore the files and get them going again) because one attack encrypted the files and the second attack followed it 10 minutes later. Luckily, one variant wasn't developed properly and there was no way to contact the attacker, so the plans to pay the ransom fell through (The fact that they were planning to pay for it was against my kicking and screaming recommendations).
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
hi, i can help for recovery of arrow, java, arena, cezar and bip extension files, but please note that my service is not free (please contact me by mcerdem82@yahoo.com)