Ransomware encryption works no differently from the device and software encryption that protects data. Understanding how it works is crucial for cybersecurity professionals and business leaders as the threat landscape continues to evolve with increasingly sophisticated attacks.
Ransomware is a dangerous type of malware that encrypts data and demands a ransom payment in exchange for the decryptor. Current ransomware developers use a double extortion tactic: the data is encrypted, and the attackers also threaten to leak it on their Tor website. Therefore, preventing ransomware and keeping backups up to date is the safest way to guarantee your data is secure.
Although your IT team or the cybersecurity service you hire can work to decrypt the files, success is never a hundred percent guaranteed, since your files can become corrupted. Knowing how ransomware encryption happens clarifies why prevention and cybersecurity best practices matter for your business.
What is encryption?
Encryption is not a recent development. The Roman Empire used encrypted messages during its military campaigns, and during WWII, countries exchanged encrypted messages (“The Imitation Game,” a film from 2014 directed by Morten Tyldum, is a good movie on the subject). Since the beginning, encryption has been a secure method of sharing information when it has to pass through a public, non-secure medium, such as the public Internet.
However, the same method used to secure your data is used to block your access to it when ransomware enters your network.
Therefore, if it’s nearly impossible for cybercriminals to access your encrypted files, it’s equally challenging (if not impossible) to recover ransomware-encrypted data without the key provided by the hacker gang.
Important: DO NOT PAY THE RANSOM. Even though they promise the decryptor, it does not always happen, and you might pay the cybercriminals and still not receive your data.
Ransomware encryption methods
There are two encryption methods: symmetric and asymmetric. They differ in complexity and security. Hackers rarely use symmetric encryption on its own because, although it is faster, it is also more vulnerable and easier to crack: the single key has to be present on the victim’s machine, where it can be recovered.
Symmetric encryption
Symmetric encryption is a simple way to encrypt data in which the sender and the receiver use the same secret value, called the “key,” for both encryption and decryption. The key is kept secret, and only the sender and receiver have it.
Symmetric encryption has two main ways to work: block ciphers and stream ciphers.
- Block ciphers encrypt data in fixed-size blocks using the same key. The Advanced Encryption Standard (AES), established by the U.S. National Institute of Standards and Technology (NIST) in 2001, is an example of a block cipher.
- Stream ciphers encrypt the plaintext one digit (bit or byte) at a time by combining it with a pseudo-random key stream, so each unit of data is masked by a different key-stream value. Salsa20 and ChaCha are stream ciphers widely used in secure communication protocols due to their efficiency and resistance to timing attacks. They are employed in various operating systems for tasks like random number generation and authenticated encryption, making them suitable for software and hardware implementations.
Asymmetric encryption
Asymmetric encryption is a more complex encryption method. It has two keys: a public key and a private key. When developers use the public key to encrypt data, it can only be opened using the private key. Likewise, only the public key can decrypt when encryption happens using the private key. This is good for cybersecurity and data privacy solutions since only the holder of the matching key can decrypt, which also allows authentication.
However, asymmetric encryption is also the method hackers favor for encrypting data with their ransomware.
To make things even more complicated for the victims, cybercriminals are developing more complex malware that combines symmetric and asymmetric encryption, known as hybrid encryption.
Hybrid encryption
Modern ransomware typically employs a hybrid approach combining both symmetric and asymmetric encryption. Here’s how it works:
Initial setup:
- The ransomware generates a unique RSA key pair for each infection
- A public key from the attacker’s command and control server is embedded in the malware
Encryption process:
- Files are first encrypted using fast symmetric encryption (typically AES)
- The symmetric keys are then encrypted using asymmetric encryption
- This two-step process allows for rapid file encryption without requiring constant internet connectivity
Key management:
- The ransomware creates client keys (Cpub.key and Cpriv.key)
- Server keys (Spub.key and Spriv.key) are managed by the attackers
- The client’s private key is encrypted using the server’s public key
- All session keys are secured using the client’s public key
Common encryption algorithms
Cybercriminals use several encryption algorithms, originally created for security and privacy, to infect businesses’ networks and extort them. However, most ransomware developers use custom-made encryption methods.
Here are six of the most common encryption algorithms:
Advanced Encryption Standard (AES)
AES is a secure and trusted encryption algorithm used by the U.S. government. It is considered strong encryption that can protect data from attacks.
Triple Data Encryption Algorithm (Triple-DES)
Triple-DES uses symmetric encryption. It is a slow encryption and decryption method, yet several financial organizations use it to keep their data safe.
Blowfish
Blowfish is a symmetric block cipher. It has a reputation for speed and flexibility, and it’s unbreakable. It is neither patented nor licensed, which means it is free, publicly available encryption software open to any user. Many e-commerce sites rely on Blowfish to keep payment details and passwords secure.
Twofish
Twofish is also a symmetric block cipher that is license-free. It is an advanced version of Blowfish and has a higher security level than Blowfish.
Format Preserving Encryption (FPE)
FPE is a new encryption algorithm that preserves the data’s structure (its format) while encrypting, so the encrypted data keeps the same shape and your file remains the same after decryption.
Rivest–Shamir–Adleman (RSA)
If you’re looking for a way to encrypt your files for extra protection, the RSA encryption algorithm should be at the top of your list. It is an asymmetric encryption algorithm and is considered the best.
How ransomware encryption works
Now that we have reviewed encryption methods and algorithms, we can explore how ransomware groups encrypt your data during an attack.
When ransomware infiltrates a network through a vulnerability, threat actors deploy their payloads to the compromised computer. The malware often remains dormant in the system until triggered. Once activated, it employs sophisticated encryption algorithms, typically asymmetric or hybrid, to rapidly encrypt data while executing additional malicious activities.
A particularly sophisticated technique employed by modern ransomware strains is intermittent encryption. This method:
- Encrypts only portions of files (typically every 16 bytes) rather than the entire file
- Minimizes input/output (I/O) disk operations to avoid detection
- Often operates without connecting to command and control servers
- Results in partially readable files while successfully evading detection
- Bypasses traditional static analysis methods used by security software
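As an added illustration, not part of the original article, the Python scanner below shows why intermittent encryption evades a simple detection rule. A naive check treats a file as encrypted only when its whole-file entropy is near 8 bits per byte; a file in which only every other 16-byte chunk is encrypted scores around 7, so the rule never fires. Measuring entropy per 4 KiB window and flagging any file that is neither uniformly low nor uniformly high still catches it. The sample files, the seeded random bytes standing in for ciphertext, the interleaving pattern and the two thresholds are all constructed for this demo; real strains use varying chunk sizes and skip lengths.

```python
import math
import random
from collections import Counter

WINDOW = 4096          # bytes per entropy window
PLAIN_MAX = 6.0        # text and most structured data score well below this
ENCRYPTED_MIN = 7.8    # 4 KiB of uniformly random bytes scores about 7.95


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, window: int = WINDOW, min_tail: int = 1024) -> list:
    """Entropy of each consecutive `window`-byte slice of the file.

    A short trailing slice scores artificially low even when it is random,
    so it is dropped unless it is the only slice.
    """
    slices = [data[i:i + window] for i in range(0, len(data), window)]
    if len(slices) > 1 and len(slices[-1]) < min_tail:
        slices.pop()
    return [shannon_entropy(s) for s in slices]


def naive_is_encrypted(data: bytes) -> bool:
    """Whole-file rule: 'encrypted' only when the file looks uniformly random."""
    return shannon_entropy(data) >= ENCRYPTED_MIN


def classify(data: bytes) -> str:
    """Per-window rule: anything between 'all low' and 'all high' is suspicious."""
    ents = window_entropies(data)
    if not ents:
        return "empty"
    if all(e >= ENCRYPTED_MIN for e in ents):
        return "fully-encrypted"
    if all(e <= PLAIN_MAX for e in ents):
        return "plaintext"
    return "partially-encrypted"


# --- constructed sample files (seeded so the demo is reproducible) ----------
_rng = random.Random(20240101)
SENTENCE = b"The quick brown fox jumps over the lazy dog. "
PLAINTEXT = (SENTENCE * 400)[:4 * WINDOW]       # 16 KiB of text-like data
FULLY_ENCRYPTED = _rng.randbytes(4 * WINDOW)     # stands in for a fully encrypted file


def intermittent(plain: bytes, step: int = 16) -> bytes:
    """Constructed stand-in for intermittent encryption: every other `step`-byte
    chunk is replaced with random bytes and the rest is left untouched."""
    out = bytearray(plain)
    for i in range(0, len(plain), 2 * step):
        chunk = out[i:i + step]
        out[i:i + step] = _rng.randbytes(len(chunk))
    return bytes(out)


INTERMITTENT_16 = intermittent(PLAINTEXT, 16)      # 16 bytes on, 16 bytes off
INTERMITTENT_4K = intermittent(PLAINTEXT, WINDOW)  # whole windows on and off


def report(name: str, data: bytes) -> dict:
    """Summarise both rules for one file so they can be compared side by side."""
    return {
        "file": name,
        "whole_file_entropy": round(shannon_entropy(data), 2),
        "naive_rule": naive_is_encrypted(data),
        "windowed_rule": classify(data),
    }


if __name__ == "__main__":
    for name, blob in [("plaintext", PLAINTEXT), ("fully-encrypted", FULLY_ENCRYPTED),
                       ("intermittent-16B", INTERMITTENT_16), ("intermittent-4K", INTERMITTENT_4K)]:
        print(report(name, blob))
```

The two intermittent samples are the point of the exercise: both fail the naive rule, and the 16-byte interleaving even produces a file whose every window has middling entropy, so a per-window threshold tuned only for fully random data misses it too. Treating the middle band itself as a signal, rather than only the high band, is what lets the windowed check flag partially encrypted files.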
Contact a cybersecurity service to verify that your network has no vulnerabilities and that your data is secured. In the event of a ransomware attack, contact a ransomware removal service to increase your chances of removing the infection, closing the backdoors attackers could use to re-enter the system, and restoring the encrypted files.