Ransomware has been on an upward trend, notably so in Q3 and Q4 of 2016. The main delivery vector also shifted: phishing links dropped by 50% (source: Proofpoint) while RDP, typically exposed RDP services with weak or brute-forced credentials, rose to take their place. According to Webroot, two thirds (66%) of ransomware infections in Q1 2017 were delivered via RDP.

For those unfamiliar with the term, ransomware can be summarised as:

Ransomware is a type of malicious software that blocks access to the victim’s data or threatens to publish or delete it until a ransom is paid.

More precisely, ransomware is categorised as a form of cryptoviral extortion, an attack studied under the name cryptovirology. Moti Yung published his findings on cryptoviral extortion (cited entries can be read here), where the process is described in three key phases:

  1. [attacker→victim] The attacker generates a key pair and places the corresponding public key in the malware. The malware is released.
  2. [victim→attacker] To carry out the cryptoviral extortion attack, the malware generates a random symmetric key and encrypts the victim’s data with it. It uses the public key in the malware to encrypt the symmetric key. This is known as hybrid encryption and it results in a small asymmetric ciphertext as well as the symmetric ciphertext of the victim’s data. It zeroizes the symmetric key and the original plaintext data to prevent recovery. It puts up a message to the user that includes the asymmetric ciphertext and how to pay the ransom. The victim sends the asymmetric ciphertext and e-money to the attacker.
  3. [attacker→victim] The attacker receives the payment, deciphers the asymmetric ciphertext with his private key, and sends the symmetric key to the victim. The victim deciphers the encrypted data with the needed symmetric key thereby completing the cryptovirology attack. The symmetric key is randomly generated and will not assist other victims. At no point is the attacker’s private key exposed to victims and the victim need only send a very small ciphertext to the attacker (the asymmetric ciphertext).
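The three phases above are just hybrid encryption split across two parties, and the properties Yung lists (per-victim symmetric key, private key never leaves the attacker, only a small asymmetric ciphertext crosses the wire) fall out of the construction. The following Go program is an added example written for this post, not code from Young and Yung or from any real malware family; it simulates the exchange in memory over a constructed byte string using the standard library (RSA-OAEP to wrap a random AES-256 key, AES-GCM for the data) and then checks that one victim's recovered key does nothing for a second victim. The function names (`attackerGenerateKeys`, `victimEncrypt`, `attackerUnwrapKey`, `victimRecover`, `runExtortion`) and the sample data are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Ransomed holds what the malware leaves with the victim after phase 2: the
// symmetric ciphertext of the data plus the small asymmetric ciphertext (the
// random symmetric key wrapped under the attacker's public key). Nothing else.
type Ransomed struct {
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over the victim's data
	WrappedKey []byte // RSA-OAEP over the 32-byte symmetric key
}

// Phase 1 (attacker): generate the key pair. Only the public half is embedded
// in the malware; the private key stays with the attacker throughout.
func attackerGenerateKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Phase 2 (victim machine): encrypt data under a fresh random symmetric key,
// wrap that key under pub, then zeroize the key and the plaintext buffer so
// nothing recoverable remains. data is overwritten in place.
func victimEncrypt(pub *rsa.PublicKey, data []byte) (*Ransomed, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, data, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	zeroize(key)  // the victim no longer holds the symmetric key ...
	zeroize(data) // ... nor the plaintext
	return &Ransomed{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// Phase 3 (attacker): on payment, unwrap the symmetric key with the private key
// and hand back only that key. The private key itself is never sent.
func attackerUnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Victim decrypts with the returned key. Because GCM authenticates, a key
// belonging to a different victim fails with an error instead of producing garbage.
func victimRecover(key []byte, r *Ransomed) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, nil)
}

func zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// runExtortion walks two victims through all three phases and reports victim A's
// recovered data and whether A's symmetric key also opens victim B's data.
func runExtortion(dataA, dataB []byte) (recoveredA []byte, keyAOpensB bool, err error) {
	priv, err := attackerGenerateKeys()
	if err != nil {
		return nil, false, err
	}
	ransomedA, err := victimEncrypt(&priv.PublicKey, dataA)
	if err != nil {
		return nil, false, err
	}
	ransomedB, err := victimEncrypt(&priv.PublicKey, dataB)
	if err != nil {
		return nil, false, err
	}
	keyA, err := attackerUnwrapKey(priv, ransomedA.WrappedKey) // victim A paid
	if err != nil {
		return nil, false, err
	}
	recoveredA, err = victimRecover(keyA, ransomedA)
	if err != nil {
		return nil, false, err
	}
	_, errB := victimRecover(keyA, ransomedB) // A's key tried on B's data
	return recoveredA, errB == nil, nil
}

func main() {
	original := []byte("constructed victim data: quarterly_report.xlsx")
	dataA := append([]byte(nil), original...) // copy: victimEncrypt zeroizes its input
	dataB := []byte("constructed data belonging to a second victim")
	rec, crossOpens, err := runExtortion(dataA, dataB)
	if err != nil {
		panic(err)
	}
	fmt.Printf("victim A recovered original data: %v\n", bytes.Equal(rec, original))
	fmt.Printf("victim A plaintext buffer zeroized: %v\n", bytes.Equal(dataA, make([]byte, len(dataA))))
	fmt.Printf("victim A key opens victim B data: %v\n", crossOpens)
}
```

The design choice worth noticing from a defender's view is the consequence of phase 2: once the symmetric key is wrapped and zeroized, the victim holds only RSA ciphertext, so offline recovery without payment depends entirely on implementation mistakes in the malware (a predictable random key, a key that was never actually wiped from memory or disk, or a private key that leaks), not on attacking the scheme itself.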


Looking at the latest WannaCry outbreak, the process can be defined as the following 5 steps:

The process adopted there follows Yung's three-phase model, whilst also exploiting an SMBv1 vulnerability (the EternalBlue exploit, patched by MS17-010) to spread through networks without any user interaction.

