Ransomware attacks have plagued corporate IT administrators and their CEOs for more than 20 years, and they are a major focus of cybersecurity research. Such intrusions have become more common thanks to an underground market for hacking and encryption tools, but a recent case shows what we can learn from attackers who aren’t skilled at what they’re doing.
Unlike other cyber nuisances such as viruses, which replicate and cause havoc, or denial-of-service attacks, which bring networks to a halt, ransomware is nearly impossible to undo once it has been properly deployed. That’s because it encrypts the victim’s files, and the only way to decrypt them is with the corresponding decryption key.
Rather than attempt to reverse the encryption, most victims wipe the affected systems and reinstall from backups. Even for an organization with solid data-handling practices this can take days or weeks and still cost millions of dollars; without secure backups it may not be feasible at all. That is what ransomware attackers are counting on: because recovering systems is so expensive, the victim will pay for a copy of the digital key that decrypts the data and brings everything back to normal.
What attackers don’t count on is a skilled cybersecurity researcher finding beginner mistakes in the malware’s code and reversing the encryption without paying the attacker a cent.
The X-Force team at International Business Machines Corp. did exactly that. CyCraft Corp., based in Taipei, also found the flaws and released free decryption tools.
The researchers described how they found a weakness in the Thanos family of ransomware in a post on IBM’s Security Intelligence website and in a recent presentation at the RSA Security Conference. A variant of Thanos known as Prometheus is believed to have hit at least 30 victims in the financial, manufacturing and logistics sectors.
Everything comes down to randomness. It is one of the most important ingredients of effective encryption, because encryption and decryption keys, which are often generated as a mathematically linked pair, depend on being very hard to guess. And because these digital passwords are so long, it is impossible to conduct a brute-force attack, which tries every possible combination until one works.
Unfortunately, computers are bad at randomness, because it goes against their nature. (Computers are highly predictable: given the same inputs and the same program, they will always produce the same output.) Computer scientists therefore created pseudorandom number generators, which imitate true randomness, to produce randomly generated keys. Used properly, these software tools generate strong passwords and encryption keys quite effectively.
But Thanos’s authors misused these tools: they hard-coded one part of the procedure and drew another from the target computer’s highly predictable clock time.
Having found the first part of the code (a sequence of digits from one to eight), the researchers only needed to work out how long the machine had been running before the malware was installed. That took some further investigation and trial and error, but they were eventually able to make reasonable estimates. The final step was simply to combine the numbers and see whether they produced a matching cryptographic key. They did. The malware’s supposedly secret key wasn’t as hard to work out as its authors had thought.
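To make the flaw concrete, here is an added example, written for this article and not taken from Thanos or from the researchers’ decryption tool, that models a key seeded from a hard-coded value plus the machine’s uptime and shows why a defender can recover it by enumerating the plausible uptime window. The cipher, the file header and the uptime value are constructed stand-ins, and `secrets.token_bytes` is shown as the correct alternative.

```python
import hashlib
import random
import secrets
from typing import Optional

# Constructed model of the flaw the article describes: one hard-coded value plus
# the machine's uptime at infection time seed a deterministic PRNG. It is NOT
# the Thanos code, and the cipher below is a toy stand-in for whatever it used.
HARDCODED_PART = b"12345678"  # placeholder for the fixed "series of digits"

def weak_key(uptime_ms: int, key_len: int = 32) -> bytes:
    """The flawed scheme: the only unknown input is uptime, so the whole key
    space collapses to however many uptime values are plausible."""
    rng = random.Random(HARDCODED_PART + uptime_ms.to_bytes(8, "little"))
    return bytes(rng.getrandbits(8) for _ in range(key_len))

def strong_key(key_len: int = 32) -> bytes:
    """What the authors should have used: the OS cryptographic RNG."""
    return secrets.token_bytes(key_len)

def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher (SHA-256 keystream XOR data). The same
    call encrypts and decrypts; it stands in for the real file cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "little")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def recover_uptime(ciphertext: bytes, known_prefix: bytes,
                   lo_ms: int, hi_ms: int) -> Optional[int]:
    """Researcher's side: estimate an uptime window, regenerate the key for
    every value in it, and test each candidate against a known file header."""
    for uptime in range(lo_ms, hi_ms + 1):
        if xor_cipher(weak_key(uptime), ciphertext[:len(known_prefix)]) == known_prefix:
            return uptime
    return None

# Constructed sample: a "victim" file whose format starts with a fixed header.
SAMPLE_FILE = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
INFECTION_UPTIME_MS = 61_337  # hypothetical: the box had been up about a minute

if __name__ == "__main__":
    ct = xor_cipher(weak_key(INFECTION_UPTIME_MS), SAMPLE_FILE)
    found = recover_uptime(ct, b"%PDF-1.7", 60_000, 65_000)
    print("recovered uptime (ms):", found)
    print("decrypted header:", xor_cipher(weak_key(found), ct)[:8])
```

A window of a few thousand millisecond values is checked in well under a second; a key from `strong_key` has no such window to search.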
The case of Thanos’s flawed encryption, beyond showcasing some brilliant investigative work by the cyber-intelligence community, says a lot about contemporary hacking. First, as researchers well know, much of this malicious software is redistributed among a large pool of would-be attackers, many of whom are unfamiliar with the tools they are using.
Second, the people who write malware and the people who break into computer systems, two frequently separate groups, aren’t always experts in their fields. Using a hard-coded initialization vector is a fairly elementary mistake. As a result, such flaws are common, and they give researchers the kind of digital fingerprints they need to track and counter evolving threats.