Hello, everybody! Today, I will be teaching you all about ransomware and how it really does damage, in wake of the recent WannaCry incident. First, we will need to talk about the different encryption algorithms used, and their pros and cons.
AES is a symmetric key encryption algorithm. This means that the same key is used to both encrypt and decrypt. If it is intercepted in transit, everything can be decrypted, so a key exchange like Diffie-Hellman is used to generate and transfer it. The pro of using this method is that it is very fast, and most modern CPUs have special instructions specifically for AES encryption. This is bad for ransomware because if the key is found while it is in transit, all the files can be decrypted. Also, if the machine is offline, it will not be able to encrypt any files.
Commonly used today, RSA is an asymmetric key encryption algorithm. This means that a different key is used to encrypt and decrypt. An analogy for RSA encryption is like sending an unlocked lock to somebody who doesn't know the combination. They can make a box with their information and lock it with the lock, but only the person with the key can get the information back. This is great for ransomware because the server could have a private key to decrypt the files, and the infected computers could all encrypt the files with the server's private key. It is not great because it uses very large exponents, and therefore its encryption and decryption speeds suffer because computing them takes a large amount of time.
Solution 1: Send data to the server to encrypt
This solution gives all the data to the server for it to decrypt. This is good because at no point are the keys exposed to the user. The server then sends back the encrypted data and the infected computer deletes the old, original data. This solution is bad because it requires an internet connection and a ton of bandwidth and time, as well as computing resources for the server.
Solution 2: RSA key
This solution revolves around the idea that the server can have a private key, and the clients can encrypt data using the server's public key, and the server will send the client the private key later for decryption after payment. This solution is no good because only one person needs to pay the ransom, and everybody can have their files back. This solution is also very slow due to RSA's long encryption times. It does not, however, need an internet connection for encryption.
Solution 3: RSA and AES combined
This solution makes use of the security of RSA and the speed of AES. First, the client generates an AES key, and encrypts the files with it. It then encrypts the AES key with an RSA keypair it generates, and encrypts the private key with the server's public key. This all works offline, so no internet connection is needed. It then deletes the AES key and the RSA private key, and stores the encrypted AES key and its encrypted private key. This is like locking the key to unlock the files in a box only the server can open. Once payment has happened, the client sends the server the locked box with the encrypted AES key to the server. The server verifies the payment, decrypts the box for the client, and sends it back. The client then uses its AES key to decrypt the files. This solution is used because it works without an internet connection, it uses AES for encryption and decryption for speed, and the server's private key NEVER, EVER leaves the server. If this happens, then all the files on everybody's computers can be decrypted.
Thank you for reading! I hope this article helped you all learn something.
DO NOT MAKE YOUR OWN RANSOMWARE PROGRAM!!! This article is strictly for education and I wrote it after learning this from decompiling many ransomware programs. Be careful if you decide to do the same!