I’m (not) with stupid
Some ransomware authors get the cryptography right, but make web security mistakes that leave their command and control (C2) infrastructure vulnerable to attacks.
Malware researcher Sarah White of Emsisoft made this point during a well-attended talk at the SteelCon hacker conference in Sheffield last weekend that focused on the cryptographic mistakes ransomware developers have made over the years.
The MegaLocker ransomware, for example, used a random directory with no authentication on a PHPMyAdmin system.
“They should have thought again,” White said. “With a few clicks it’s very easy to find and dump all of their victims and keys.”
Old versions of GandCrab had similar problems, the researcher explained, and Spora ransomware directly displayed data it took from a user’s submitted key files on a website.
Security researchers discovered that by moving around portions of data that contain a private key into areas reserved for username and infection date, it was possible to obtain part of the malware’s private key.
Repeating this process multiple times made it possible to recover the whole key, White said.
Vulnerabilities in old versions of MySQL or other database management systems also present another potential way to hack the C2 servers of ransomware authors.
Making a hash of it
White’s talk – ‘Pouring Salt Into The Crypto Wound: How Not To Be As Stupid As Ransomware Authors’ – sought to highlight generic mistakes bad guys make in their wares in order to educate legitimate developers in avoiding the same errors.
For example, early ransomware (such as Merry Xmas and versions of Nemucod) featured use of custom algorithms.
These algorithms are often flawed – not least because they have not been tested – leaving them vulnerable to brute-force attacks, often made even easier with basic crypto-analysis.
Another class of mistake made by ransomware authors is the use of static or semi-static key – errors that cropped up in DMA Locker v1 and CryptoHost, among others.
“Strong ciphers are useless when the key isn’t secret,” White pointed out. “Obfuscators do not stop people from finding keys like this.”
Key generation mistakes, another category of cryptographic error, were made in DMA Locker v2.
“Key generation is not as easy as it looks and random isn’t always random,” White explained.
The shortcoming in DMA Locker v2 meant that it could be broken by a brute-force attack within 30 minutes on most modern systems.
Key generation mistakes are by far the most common oversights in both ransomware and real-life software, according to White.
“It’s cheaper to learn from other peoples’ mistakes than to have to deal with the issues when you’ve made your own,” she said.
Yet another way to get things wrong is key reuse – an issue for GetCrypt v1 and DMA Locker v3.
DMA Locker v3 used a single hardcoded public key. Once any one person paid, the jig was up because anybody else could use the same key to recover their data without paying malware authors a cent.
What happens when you don’t RTFM?
CryptoDefense, rebranded as CryptoWall, was a strain of malware that went on to become one of the most prolific to date, after a mistake involving failure to properly read a cryptographic manual from Microsoft.
The error made all CryptoDefense victims have the RSA key pair left on their systems, so that they keys could be readily recovered and subsequently used to restore files.
“The CryptoDefense authors would have never known that they’d made this mistake if a certain AV [antivirus] vendor didn’t release a public blog post detailing the flaw a few days after a decryptor was made,” White said.
“Never detail the flaws of an active ransomware campaign publicly because they [the cybercriminals] will take advantage of you telling them what their mistake is.”
In cases where criminals have got the cryptography, web security, and OpSec right – in the absence of up-to-date backups – victims will have little choice but to pay criminals and hope to receive a working decryptor and proper key in return.
“There’s plenty of times when they’ve either made off with the money or they’ve provided a decryptor that is faulty or doesn’t work,” White concluded.
“Sometimes it happens that the white hats end up having to make a decryptor that fixes the ransomware author’s problems.”
All of the ransomware campaigns covered by White’s talk have stopped operating, either because they cybercriminals involved have either moved on or suffered arrests or because they have moved onto peddling versions of their wares free from earlier mistakes.