Ever wondered what is being held for ransom in a ransomware attack? A little guide to the practice of Cyber outlaws.

My favorite video game is Red Dead Redemption 2. Yeah, it’s strange, but I like watching outlaws robbing, shooting, and holding people for ransom. Remember folks, it’s just a game, don’t worry. However, in the realm of cybersecurity, I am fascinated and amused again and again by the analogies people use to describe hacker attacks. In another article, published on OSINT.blog, I talked about Trojans and the analogy of these hacker attacks to Greek mythology. As a German-speaking person, it took me a while to realize that ransomware attacks refer to holding something for ransom (in that case not people). So why not write an article about it?

Ransomware attacks are typically conducted in the following steps:

  1. Infiltration: Imagine ransomware as a sneaky burglar who slips into your house when you accidentally leave the door open (clicking on a suspicious link).
  2. Unleashing Chaos: Once inside, this burglar swiftly changes all the locks in your house (encrypts your files), effectively locking you out.
  3. The Ransom Call: Then, the burglar yells from inside your house, “Hey, I’ll give you the new keys (decrypt your files) if you pay me!” The price can range from a few hundred dollars for a small house (individual device) to millions for a mansion (large corporation). Some burglars might even threaten to auction off your favorite painting (release sensitive data) if you don’t pay up.
  4. Showdown and Salvation: Paying the burglar might get you the keys, but there’s no guarantee. Oddly enough, most of these digital burglars do hand over the keys, because they want future victims to believe that paying up solves the problem. Even then the keys often come with a slow or buggy decryptor, and paying does nothing about the painting the burglar already carried out of the house (the copied data can still be leaked or sold).

On a deeper technical level, it means that the Cyber outlaws use Cryptography to make files unreadable and hold these files for ransom, demanding to be paid for a decryption key.

Ransomware attackers first gain unauthorized access to a victim’s system, most often through phishing, stolen remote-access credentials, or an exploited vulnerability in an exposed service. Once inside, they look for what hurts most when it is unavailable: documents, databases, file shares and, if they can reach them, the backups. For the encryption itself they use well-established algorithms rather than home-made ones, and the reason is not “security” in the abstract: the whole business model depends on nobody being able to reverse the encryption without the key. Families that rolled their own cryptography or mishandled their keys have been undone by analysts who released free decryptors. In practice the scheme is almost always hybrid, not a choice between symmetric and asymmetric: a fresh symmetric key (for example AES) is generated for each file and does the fast bulk encryption, and that symmetric key is then encrypted with the attacker’s asymmetric public key (for example RSA), whose private half never touches the victim’s machine. Asymmetric encryption on its own would be far too slow for gigabytes of data. The result is that every file is unreadable and the only copy of each file key is itself locked under a public key, so there is nothing left on the victim’s disk to recover. The attackers then drop a ransom note stating the amount and payment instructions, usually with pressure tactics such as a countdown, a price that rises after a deadline, or the threat to publish data they copied out before encrypting. If the victim pays, the attackers hand over the private key or a decryptor built around it; that is what reverses the process and restores the files.

How about some vocabulary for further understanding:

Cryptography Basics:

Encryption:

  1. Plaintext:
    • This is the original, readable data that needs to be protected. In the case of ransomware attacks, it could be files, documents, or any digital information.
  2. Encryption Algorithm:
    • An encryption algorithm is a set of mathematical rules and operations used to transform the plaintext into an unreadable form (ciphertext). Common encryption algorithms include AES (Advanced Encryption Standard) and RSA (Rivest–Shamir–Adleman). In ransomware the two are usually combined: AES encrypts the file contents, and RSA protects the AES key.
  3. Encryption Key:
    • The encryption key is a piece of information used by the algorithm to perform the encryption. For symmetric-key encryption, the same key is used for both encryption and decryption. In asymmetric-key encryption, there are two keys: a public key for encryption and a private key for decryption.
  4. Encryption Process:
    • The encryption algorithm processes the plaintext using the encryption key, producing a ciphertext. This ciphertext is a scrambled version of the original data, making it unreadable without the corresponding decryption key.

Decryption:

  1. Ciphertext:
    • This is the encrypted form of the original data, generated through the encryption process.
  2. Decryption Algorithm:
    • The decryption algorithm is the mathematical counterpart to the encryption algorithm. It uses the decryption key to reverse the process and convert the ciphertext back into plaintext.
  3. Decryption Key:
    • For symmetric-key encryption, the same key used for encryption is also used for decryption. In asymmetric-key encryption, the private key, which is kept secret, is used for decryption.
  4. Decryption Process:
    • The decryption algorithm processes the ciphertext using the decryption key, resulting in the recovery of the original plaintext.

Advanced Encryption Standard (AES):

AES is a symmetric block cipher. It is a standardized subset of the Rijndael algorithm, fixed to a block size of 128 bits and keys of 128, 192, or 256 bits (10, 12, or 14 rounds respectively). The cipher itself only ever transforms one 128-bit block at a time. How a whole file gets processed is decided by the mode of operation, such as CBC, CTR, or GCM, which chains the blocks together using an IV or nonce; GCM additionally authenticates the ciphertext, so tampering is detected on decryption. The naive mode, ECB, encrypts every block independently and leaks patterns in the data, which is why it is not used for files. Each AES round is a substitution-permutation network (SP network): SubBytes substitutes every byte through a fixed table (the substitution), ShiftRows and MixColumns shuffle and mix the bytes across the block (the permutation), and AddRoundKey XORs in a round key derived from the main key. To illustrate, consider a block of plaintext data. AES will take this data and encrypt it using a key (for instance, a 128-bit key). The outcome is a block of ciphertext. To decrypt this ciphertext, you use the same 128-bit key. This is the reason it’s termed a symmetric algorithm: the identical key is used for both encryption and decryption.
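To make this concrete, here is an added example of my own (not code from the article, and not taken from any real ransomware family), written in Go with only the standard library. It ties together the hybrid design described in the technical section above and the AES notes in this section: a fresh AES-256 key in GCM mode encrypts the file bytes, RSA-OAEP wraps that key under the attacker’s public key, and only the matching private key can undo it. The type and function names (EncryptedFile, EncryptHybrid, DecryptHybrid, RoundTrip) and the sample “file” contents are constructed for the illustration; it works on an in-memory byte string and touches no real files.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what remains on the victim's disk: the AES-GCM ciphertext, its nonce, and
// the per-file AES key wrapped under the attacker's RSA public key. Nothing in it recovers the file.
type EncryptedFile struct {
	Nonce, Ciphertext, WrappedKey []byte
}

// newGCM builds an AES-GCM instance (AES as the block cipher, GCM as the mode) for a raw key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptHybrid encrypts one file with a fresh random AES-256 key and wraps that key with
// RSA-OAEP. The symmetric key does the fast bulk work; the asymmetric key means the secret
// needed for decryption never has to exist on the victim's machine.
func EncryptHybrid(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // 256-bit AES key, unique to this file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // random; must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// fileKey goes out of scope here; only the RSA-wrapped copy survives.
	return &EncryptedFile{Nonce: nonce, Ciphertext: ciphertext, WrappedKey: wrapped}, nil
}

// DecryptHybrid is what a decryptor handed over after payment has to do: unwrap the file
// key with the RSA private key, then reverse AES-GCM. GCM also authenticates, so a
// tampered ciphertext is rejected instead of silently decrypting to garbage.
func DecryptHybrid(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key (wrong or missing private key): %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// RoundTrip runs the scheme over a constructed sample "file" and reports whether the
// attacker's private key recovers it and whether an unrelated key pair is rejected.
func RoundTrip() (recovered, wrongKeyRejected bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048) // only the public half would ever ship
	if err != nil {
		return
	}
	bystander, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for any key the victim could try
	if err != nil {
		return
	}
	sample := []byte("Q3-payroll.xlsx: constructed sample content, not a real file")
	ef, err := EncryptHybrid(&attacker.PublicKey, sample)
	if err != nil {
		return
	}
	got, decErr := DecryptHybrid(attacker, ef)
	recovered = decErr == nil && bytes.Equal(got, sample) && !bytes.Contains(ef.Ciphertext, sample)
	_, decErr = DecryptHybrid(bystander, ef)
	wrongKeyRejected = decErr != nil
	return
}

func main() {
	ok, rejected, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Println("right key recovers file:", ok, "| wrong key rejected:", rejected)
}
```

The point to take away is in the struct: everything the victim is left with is either ciphertext or a key that is itself ciphertext under a public key. That is why offline backups matter more than any hope of “cracking” the files, and why a leaked or badly handled private key is the only technical way out.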

How Hackers Know How to Encrypt Files:

  1. Cryptography Knowledge:
    • Ransomware attackers do not need to be cryptographers. The hard mathematics is already implemented in standard libraries (operating system crypto APIs, OpenSSL, and the like), so what they have to understand is how to use them correctly: pick a sound algorithm and mode, generate keys randomly, and keep the decryption key off the victim’s machine. That level of knowledge is acquired through self-learning, online resources, or collaboration within cybercriminal communities. Getting it wrong is common: families that hard-coded keys, reused nonces, or wrote their own ciphers have been broken by analysts, which is how free decryptors come to exist.
  2. Previous Ransomware Variants:
    • Some attackers study and learn from previous ransomware variants. They may analyze the techniques used in successful attacks and adapt or modify them for their own purposes.
  3. Dark Web Forums and Marketplaces:
    • Cybercriminals may share information, tools, and expertise on dark web forums and marketplaces. This underground ecosystem provides a platform for the exchange of knowledge related to hacking, including cryptography.
  4. Specialized Tools:
    • In some cases, attackers leverage pre-existing, specialized ransomware toolkits that come equipped with encryption capabilities. In the ransomware-as-a-service (RaaS) model, developers maintain the malware and rent it to affiliates who carry out the intrusions, so even people with limited technical expertise can execute ransomware attacks.

Sources:

https://www.techradar.com/features/what-is-ransomware-and-how-does-it-work

Holding files for ransom. The Outlaws of the digital world.

Yildiz Culcu


Hi, I'm Yildiz Culcu, a student of Computer Science and Philosophy based in Germany. My mission is to help people discover the joy of learning about science and explore new ideas. As a 2x Top Writer on Medium and an active voice on LinkedIn and this blog, I love sharing insights and sparking curiosity. I'm an emerging decision science researcher associated with the Max Planck Institute for Cognitive and Brain Sciences and the University of Kiel. I am also a mentor and a public speaker available for booking. Let's connect and inspire one another to be our best!
