
How does Ransomware encrypt files


Pjans

Hi everyone, I have a question about how ransomware works.

According to the authors of this paper:

https://www.cise.ufl.edu/~traynor/papers/scaife-icdcs16.pdf

(pages 2-3), class C is: ransomware reads the original file, then creates a new, independent file containing the encrypted contents and deletes or overwrites (via a move) the original file. This class uses two independent access streams to read and write the data.

Could someone explain this a bit more? Because what I'm wondering is: ransomware opens the original file, then creates a new independent file (okay, so far so good), then copies the unencrypted content from the original file into the new file(?), encrypts it (so it encrypts the content of the new file) and overwrites or deletes the original file? Or does it encrypt the content of the original file, copy the encrypted content to the new file and then delete the original file?

It seems to be quite similar to scenario 3 of this file (page 6): 

https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_kharraz.pdf


and one more general question: Is it possible to encrypt a file without opening it? So without creating an IRP_Read or IRP_Create?

Thank you very much.

Edited by AdvancedSetup
Disabled live hyperlink
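The two-stream pattern the question describes (read the original through one handle, write the encrypted bytes into a newly created file through another, then delete or rename the original) is exactly the kind of sequence a minifilter-based detector watches for. The Python below is an added illustration, not code from either paper or from any poster: it walks a constructed file-access trace and flags processes that repeat that pattern across many files. The trace format (pid, operation, path), the process ids, the paths, the ".locked" suffix and the threshold of three are all assumptions invented for the example.

```python
"""Toy detector for the Class C file-access pattern described in the question."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ProcState:
    read_at: dict = field(default_factory=dict)         # original path -> index of its first READ
    created_new: set = field(default_factory=set)       # paths this process opened with a create-new disposition
    new_written_at: dict = field(default_factory=dict)  # new path -> index of its first WRITE
    victims: list = field(default_factory=list)         # originals removed after the two-stream pattern


def detect_class_c(events):
    """Map each pid to the originals that followed read -> write-to-new-file -> delete/rename.

    `events` is a list of (pid, op, path) tuples; the ops stand in for what a
    file-system minifilter sees (IRP_MJ_CREATE / READ / WRITE / SET_INFORMATION).
    """
    states = defaultdict(ProcState)
    for idx, (pid, op, path) in enumerate(events):
        st = states[pid]
        if op == "READ":
            st.read_at.setdefault(path, idx)
        elif op == "CREATE_NEW":
            st.created_new.add(path)
        elif op == "WRITE" and path in st.created_new:
            # second, independent stream: bytes go into a file this process itself created
            st.new_written_at.setdefault(path, idx)
        elif op in ("DELETE", "RENAME") and path in st.read_at:
            read_idx = st.read_at[path]
            # Class C: original read, a *different* new file written afterwards, original removed.
            # An in-place rewrite (read and write on the same file) never creates a new file, so it never matches.
            if any(w > read_idx for w in st.new_written_at.values()):
                st.victims.append(path)
    return {pid: st.victims for pid, st in states.items()}


def flag_processes(victims_by_pid, threshold=3):
    """One hit is everyday behaviour (an editor's save-as, an atomic temp-file write);
    the same pattern repeated over many user files by one process is the signal."""
    return {pid for pid, v in victims_by_pid.items() if len(v) >= threshold}


def _class_c_burst(pid, originals):
    """Constructed trace of one process applying the Class C pattern to each original."""
    out = []
    for p in originals:
        out += [(pid, "OPEN", p), (pid, "READ", p),
                (pid, "CREATE_NEW", p + ".locked"), (pid, "WRITE", p + ".locked"),
                (pid, "DELETE", p)]
    return out


# Constructed sample trace: pids, paths and the ".locked" suffix are invented for the example.
SAMPLE_TRACE = (
    _class_c_burst(4242, [r"C:\Users\alice\Documents\report.docx",
                          r"C:\Users\alice\Documents\budget.xlsx",
                          r"C:\Users\alice\Pictures\photo.jpg"])
    + [  # pid 777: an editor saving one file via a new file plus rename of the original
        (777, "READ", r"C:\Users\alice\notes.txt"),
        (777, "CREATE_NEW", r"C:\Users\alice\notes.txt.new"),
        (777, "WRITE", r"C:\Users\alice\notes.txt.new"),
        (777, "RENAME", r"C:\Users\alice\notes.txt"),
    ]
    + [  # pid 910: in-place rewrite through a single handle, no new file involved
        (910, "READ", r"C:\Users\alice\todo.txt"),
        (910, "WRITE", r"C:\Users\alice\todo.txt"),
    ]
)


if __name__ == "__main__":
    victims = detect_class_c(SAMPLE_TRACE)
    for pid, paths in victims.items():
        print(f"pid {pid}: {len(paths)} Class C victim(s)")
    print("flagged:", flag_processes(victims))
```

The threshold matters more than the pattern itself: a text editor doing "save as" or an atomic temp-file-then-rename produces one Class C-shaped sequence and must not be flagged, so the detector counts repetitions per process rather than reacting to a single occurrence. The in-place process (pid 910) never creates a second file, which is why a Class C rule alone says nothing about it; a real detector combines several indicators, as the cited paper does.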

Basically Encryption scrambles a file.  Forget anything about a "copy."  That scrambled file is based upon an algorithm and a Key.  That Key is used to scramble the file and is then used to unscramble the file back to its original format.

Different algorithms using the same Key will derive a different outcome.


2 minutes ago, JohnJohn409 said:

Thanks for that knowledge. I am kind of going through this problem now. I had my C: drive hidden from me; it was still on my system because I was able to find it by other means, I just no longer had access to do anything to it. 

Your issue is not ransomware. Please continue to work in your other topic to deal with your issue. No response to my post is needed, thanks.


Hiding a Hard Disk is a different story.  Encrypting a drive either means the tree structure is present but all or most files (depending on their File Extension) are scrambled or, in the case of a Solid State Drive, its Key was altered and its contents are no longer accessible.  The other case is that a System Policy can be set where the OS will deny seeing a particular Drive Assignment.  For example, a Policy can be set denying the view of Drive "E:".  It is possible to disable or remove that Policy and regain access to Drive "E:", or through Disk Management one can change the drive assignment to "F:" and then see the drive again, but still not be able to view anything that is subsequently assigned Drive "E:" such as removable media.

@Porthos indicates you have another, working, thread.  Please finish that thread before returning to this discussion.

Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar
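A responder who wants to tell a hidden drive from an encrypted one can check the drive-visibility policy described above rather than guess. The Python below is an added example, not part of the thread; it assumes (the thread does not name it) that the policy lives in the Explorer policy value `NoDrives` under `Software\Microsoft\Windows\CurrentVersion\Policies\Explorer` in either hive, stored as a DWORD bitmask with one bit per drive letter, bit 0 for A:. The decode/encode helpers run anywhere; the registry read only does anything on Windows.

```python
"""Decode the Explorer NoDrives policy bitmask (constructed example, not thread code)."""
import sys

# Assumed location of the per-user / per-machine policy (not named in the thread).
POLICY_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDrives"


def decode_nodrives(mask):
    """Bit n of the DWORD hides drive letter chr(ord('A') + n): 0x10 hides E:, 0x04 hides C:."""
    return [chr(ord("A") + bit) for bit in range(26) if mask & (1 << bit)]


def encode_nodrives(letters):
    """Inverse of decode_nodrives, handy for comparing a found value against an expected baseline."""
    mask = 0
    for letter in letters:
        mask |= 1 << (ord(letter.upper()) - ord("A"))
    return mask


def is_hidden(mask, letter):
    """The policy is keyed on the letter, not the volume: remapping E: to F: escapes a mask that only covers E."""
    return bool(mask & (1 << (ord(letter.upper()) - ord("A"))))


def read_nodrives_policy():
    """On Windows, read NoDrives from both hives; elsewhere return an empty dict."""
    if sys.platform != "win32":
        return {}
    import winreg
    found = {}
    for name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
                value, _ = winreg.QueryValueEx(key, POLICY_VALUE)
                found[name] = decode_nodrives(int(value))
        except OSError:
            pass  # key or value absent: no policy set in that hive
    return found


if __name__ == "__main__":
    live = read_nodrives_policy()
    print("NoDrives policy found:", live or "none (or not running on Windows)")
    sample = encode_nodrives(["E"])  # constructed value: hide E: only
    print(f"mask 0x{sample:02X} hides {decode_nodrives(sample)}; F: hidden? {is_hidden(sample, 'F')}")
```

Because the mask is indexed by letter, the Disk Management trick of reassigning the volume from E: to F: makes it visible again while anything later assigned E: stays hidden, which is exactly what `is_hidden` shows for the constructed mask.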

4 hours ago, David H. Lipman said:

Basically Encryption scrambles a file.  Forget anything about a "copy."  That scrambled file is based upon an algorithm and a Key.  That Key is used to scramble the file and is then used to unscramble the file back to its original format.

Different algorithms using the same Key will derive a different outcome.

@David H. Lipman thank you for your answer, but it isn't really what I'm looking for. You're right of course, crypto-ransomware encrypts files and can use different symmetric/asymmetric key (pairs), but the thing is... there are several ways in which it can encrypt a file: please have a look (if you have time) at the end of page 2 of this paper (and the beginning of page 3): 

https://www.cise.ufl.edu/~traynor/papers/scaife-icdcs16.pdf


Edited by AdvancedSetup
Disabled live hyperlink

Yes.  There are numerous algorithms. I have seen it and lived it.  I remember Cryptovirology was described in an IEEE paper and approx. 10 years later the first predictive file encrypters were implemented.  Then came the requirement for FIPS-140-2 compliance.  Once Microsoft created their CryptoAPI that was compliant with FIPS-140-2, cryptovirology was made "easy" for the masses.

References:
https://en.wikipedia.org/wiki/FIPS_140-2

