Types of ransomware encryption
To understand how to prevent ransomware encryption, we should first look at how ransomware encrypts files and what the major types of ransomware encryption are.
1. Replacers – ransomware variants that replace existing content with the corresponding encrypted content in the same file
Such variants limit the entire process to reading from and writing to the file being encrypted. They do not delete, create or rename files. The ransom note is embedded in the compromised files themselves, alongside the encrypted content.
The basic encryption process consists of the following:
- read a block of file content;
- encrypt that block in memory;
- overwrite the original block in the file with the encrypted block;
- repeat until the entire file is encrypted;
- add the ransom note content at the beginning of the file.
The files attacked by such ransomware keep their original extension, so a compromised folder looks the same as a healthy one; only the file contents are encrypted. This means that, without tools to prevent ransomware encryption, the victim only realizes there is an attack when opening a corrupted file. Such attacks therefore take longer to detect and, consequently, more files are lost.
Example of replacer ransomware encryption
Spora is a ransomware variant that follows the “replacer” pattern. You can read more about it in our dedicated material.
How to prevent ransomware encryption for replacers
To prevent ransomware encryption performed by replacers, you need dedicated anti-ransomware technology that detects this simple flow of operations and is able to identify it as malicious. Technologies that only look at file dynamics (which files are created, renamed or deleted) and are content unaware have a lower chance of detecting such attacks, because none of those operations take place. Hence, a good solution also takes into consideration what happens to the file contents in memory (for example, a file that no longer starts with the header its extension implies, or whose content suddenly becomes high-entropy) and how that correlates with the basic file operations occurring at the time. Such variants are more difficult to detect than generic ransomware that uses other files to store the encrypted content.
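As an added illustration of the content-aware check described above (example code written for this article, not code from the original page or from any TEMASOFT product), the following compares a file's content before and after an in-place write. It combines two signals: the file losing the magic bytes its extension implies (a prepended ransom note or an encrypted header does exactly that) and a jump in Shannon entropy into the ciphertext range. The magic-byte table and the sample file contents are constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Magic bytes a well-formed file with this extension starts with.
# Illustrative table: a real detector needs a far larger one.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",   # OOXML documents are ZIP containers
    ".zip": b"PK\x03\x04",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_matches(ext: str, data: bytes) -> bool:
    """True if the content still starts with the magic bytes its extension implies.
    Unknown extensions get the benefit of the doubt."""
    magic = MAGIC.get(ext.lower())
    return magic is None or data.startswith(magic)


def classify_overwrite(ext: str, before: bytes, after: bytes) -> list:
    """Compare a file's content before and after an in-place write.

    Returns a list of indicators; an empty list means the write looks benign.
    Two signals are combined because neither is enough on its own:
    - a file that had a valid header and lost it (ransom note prepended, or
      header encrypted) is suspicious regardless of entropy;
    - a large entropy jump into the ciphertext range catches plain-text
      formats, but compressed formats (zip, docx, png, jpg) are already
      high-entropy, so only the header check fires for them.
    """
    indicators = []
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    if header_matches(ext, before) and not header_matches(ext, after):
        indicators.append("magic bytes lost")
    if e_after >= 7.0 and e_after - e_before >= 1.5:
        indicators.append(f"entropy jump {e_before:.2f} -> {e_after:.2f}")
    return indicators


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out = b""
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]


# Constructed sample data: a PDF-like text file, the same file after an in-place
# encryption that prepends a ransom note, and a benign edit of the original.
SAMPLE_PDF = b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" * 80
RANSOM_NOTE = b"YOUR FILES HAVE BEEN ENCRYPTED. Contact us to recover them.\n"
ENCRYPTED_PDF = RANSOM_NOTE + _pseudo_random(4096, b"constructed-file-1")
EDITED_PDF = SAMPLE_PDF.replace(b"1.7", b"1.4")
SAMPLE_DOCX = b"PK\x03\x04" + _pseudo_random(4096, b"constructed-zip")  # already high entropy
ENCRYPTED_DOCX = RANSOM_NOTE + _pseudo_random(4096, b"constructed-file-2")

if __name__ == "__main__":
    for name, ext, before, after in [
        ("pdf encrypted", ".pdf", SAMPLE_PDF, ENCRYPTED_PDF),
        ("pdf edited", ".pdf", SAMPLE_PDF, EDITED_PDF),
        ("docx encrypted", ".docx", SAMPLE_DOCX, ENCRYPTED_DOCX),
    ]:
        print(f"{name:15s} -> {classify_overwrite(ext, before, after) or 'benign'}")
```

In a real product this check runs inside a file system filter, on the buffer about to be written, so the write can be blocked rather than reported after the fact; the docx case shows why the entropy signal alone would miss every compressed format.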
2. Generic ransomware – follows the general approach when it comes to encrypting files.
Such variants use the most widespread encryption technique: they create new files containing the encrypted content and delete (or securely delete) the original files. They perform more file operations and fewer in-memory operations: content is read into memory, encrypted and written to a new file, and the original file is then removed.
The basic encryption process consists of the following:
- read the original file contents;
- encrypt the content in memory;
- create a new file;
- write the encrypted content to the new file;
- append a “signature” extension to the new file name (after the original extension) to mark it as compromised;
- continue until the entire original file is encrypted;
- delete the original file;
- some ransomware also removes the Volume Shadow Copies or overwrites the original file's sectors on disk with zeros, to prevent recovery of the original file.
As can be seen, such variants leave a larger footprint on the target machine. They perform more operations in a more complex pattern, involving security-sensitive operations such as file deletion. Although still difficult to detect, such variants have a bigger chance of triggering alerts, either from the user operating the target machine or from security software. When looking at a folder containing compromised files, the user may notice anomalies: files with unusual extensions, ransom notes with telling titles, and so on.
Examples of generic ransomware encryption
The Crysis ransomware family exhibits the above behavior when it comes to encrypting user files. Read more about it in our dedicated article.
How to prevent ransomware encryption for generic ransomware
To prevent ransomware encryption for generic ransomware, you need anti-ransomware technology capable of identifying the pattern described above. This involves watching for new files being created and original files being deleted, and interpreting the rest of the file operations (how many files are affected, how quickly, and by which process) to filter out false positives such as a user saving a file under a new name, and only point out ransomware activity.
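As an added example of that pattern matching (written for this article; not the original page's code and not a TEMASOFT product), the following pairs each "create X.extra-extension" event with a later "delete X" event from the same process and reports a process only after several distinct originals have gone through the full cycle, which is what separates ransomware from a save-as or an archiving tool. The log format, the process IDs, the paths and the ".locked" extension are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed file-system event log (not from any real product). One line per
# operation, as a minifilter or auditing tool might record it.
SAMPLE_LOG = r"""
pid=4242 op=read   path="C:\Users\ana\Documents\report.docx"
pid=4242 op=create path="C:\Users\ana\Documents\report.docx.locked"
pid=4242 op=write  path="C:\Users\ana\Documents\report.docx.locked"
pid=4242 op=delete path="C:\Users\ana\Documents\report.docx"
pid=1337 op=create path="C:\Users\ana\Documents\notes.txt.bak"
pid=1337 op=write  path="C:\Users\ana\Documents\notes.txt.bak"
pid=1337 op=delete path="C:\Users\ana\Documents\notes.txt"
pid=4242 op=read   path="C:\Users\ana\Documents\budget.xlsx"
pid=4242 op=create path="C:\Users\ana\Documents\budget.xlsx.locked"
pid=4242 op=write  path="C:\Users\ana\Documents\budget.xlsx.locked"
pid=4242 op=delete path="C:\Users\ana\Documents\budget.xlsx"
pid=4242 op=read   path="C:\Users\ana\Pictures\holiday.jpg"
pid=4242 op=create path="C:\Users\ana\Pictures\holiday.jpg.locked"
pid=4242 op=write  path="C:\Users\ana\Pictures\holiday.jpg.locked"
pid=4242 op=delete path="C:\Users\ana\Pictures\holiday.jpg"
pid=2001 op=create path="C:\Users\ana\Downloads\archive.tar.gz"
pid=2001 op=write  path="C:\Users\ana\Downloads\archive.tar.gz"
pid=4242 op=read   path="C:\Users\ana\Documents\thesis.pdf"
pid=4242 op=create path="C:\Users\ana\Documents\thesis.pdf.locked"
pid=4242 op=write  path="C:\Users\ana\Documents\thesis.pdf.locked"
pid=4242 op=delete path="C:\Users\ana\Documents\thesis.pdf"
pid=4242 op=create path="C:\Users\ana\Documents\HOW_TO_RECOVER.txt"
"""

EVENT_RE = re.compile(r'pid=(?P<pid>\d+)\s+op=(?P<op>\w+)\s+path="(?P<path>[^"]+)"')


def parse_log(text: str) -> list:
    """Turn log lines into (pid, op, path) tuples, skipping anything unparseable."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append((int(m["pid"]), m["op"].lower(), m["path"]))
    return events


def original_of(path: str):
    """For report.docx.locked return report.docx; None if the name has no extra extension."""
    stem, dot, _ext = path.rpartition(".")
    file_name = re.split(r"[\\/]", stem)[-1]
    return stem if dot and "." in file_name else None


def detect_encrypt_and_delete(events: list, threshold: int = 3) -> dict:
    """Per process, pair 'create X.<ext>' with a later 'delete X'.

    A single pair is what a save-as or a backup tool also produces, so a
    process is only reported once `threshold` distinct originals went through
    the full create-new-file then delete-original cycle.
    """
    pending = defaultdict(dict)    # pid -> {original path: new encrypted path}
    completed = defaultdict(list)  # pid -> [(original, new), ...]
    for pid, op, path in events:
        if op == "create":
            orig = original_of(path)
            if orig is not None:
                pending[pid][orig] = path
        elif op == "delete" and path in pending[pid]:
            completed[pid].append((path, pending[pid].pop(path)))
    return {pid: pairs for pid, pairs in completed.items() if len(pairs) >= threshold}


if __name__ == "__main__":
    for pid, pairs in detect_encrypt_and_delete(parse_log(SAMPLE_LOG)).items():
        print(f"pid {pid}: {len(pairs)} files encrypted-then-deleted")
        for original, new in pairs:
            print(f"  {original} -> {new}")
```

Process 1337 (one save-as) and process 2001 (creates archive.tar.gz but never deletes anything) stay below the threshold; only process 4242 is reported. Variants that rename the original instead of creating a new file need a "rename" branch with the same pairing logic, and a time window per process keeps a slow-running backup job from accumulating pairs over hours.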
3. Ransomware attacking the entire HDD volumes (full disk encryptors)
Another important variation of ransomware is the one that encrypts an entire disk volume. To do so, it first replaces the system boot code with its own, reboots the machine so that its code runs instead of the operating system, and then encrypts the partitions (or the on-disk structures needed to read them). Such ransomware is impossible to detect during the encryption process simply because, at that point, the operating system is not running, and neither is any security application. Hence, such ransomware must be stopped before it gets the chance to install its own boot code.
Typically such ransomware performs the following operations:
- modifies the Master Boot Record to load its own code at next reboot;
- causes a critical “stop” error in the system, to trigger a reboot;
- on reboot, the ransomware code will boot up instead of the OS;
- the ransomware code applies volume encryption to the HDD;
- a ransom note is displayed.
Obviously, the operating system does not boot again until the ransomware is removed. Even when the ransom is paid, such ransomware frequently fails to restore the system. There are various combinations of this behavior with wiper-like behavior or with generic ransomware. An example of ransomware attacking the MBR and applying full disk encryption is HDDCryptor.
Examples and variations of full disk encryption
A combination between a wiper and a full volume encryptor would alter the partition table along with performing the full disk encryption. An example is the RedBoot ransomware.
Double encryption: a combination between generic (file-level) ransomware and a full disk encryptor. Such variants apply both file-level encryption and disk-level encryption to the target machine. A good example in this respect is Petya ransomware.
How to prevent ransomware encryption for boot ransomware
To prevent ransomware encryption by full disk encryptors, you need anti-ransomware technology able to detect and block malicious attempts to modify the Master Boot Record, while still recognizing legitimate attempts to modify the MBR (operating system installation, boot loader updates, disk management tools) and allowing those changes to take place. If such ransomware is not stopped before the MBR is compromised, it is highly unlikely that anything can be done to recover at a later stage.
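As an added example of the kind of check involved (written for this article; not the page's own code or a TEMASOFT product), the following parses a raw MBR sector into its boot code, partition table and boot signature, baselines it, and reports which part changed. That distinction matters because the two behaviors described above look different on disk: a boot ransomware replaces the 446 bytes of boot code, while a wiper-like variant alters the partition table. The sample sector and the two tampered copies of it are constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot code, the part a bootlocker replaces
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into the pieces worth baselining."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[start:start + 16])
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def compare_mbr(baseline: dict, current: dict) -> list:
    """Findings that distinguish a bootlocker (boot code replaced) from a
    wiper (partition table altered); an empty list means nothing changed."""
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    for i, (old, new) in enumerate(zip(baseline["partitions"], current["partitions"])):
        if old != new:
            findings.append(f"partition entry {i} changed")
    return findings


def _partition_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields are set to 0xFFFFFF, as modern LBA-only tools do.
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0, b"\xff\xff\xff",
                       ptype, b"\xff\xff\xff", lba_start, sectors)


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code and one bootable NTFS (type 0x07) partition."""
    boot_code = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 56)[:BOOT_CODE_LEN]
    table = _partition_entry(True, 0x07, 2048, 204800) + b"\x00" * 48
    return boot_code + table + BOOT_SIGNATURE


# Two constructed tamperings of the same sector.
CLEAN_MBR = build_sample_mbr()
BOOTLOCKER_MBR = b"\xeb\x00" + hashlib.sha256(b"malicious loader").digest() + CLEAN_MBR[34:]
WIPER_MBR = CLEAN_MBR[:PARTITION_TABLE_OFFSET] + b"\x00" * 64 + BOOT_SIGNATURE

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)
    for name, sector in [("clean", CLEAN_MBR), ("bootlocker", BOOTLOCKER_MBR), ("wiper", WIPER_MBR)]:
        print(f"{name:11s}: {compare_mbr(baseline, parse_mbr(sector)) or 'no change'}")
```

To run this against a live machine, read the first 512 bytes of the physical disk (for example `\\.\PhysicalDrive0` on Windows, `/dev/sda` on Linux; both require administrative rights), store the parsed baseline, and re-take it after any legitimate boot-code change such as an OS installation or a boot loader update. Because boot ransomware reboots the machine right after writing sector 0, a product has to intercept the raw write itself rather than poll; the comparison above is the decision logic, not the interception. On UEFI/GPT systems sector 0 holds only a protective MBR and the boot code lives in the EFI System Partition, so this check covers legacy BIOS boot only.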
In general, ransomware uses two types of encryption: symmetric and asymmetric, with various key strengths and algorithms. Let’s have a look at both types and then see how they are used by ransomware:
Symmetric-key algorithms use the same key to encrypt the plaintext content and to decrypt the ciphertext (encrypted content). The advantage of these algorithms is their speed: they are much faster than asymmetric-key algorithms. Their weakness, when used alone by ransomware, is not the strength of the cipher but key management: the very key that decrypts the files must be present on the victim machine while the files are encrypted, where it can be recovered from memory, from disk or from the ransomware binary itself.
Well-known examples of symmetric-key algorithms are Blowfish and AES. Both use the same key for both the encryption and the decryption processes. They are commonly used by ransomware, such as Globe ransomware, which uses Blowfish to encrypt file contents. Security vendors reverse engineer such ransomware and, in many cases, recover hard-coded or predictably generated keys and successfully build decryption tools.
Asymmetric-key algorithms use a pair of keys: content is encrypted with the public key, which can be freely distributed because it cannot be used for decryption, and decrypted with the private key, known only to the attacker. Because the private key never has to be present on the victim machine, the encryption cannot be reversed without the attacker's cooperation. However, these algorithms are slow, so encrypting every file directly with them is not a feasible option for ransomware, where speed of encryption is crucial for the success of the infection.
A well-known example of an asymmetric-key algorithm is RSA, used by ransomware like Cerber. Cerber uses three layers of encryption, two of them based on RSA. So far, no decryption tools are available for correctly implemented ransomware based on asymmetric encryption, unless the attacker's private keys are leaked or seized.
Combinations of symmetric and asymmetric encryption
The strongest ransomware out there uses multiple layers of encryption, combining symmetric and asymmetric algorithms. One example is CryptoLocker, which uses symmetric encryption for the file contents (256-bit AES) and then adds a layer of asymmetric encryption (RSA) to encrypt the symmetric keys. Similarly, Cerber uses symmetric encryption for the contents of files (RC4) and then adds another two layers of encryption to protect the symmetric keys (RSA).
By combining symmetric and asymmetric encryption, ransomware gets the speed of symmetric encryption for encrypting file contents by the thousands, and the strength of asymmetric encryption for protecting the symmetric keys, which is a one-time (or once-per-file) operation. Once a symmetric key has been encrypted with the attacker's public key and wiped from memory, only the attacker's private key can recover it. It is a smart way to offset the weaknesses of each method by combining them.
Why is it important to prevent ransomware encryption?
There are ransomware victims who believe it is easier to pay a ransom and get the files back. It is an appealing way to manage the crisis of a ransomware incident. In theory, you get the files back in hours, and you may be up and running again within the same day.
However, the reality is different. Successful recovery after paying the ransom is far from guaranteed. In many cases something goes wrong and the files are not entirely recovered, and even when they are, there is still much more downtime than anticipated. Here are some types of ransomware that prove attackers do not always intend, or are not always able, to give you the files back:
Ransomware that encrypts files but does not allow recovery, either for technical reasons (there are bugs in the code that make recovery impossible) or because of IT infrastructure issues on the attackers' side, such as their payment or key servers being taken down.
Ransomware that simply destroys data without any intent to ever recover it. Such ransomware may use encryption without implementing any decryption functionality, or may simply delete or overwrite files (in which case it is called a “wiper”). An example of such ransomware is ExPetr/Petya/NotPetya.
Hence, relying on cybercriminals to restore data is obviously not the best way to go. This is the first reason why you should prevent ransomware encryption. The best way to minimize the impact of ransomware attacks is to prevent them in the first place. For good prevention, a combination of software solutions and security processes must be adopted in a multi-layered security strategy. For best results in preventing ransomware encryption, such strategies should contain:
- employee security awareness training;
- antivirus technology;
- anti-ransomware technology;
- email security solutions;
- patch management and vulnerability assessment solutions.
TEMASOFT offers anti-ransomware technology able to identify all types of ransomware encryption and can also allow file restore in the unlikely case when the ransomware attack is not stopped.
What to do when ransomware prevention fails
If ransomware prevention fails, you may be able to recover with decryption tools found online, from a backup, or with the recovery features of your anti-ransomware product:
- search for decryption tools and advice online. One of the best resources in this respect is the NoMoreRansom website. If you are able to find a decryption tool for your variant, there is a good chance you can recover the data;
- recover the files from a backup; this means you lose the files changed between the last backup and the ransomware attack, but it is still a way of being up and running relatively fast, provided the backup itself was not reachable, and therefore encrypted, by the ransomware;
- if you have anti-ransomware technology installed that is also able to recover data, use the vendor-specific data recovery procedures.
For more information, follow us on social media and subscribe to our newsletter.