MITRE ATTACK: T1468 – Data Encrypted for Impact
Written By: Austin Miller
Encrypting data to force an organization’s hand has been a part of the adversary’s arsenal since the late 80s, but advanced techniques are now causing ransomware to one of the top concerns for CISOs and other security leaders. By combining otherwise legitimate and common encryption practices and algorithms, threat actors not only shut down business operations but also hold sensitive data such as PII and PHI to hold extortion over the victim’s head.
Although the tactics of techniques of the adversary have changed since the first ever “ransomware” – the brainchild of the eccentric Dr. Popp, who would later avoid prosecution for his malware by wearing a cardboard box to protect himself from radiation – the most damaging ransomware use similar techniques that consistently work against everyone from unsuspecting home users to governmental institutions.
How is data encryption used by the adversary?
WannaCry. Nefilim. Cryptolocker. RangarLocker. It’s not hard to build a rogue’s gallery of ransomware that has caused havoc for security professionals, business leaders, hospital staff, and other would-be victims. But thanks to poor reporting in the mainstream media and some presupposed knowledge from some technical repositories, the question “how do ransomware gangs use encryption?” goes unanswered.
In truth, they aren’t doing anything special. They use symmetric encryption, asymmetric encryption, or a hybrid of the two to lock down the systems of their victims. As noted in the Red Report, there are 37,987 existing samples of ransomware that largely use the same techniques, generally only varying in their choice of encryption method.
Symmetric encryption and ransomware
Desirable due to its speed and simplicity, symmetric encryption was initially popular for encrypting files on a victim’s machine. However, this technique no longer works and hasn’t since the first “proto-ransomware” appeared in 1989. Dr. Popp’s AIDS Trojan – which worked by loading software to a machine and then encrypting all files after it had been restarted 90 times – was quickly remedied by security researchers, allowing the victims to avoid the modest $189 unlocking fee.
<AIDS Trojan>
Because the secret key used to decrypt the files is stored on the victim’s machine, all it takes to fix the problem is an eagle-eyed security researcher who has spotted the key. From this point, it just takes some backwards engineering to create a tool that decrypts the files.
Although this method is unsuccessful alone, symmetric encryption algorithms such as AES, DES, 3DES, Salsa20, ChaCha20, and Blowfish are still used by the adversary to this day.
Asymmetric encryption and ransomware
By introducing a private key and a public key, the adversary using asymmetric encryption now has a stronger position when a machine is inflected. Not only is the final piece – the private key – of the ransomware puzzle in the hands of the ransomware gang, but different public keys can be generated for each machine. This means the painstaking task of analyzing the public key may actually only get a security professional a little closer to unlocking a singular machine as opposed to cracking the entire code.
But this method isn’t watertight for the threat actor either. Asymmetric encryption is slower than its symmetric counterpart, meaning that IT teams with their finger on their network’s pulse may intervene before the adversarial attack takes hold.
We see a lot of asymmetric encryption methods today, mainly RSA. But just like symmetric encryption, it’s not generally used on its own.
Hybrid encryption
This is the chosen approach of the modern adversary – using a combination of symmetric and asymmetric techniques to cover the weaknesses of the respective techniques when separate. This means that the adversary almost always uses a combination of a symmetric method and an asymmetric method. Three particularly infamous ransomware examples use the following algorithms:
| Ransomware | Symmetric encryption algorithm | Asymmetric encryption algorithm |
| Nefilim | AES | RSA – 2048-bit |
| REvil | Salsa20 | RSA – 2048-bit |
How does the adversary use cryptographic keys?
Although a growing number of encrypting malware samples are targeting Linux or macOS using languages such as Go, the vast majority of ransomware attacks take aim at Windows machines. Thanks to the suite of tools included with Windows systems, living off the land (LotL) attacks are easy for ransomware gangs to important cryptographic keys and encrypt files easily.
For example, Nefilim uses the Microsoft Enhanced Cryptographic Provider to important the keys and then encrypt data. By leveraging Windows APIs for symmetric and asymmetric algorithms, the adversary always has an easy way to cause havoc on a system.
How do I defend my systems?
Standard defences against ransomware is always recommended for countering malicious encryption, but the MITRE ATT&CK framework offers two mitigations that will help your resistance against the adversary:
