CyberWire Daily - Decrypting ransomware for good. [Research Saturday]
Episode Date: October 12, 2019
Michael Gillespie is a programmer at Emsisoft, as well as a host of the popular ID Ransomware web site that helps victims identify what strain of ransomware they may have been infected with, and what ... decryptors may be available. He's written many decryptors himself, most recently for the Syrk strain of ransomware.
Links to the research and Michael's work:
https://blog.emsisoft.com/en/33885/emsisoft-releases-a-free-decryptor-for-the-syrk-ransomware/
https://id-ransomware.malwarehunterteam.com/
https://www.youtube.com/user/Demonslay335
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
In most cases, it can be difficult. There's a lot of like reverse engineering, a lot of playing
with the ransomware. That's Michael Gillespie. He's a programmer at Emsisoft.
He's written decryptors for a number of high-profile ransomware strains,
and he runs the ID Ransomware website, along with a popular YouTube channel
where he demonstrates how he writes his decryptors.
Most recently, he wrote a decryptor for the Syrk strain of ransomware.
That's where we began our conversation.
Lots of various techniques we have to do.
Sometimes I can't even reverse it myself. I have to
kind of call upon some teammates to help me. In this case, it was honestly a very easy one to
reverse. Kind of those difficulties didn't really apply.
And what made it easy?
Honestly, part of it is just how it was built with a language called .NET. It's just a very
easy language to reverse back almost
to the exact source code. I can just put it into a decompiler and read exactly what the original
source code was. There's not a lot of going through a debugger or anything like that in
most cases. And so in this case, once you're able to do that and you see the methods that
they're using for encryption, what did you discover?
So in this one, there was a pretty, I want to say common flaw with how they handle the key.
Sometimes I have to still be vague in case they're still active.
Sure.
In this case, there's no way for me to know how active they were just, you know, based on the infection vector with it being like a fake Fortnite cheat client. It's also
one of those cases where there
might not be many victims who report that they're infected. I kind of get this with, there's another
ransomware that's extremely large right now that I've been fighting for over a year, that
all of the victims come from kind of the same thing, downloading some type of an illegal tool
or cheat thing, and they're sometimes not really forthcoming about that. You know, hey, I'm a
victim. I got infected, but I was also kind of doing something dirty. Right, right, right. Yeah.
Interesting. Well, can you give us some insight, sort of the spectrum of what you run into in terms
of the range of sophistication when it comes to these folks implementing different types of
encryption technologies?
Pretty much any and anywhere. I mean, over my career, so to say, I've seen anywhere from,
you know, you get basic XORing, or you have, say, a really sophisticated encryption scheme. Kind of like the larger players usually do more sophisticated, like TeslaCrypt back in
the day was pretty advanced. It used a lot of elliptic curves. Honestly, I worked a lot with the researcher who broke that one, and he actually
gave me his detailed notes on it. I understood his notes, but I don't think I'd have been able to
figure that out myself. It was pretty advanced, especially when they got to TeslaCrypt 4.0,
when they fixed their flaws, they added additional layers of complexity, and it took
me a while once he gave me the notes on how he reversed that one. I had a little difficulty
because it was like multiple layers of elliptic curve technology and a ton of math. You get
anywhere from that craziness that's just kind of slightly above my head, almost, to just really stupid ones with a static,
here's the exact same key that's going to be used every time, or just simple XORing or something
like that. They're using sort of off-the-shelf kind of stuff sometimes.
Yeah. In terms of like off the shelf ransomware, so to say. I have seen some that use commercial products for encryption.
One example was a campaign that I think they used the product TrueCrypt and they used it because
it's a secure, actually vetted product. And they just basically abused it, generate some random
key. And in that case, we couldn't break it because it was actually a human like on the machine running the malware, copying the key to their clipboard and back, you know, saving it back on their computer.
So it's not like the key was generated somewhere that we know of.
There's also been I believe there is one that used a library.
I can't quite remember the name, but it was another commercial encryption library.
It's somewhat common.
I mean, when it comes to using encryption, the best thing, even just in general, not for ransomware, but the best thing is to never roll your own crypto.
There have been some ransomware that are hilariously broken because they tried to invent their own crypto that didn't quite work out for them.
I see.
So they exceeded their own sophistication when it came
to being able to do that. Yeah. I mean, that's why you see a lot of ransomware, like probably
the number one algorithm you're going to see is AES because that's, you know, known to be secure
if they're generating and handling the keys right is another thing. But that's usually where we look
for a flaw. If we see that using AES and we confirm it's properly implemented, I've seen some custom
implementations of AES that were wrong.
I think one of them might have led to breaking it.
Usually if they get it correct enough, it's not decryptable, at least by breaking the
algorithm.
I see.
Well, walk me through the actual process.
When you are presented with a new strain of ransomware and you're initially taking a look at it to evaluate how you're going to go at it, just from the beginning, walk us through how you go about that.
I actually make videos of how I do this. Oh, great.
Kind of from a beginner perspective. The very first one, I was pretty nervous. It was the first time I recorded like a video on my own. So I kind of stutter a bit, but I kind of do go over
the points of like from beginning, what's my thought process. And if I remember right, I had
like three main objectives in the first video. The first one is, is this a ransomware? Because
I'm just given them,
you know, in most cases, I'm just given an executable by a victim and they're just suspicious
thinking, you know, this, I think this is what infected me. It's not always the case. You know,
it might just be that their system just has a crap ton of other malware on it.
Oh, yeah.
So, the first thing is, is this a ransomware? So I kind of show how, as I'm analyzing it, some indicators.
I might like look at the strings in the malware and I might see parts of the ransom note or I might see like certain functions that I know are used for cryptography.
Those are usually pretty good clues that, OK, this this might be a ransomware.
My second objective is usually how can I identify this? So like,
is this a new ransomware or is it just a rehash of an existing family? You know,
does it leave an extension? What does its ransom note look like? What does the encryption look like?
Does it leave a file marker? My main goal for that is for how to identify this on my service
ID ransomware so that I can feed some indicators in there to identify when victims upload their files.
So then the third thing I keep in mind is, can I break it?
I'll look for clues to see, you know, what type of encryption it's using, if it's secure, kind of what their crypto scheme, how they're using the encryption.
If they're encrypting keys, if they're doing
different layers of encryption with different algorithms, if there's a weak point in that,
then I kind of look into how they're generating the key. Sometimes also just thinking of some
outside of the box, like any way of attacking it, basically. Now, when you're doing those comparisons
to previously known strains of ransomware, is there any automation there or is that a manual process
or is it a combination of the two?
It's definitely a combination.
Honestly, one of the first steps I do,
if I'm not completely sure, is I'll run them out.
I kind of do this in tandem when I am analyzing it,
like say in a decompiler or a debugger.
I also might execute it and actually run it on a virtual machine
and then just grab
the encrypted files and compare them to the originals because I have like some bait files
that I know what they're supposed to look like and kind of compare what they look like afterward.
I'll kind of be doing that, but I'll also, as soon as I get the encrypted file and the ransom
note, I'll actually submit them to my own website, because at this point it identifies over 700 ransomware, and sometimes
I get them so mixed up in my mind anymore. Sure. Yeah. Because I'll be like, that extension
looks kind of familiar, or that note, the text looks familiar, but nowadays so many ransomware are
just spoofing and copying each other. So even if the note sounds familiar to me,
I can't really trust that because they just keep copying each other's notes nowadays.
It's really annoying.
What happens when you run into something that isn't actually ransomware that might be pretending
to be? I'm thinking of, we've heard of some of these strains that are merely destructive.
I've run into maybe one of those myself. I want
to say I sometimes don't analyze the more sophisticated ones because I am honestly
kind of a beginner still. So like the stuff like Petya and WannaCry, those were above my head on
analyzing those at the time. Of course, that was also several years ago with a lot less experience under my belt. So I think I have run into one ransomware that I can think of that was destructive
and I was able to prove that it didn't do any encryption at all. It just wrote random garbage
to files. Usually if I do discover that, it's kind of the gray line, whether that is ransomware,
of course, since it's not encrypting, but I still kind of put a PSA out there.
If it has an indicator, like if it uses an extension or something, I'll still add it to my website in case someone does upload.
Then I can point them to a source saying, don't pay because it's no good.
Every bit of information helps the community.
Yep.
So it kind of depends on the circumstance.
If I kind of get frustrated, I might pass it on to someone else. I want to say it leaves my envelope of interest when the crypto is not there.
sorts of things. You know, you have a certain level of knowledge and sophistication. Certainly,
there are people coming up behind you who are newer at this, but there are also folks who have skills that exceed your own. And how do you all communicate with each other and share things
and learn from each other? You know, of course, I've got internal assets with the analysts at
Emsisoft. It's kind of interesting, because my angle of getting into this is separate from anyone
else's, because everyone else started out with analyzing malware just in general, any viruses,
worms, trojans, you know, all of that. They're focused on analyzing malware and being able to protect
their customers from it and stuff like that, and I kind of jumped into the game. I only care about ransomware.
So I don't come from a background of, you know, that foundation of just malware and then transforming it into ransomware. It's pretty similar in terms of the process of how you reverse
it. It's just the ransomware kind of adds the crypto to it. So there's a little more,
just like an extra layer on top of it. So I do have those internal assets at Emsisoft with the lab guys.
One of those, including the famous Fabian Wosar.
He kind of mentors me in some respect.
But then I also am part of kind of a more vendor agnostic group called Ransomware Hunting Team.
And we actually, I'm one of the kind of founding members of it from several years ago.
I can't name a lot of names, but it's almost semi-underground sort of. We have a lot of members from different antivirus companies and cybersecurity companies.
We just like have a Slack channel that we communicate with a lot of the ransomware and
hunting it and trying to break it down.
Avengers assemble, right?
Exactly.
Yeah.
Well, and I suppose, I mean, it must be particularly gratifying when you're able to
successfully publish a decryptor for something like this.
Yep, it definitely is.
I've been writing decryptors for several years now, and some are a little more, I want to
say some are a little more satisfying than others.
How so?
Well, for instance, probably one of the ones I'm most proud of was a ransomware called Vortex.
It was mostly attacking victims in Poland.
I actually kind of touched on this in one of my videos, but I didn't go into the full story, I don't think.
But basically, the ransomware was using a public password generator to make the
encryption password. It's like reaching out to an API on a website of someone that had a "generate a
40-character password using my site" type of thing. So I actually had reached out to the owner of that
website, and I didn't expect him to be logging passwords, he explained. You know, I was like, I read
the owner's blog and I
could tell he was pretty security conscious. And I actually could see like the front end code
kind of looked like he kind of was being very conscious of not storing passwords and stuff
like that. But of course, you know, you still have to, if you're generating a password on a website,
you still got to be judgmental of it. So I kind of, I kind of approached him. I was like, hey, I've got this
ransomware that's encrypting victims' files, and it's getting the password from your website.
Is there something we can do to try to combat this? And basically through a series of emails,
I kind of anonymously, he was able to provide me some of the code that he used to generate
the password, but it ended up being like it was muddied. Basically, it was a PHP server. He had the password generation script running inside of WordPress.
The way that I would attack that key gen by predicting its passwords was really complicated
with the way that WordPress kind of already seeded the number generator an unknown amount of times.
It's kind of like this dance with the guy. I didn't
want to just blatantly be like, hand me the keys to your whole server and how to break everything
on your server. But I also, you know, I wanted to break just these keys. So, I kind of did a
little dance with trying to get some, just enough information for me to try to figure it out myself.
I mean, he was very, very cooperative, but he was also, you know, rightly so like,
yeah, I can't give you the keys to everything.
Yeah.
So I just had to figure out a few variables and it took quite a while to figure out.
But I did end up figuring out a method of breaking the keys.
There was like two reasons I was really proud of that one.
One was just how much work I put into it.
And I actually, you know, found a way.
It was kind of inefficient looking back, but it worked.
Yeah.
For the folks who you're helping decrypt their files, they don't care.
They get their stuff back.
Exactly.
But the other part was actually the CERT for Poland, CERT.PL or whatever.
They had approached the same website owner and got the exact same information.
They probably subpoenaed it from him.
Right, right.
They got the same information I did, and they analyzed it,
and they deemed it not breakable.
Hmm.
They saw the flaw that I saw, but they thought it was not feasible,
I should say.
So I kind of had that little inner gloat when I was like,
well, I've broken like 100 keys of it.
Right, right. Oh yeah, watch this.
Yeah. So I was pretty proud of that one.
Yeah. Good for you. Good for you. Well, if folks want to follow your exploits,
follow your journey, how do we find you on YouTube?
On YouTube, my username is demonslay335, which is the same as my Twitter.
And the website is? Website is ID Ransomware, kind of has a long URL. It's id-ransomware.malwarehunterteam.com.
And really honestly, you can just Google ID ransomware and it's pretty popular.
Yeah. Let me ask you one more question, though. What are
your recommendations for folks who think this is something that they want to learn how to do?
What's the best way to get started? Honestly, I just kind of jumped into it is how I did it.
There are some resources out there. I can't think of anything specific, unfortunately,
but there's quite a bit of resources on, you know, general programming. If you want to get into reverse engineering, definitely having a core background
of some programming knowledge is key. And then, you know, just start looking into communities.
There's some free communities, like I want to say VirusBay, where you can download malicious
samples. They have some guides. There's a couple of other websites that have guides on how to make
a secure, like a virtual
environment for, you know, not getting yourself infected off the bat.
I do have on my channel more beginner videos specifically for ransomware.
I do, like I said, the first one is just literally me talking about my thought process of analyzing.
I kind of go into a bit of static analysis, just very on the surface, looking at the strings and looking at some of the import functions.
And then from there, my next videos in the series go into a little more in-depth of using a debugger, doing some decompiling, messing with a server, some different things, kind of baby steps.
Our thanks to Michael Gillespie from Emsisoft for joining us.
We'll have links to the ID Ransomware website and his YouTube channel in the show notes.
The Cyber Wire Research Saturday is proudly produced in Maryland out
of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Peru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening.