Over this past weekend, I was catching up on my RSS feeds when I saw a number of articles like this one over at Ars Technica talking about a new piece of ransomware. Ransomware itself isn't new. It's a type of malware that encrypts the files on a computer and demands payment in exchange for the key needed to decrypt them.
In general, ransomware has affected Windows platforms and has been focused on extorting money from end-users. The fact that Windows is targeted shouldn't be a surprise. It is where the client PC market share is, and a very large portion of that user base is not conversant in computer security. That said, there were two things about this current ransomware, dubbed Linux.Encoder.1, that are novel:
- It targets Linux systems
- It targets hosting services and not end users.
The former is interesting for a few reasons. First, Linux is only rarely targeted by malware. There have historically been richer markets for malware authors to go after, ones that better fit their business models. (Yes, purveyors of malware have business models.) However, Linux usage has been growing dramatically through the proliferation of Android, the growth of IoT, and the continued growth of the data center and the cloud.
Now to the second bullet above. Ransomware has generally targeted end-users for financial gain. This new malware shows a shift from extorting end-users to extorting service providers. It's one thing as an end-user when you see a warning come up telling you to pay someone because they've locked away your data. It's another when you're a service provider and you see something similar that says they've locked away the data of your customers! The business model of going after the service provider already exists in the form of extortion backed by Denial of Service attacks, but the move to doing this via ransomware is something that service providers need to pay attention to.
This brings me to this article from Bitdefender that gave me a belly laugh. The engineers at Bitdefender reverse engineered Linux.Encoder.1 and found that although the ransomware does encrypt content in the filesystem, it falls prey to the one issue that always makes cryptography hard in practice: generating and managing the key.
In this particular case, the malware used the standard libc rand() function, which is a deterministic pseudo-random number generator and not a cryptographic one, to generate the AES key. It seeded rand() with the system time at the moment of encryption. Unfortunately for the authors, that same time is recorded by the filesystem as the modification timestamp of the encrypted file it writes out. The folks at Bitdefender realized that to decrypt all of the ransomed contents, they just needed to read the timestamp of each encrypted file, use it to seed rand(), and pull the same sequence of values out of the generator; that gave them the very key that was used to encrypt the contents. At that point you can simply use the key to decrypt the ransomed content. Indeed, Bitdefender has been kind enough to post a script in their repositories that will automatically do this for you.
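The following is an added example, not Bitdefender's script and not the malware's code, that reproduces the flaw in miniature: a key derived from rand() seeded with the clock, a file written with that key, and then recovery using nothing but the file's mtime. Everything specific in it is an assumption for illustration: the key is built from the low byte of sixteen rand() calls, a repeating-key XOR stands in for AES (the weakness is in the key, so the cipher does not matter), a few seconds of slack between the seed and the write are tried, and a candidate key is accepted when the decrypted bytes begin with a known file magic.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/stat.h>

#define KEY_LEN 16  /* 128-bit key, the size an AES-128 key would be */

/* The flawed derivation: seed libc rand() with the clock and take the key
 * bytes from its output. rand() is deterministic, so the same seed always
 * yields the same key. (The exact byte layout is this example's assumption.) */
static void derive_key(time_t seed, unsigned char key[KEY_LEN])
{
    srand((unsigned)seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (unsigned char)(rand() & 0xff);
}

/* Stand-in cipher: repeating-key XOR. The real malware used AES, but any
 * symmetric cipher fails the same way once the key is predictable. */
static void xor_crypt(unsigned char *buf, size_t len, const unsigned char key[KEY_LEN])
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % KEY_LEN];
}

/* "Ransom" a file: derive the key from the current time and write the
 * ciphertext. The write stamps the file with an mtime that matches the seed. */
int ransom_file(const char *path, const unsigned char *plain, size_t len)
{
    unsigned char key[KEY_LEN];
    unsigned char *buf = malloc(len);
    if (!buf) return 0;
    derive_key(time(NULL), key);
    memcpy(buf, plain, len);
    xor_crypt(buf, len, key);
    FILE *f = fopen(path, "wb");
    if (!f) { free(buf); return 0; }
    size_t n = fwrite(buf, 1, len, f);
    fclose(f);
    free(buf);
    return n == len;
}

/* Recovery: read the encrypted file's mtime, use it (minus a few seconds of
 * slack, since the write happens after time() was sampled) as the seed,
 * regenerate the key and decrypt. A candidate is accepted when the plaintext
 * starts with a known magic; that acceptance test is an assumption here. */
int recover_file(const char *path, unsigned char *out, size_t len,
                 const unsigned char *magic, size_t magic_len)
{
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    unsigned char *cipher = malloc(len);
    if (!cipher) { fclose(f); return 0; }
    size_t n = fread(cipher, 1, len, f);
    fclose(f);
    if (n != len) { free(cipher); return 0; }
    for (int delta = -5; delta <= 0; delta++) {
        unsigned char key[KEY_LEN];
        derive_key(st.st_mtime + delta, key);
        memcpy(out, cipher, len);
        xor_crypt(out, len, key);
        if (len >= magic_len && memcmp(out, magic, magic_len) == 0) {
            free(cipher);
            return 1;
        }
    }
    free(cipher);
    return 0;
}

/* End-to-end run on a constructed sample file. Returns 1 when the ransomed
 * file is recovered from its mtime alone. */
int run_demo(void)
{
    static const unsigned char plain[] = "%PDF-1.4 customer records, quarter 3"; /* constructed */
    unsigned char out[sizeof plain];
    char path[] = "/tmp/encoder_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    close(fd);
    int ok = ransom_file(path, plain, sizeof plain)
          && recover_file(path, out, sizeof plain, (const unsigned char *)"%PDF-", 5)
          && memcmp(out, plain, sizeof plain) == 0;
    unlink(path);
    return ok;
}

int main(void)
{
    printf("%s\n", run_demo() ? "recovered from mtime" : "recovery failed");
    return 0;
}
```

The point to notice is that recover_file never sees the key: it reconstructs it from metadata the filesystem keeps for free, because the only secret input to derive_key was the time of day.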
There are many times where I see a product claim that it is secure because it utilizes encryption. Encryption by itself gives you absolutely no security if others can find or figure out your encryption key. A key has to come from a cryptographically secure random source, such as the operating system's random number generator, never from a general-purpose PRNG like rand() seeded with something an attacker can observe or guess, such as the clock. Even the people who should get it right don't always do so, as this case shows.
The post Crypto Is Hard! Even Malware Developers Get It Wrong appeared first on Intel Software and Services.