21

I'm talking about the most common varieties like Cryptolocker, Cryptowall, Torrentlocker, KeRanger, RSA4096, etc. (There is not necessarily a need to answer for all of these, one or two may do.) If the most widespread ones differ, answers can be divided into a section for each program or category.

Do they A: Create an encrypted copy of a file, then delete the original of that file, then go on to the next one, etc?

Or do they B: Create encrypted copies of all of your files in one bulk operation, and then do one large deleting operation at the very end?

When they delete, do they also overwrite the relevant sectors on the drive? (This takes time.) This, though, would be to thoroughly prevent any given file from being recoverable by software like Recuva and Photorec.

Since the ransomware wants to remain hidden until it is completely done with its work, it wants to be stealthy and give off as few signs as possible of its existence.

From the ransomware's author's point of view, the disadvantage of A would be that if the user tries to access their files during operation, they can notice that their files are gone (or corrupted, if the encrypted files simply replace the originals in the folder hierarchy.) This can mean the ransomware gets discovered or is not allowed to finish its job to demand a ransom.

B, on the other hand, gives the criminals the disadvantage that the original files all remain accessible until the very end. That means that if the user discovers the ransomware during its operation through some other tell, they can easily recover their data.

To repeat the question, how do the most widespread types of ransomware attempt to "solve" this "problem"?

Maybe its not such a big problem for them at all, since most people who get affected may not be alert enough to catch the ransomware mid operation (as in B), or know what do actually do if they notice their files are gone (as in A)?

Fiksdal
  • 3,097
  • 3
  • 18
  • 29
  • 3
    I think I would start with the largest files and then go down in file size. This way one has done the most damage in the shortest period of time. If the data is on an SSD, the attacker has a huge advantage: First one does not hear the disk being busy. Also one can use TRIM to discard huge amounts of data in no time. Modern CPUs can AES encrypt at a rate of like 5 GB/s (i7-3770K). Therefore you will not notice any CPU load but just the encryption. Either way, I am also curious for an answer to the actual question :-). – Martin Ueding Apr 21 '16 at 16:43
  • @MartinUeding Thanks for the info. Wow, is encryption really that fast? But even the read/write speed of SSD's is nowhere near that. How can you actually encrypt that fast, then? – Fiksdal Apr 21 '16 at 16:51
  • I just ran `openssl speed aes-256-cbc` and a couple other on my Intel i5-2520M machine. It tells me `69372.80k` per second for 16 Byte blocks. If I read that correctly, that is some 70 MB/s. Running `openssl speed -evp AES256` gives me `412209.98k` which I interpret as 412 MB/s. Those numbers match [those here](https://calomel.org/aesni_ssl_performance.html). The i7 is just around 1 GB/s. Perhaps the number I had in mind was given in Gbit/s, then. Either way, encryption is not noticeable any more. – Martin Ueding Apr 21 '16 at 17:11
  • I forgot to mention: That first run uses a software encryption, the second run uses the hardware instructions (AES-NI) for that. You can see that is *way* faster. – Martin Ueding Apr 21 '16 at 17:13
  • @MartinUeding I see. The one that is relevant to OP is software encryption, right? It sounds possible that the i7 may be able to do 1GB/s, but I guess only if the SSD can read/write fast enough. By noticeable, do you mean by sound or by other means? – Fiksdal Apr 21 '16 at 17:17
  • No, the hardware encryption is relevant! The attacker will use the AES-NI instructions of your modern CPU to encrypt the data without putting a lot of load onto the CPU. The bottleneck will be the disk, not the CPU. A disk bottleneck can have lots of causes, most people will assume it is some search indexing service, installation of updates or so. A high CPU load will increase the fan speed and become annoying quickly. On an SSD, you will probably not notice contention on the drive, the ransomware can do its evil with minimal impact on the system. – Martin Ueding Apr 21 '16 at 17:26
  • @MartinUeding I'm glad there are some benefits to my old, mechanical HDD. Anyway, are you saying the malware would intentionally only use a small part of your CPU, as to avoid getting detected? Would the process and its CPU usage show up in an app like Windows Task Manager? – Fiksdal Apr 21 '16 at 17:30
  • On Linux, the OpenSSL benchmark does show up in the task manager. So it does use the CPU. But if the CPU can process say 1 GB/s, the HDD limits that to 70 MB/s. Then you would have used 7% of one core, which is like 2% on a quadcore machine (usual these days). You will not notice that, really. – Martin Ueding Apr 21 '16 at 17:36
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/38695/discussion-between-fiksdal-and-martin-ueding). – Fiksdal Apr 21 '16 at 17:39
  • I think I remember reading that many encrypt-in-place - so it transparently decrypts the files that have already been encrypted, until it finishes encrypting. That's how I'd do it, at least. Avoid raising suspicions ("I can't open this file) or filling up the disk before completion. – SomeoneSomewhereSupportsMonica Apr 23 '16 at 15:22
  • @SomeoneSomewhere So, it means if you tried to access a file, it would decrypt it on the fly for you, allowing you to open it as if it was normal? – Fiksdal Apr 23 '16 at 15:24
  • @Fiksdal I think so. This is going from memory. Once it had finished encrypting all the files, I imagine it would delete the keys and scrub them, then put up all the 'your files are encrypted' windows. – SomeoneSomewhereSupportsMonica Apr 23 '16 at 15:25
  • @SomeoneSomewhere Right. If this was the case, couldn't that allow us to still recover all of our files? I mean, we could start copying all our files to an external media, and the ransomware would have to decrypt them for us. (It would then be using the CPU and disk read capabilities to decrypt for us, and that would force it to take a break from encrypting other files, right? I mean, provided the ransomware didn't have a countermeasure to this sort of "exploit" built in. – Fiksdal Apr 23 '16 at 15:30
  • @SomeoneSomewhere We could clone a disk image first, so that we had nothing to lose. Then, for all the files that were encrypted, we could let the ransomware decrypt them for us for free, by "accessing" (copying) them, lol. – Fiksdal Apr 23 '16 at 15:31
  • @Fiksdal Only if you found out the ransomware was on your computer before it finished encrypting. – SomeoneSomewhereSupportsMonica Apr 23 '16 at 15:31
  • @SomeoneSomewhere Yes, obviously. – Fiksdal Apr 23 '16 at 15:33
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/38783/discussion-between-fiksdal-and-someone-somewhere). – Fiksdal Apr 23 '16 at 15:33

2 Answers2

19

In addition to Angel's response, As seen in the popular ransomware variations that you mentioned, the encryption is done on a file by file basis where one file is encrypted and then the plain-text version of the file is removed, then the ransomware moves to the next file. It may start parallel threads to encrypt several files but the outcome is the same for our purpose. Let's see how it's done by eda2, Cryptowall and CTB-Locker.

eda2 (Opensourced ransomware)
Let's start with the opensourced ransomware namely eda2 while the author removed the code from github, what it did was like this:

    //Encrypts a file with AES algorithm
    public void EncryptFile(string file, string password)
    {
        byte[] bytesToBeEncrypted = File.ReadAllBytes(file);
        byte[] passwordBytes = Encoding.UTF8.GetBytes(password);

        // Hash the password with SHA256
        passwordBytes = SHA256.Create().ComputeHash(passwordBytes);

        byte[] bytesEncrypted = AES_Encrypt(bytesToBeEncrypted, passwordBytes);

        File.WriteAllBytes(file, bytesEncrypted);
        System.IO.File.Move(file, file + ".locked"); //new file extension
    }

It starts checking drives and directories recursively passing each file that matches its criteria (file extension is in its predefined list) to the EncryptFile method and the file is overwritten with encrypted version of it.


Cryptowall 4
Cryptowall 4 is analyzed by Cisco Talos and this diagram shows its encryption process:
               Cryptowall
There are separate threads run by this ransomware, one of them is "DoFilesEncryption" thread which does the encryption part.

After iterating through the folders and finding the files:

At this point the real file content encryption takes place, the original file is read in blocks that are 512 KByte chunks. Each block is encrypted with the generated key, using an AES-CBC 256 algorithm, and written directly to the new file (together with the block size in the first four bytes).

And the deletion is like this:

// Move the new encrypted file name in the old original position, replacing the old one

bRetVal = MoveFileEx(newEncFileName, lpOrgFileName,
MOVEFILE_WRITE_THROUGH | MOVEFILE_REPLACE_EXISTING);
if (!bRetVal)
// Delete the old file in the standard manner:
    DeleteFile(lpOrgFileName);
else {
    // Rename the original replaced file in the new random file name
    bRetVal = MoveFileEx(lpOrgFileName, newEncFileName, MOVEFILE_REPLACE_EXISTING);
}

CTB-Locker
As analyzed here and kinda same as Cryptowall, there's a thread responsible for encrypting files in which this routine takes place:

  • The file is moved to a temporary file (%TEMP%\<name>.tmp where <name> is determined by the corehash) using the MoveFileEx API call
  • The temporary file is read into memory
  • An asymmetric keypair and symmetric secret key are generated
  • The file buffer is compressed using the DEFLATE data compression algorithm from the zlib library (which is statically linked against the executable)
  • After compression the file buffer is encrypted using AES-256-ECB
  • A header consisting of the public key associated with this file and an encrypted infovector is prepended to the encrypted data
  • The header-prepended encrypted buffer is written to the temporary file
  • The temporary file is moved to overwrite the original file using the MoveFileEx API call with the original file getting a new extension (derived from the corehash) appended to it

Further Thoughts & Wrap Up
As discussed above, files are encrypted on the go and usually overwritten by their encrypted version. Now let's analyze this design. In my opinion, one by one encryption and replacement of files is a superior option.

  • Encrypting files one by one is easy to implement
  • If the ransomware is stopped midway through operation there's still a chance that some vital files are encrypted and victim is willing to pay
  • Extra disk space & complex file removal is needed for bulk encryption and then bulk deletion of files

Remaining silent and hidden is one of ransomware's concerns, one other concern is that they have to be fast. They also have to be simple so the executable is as small as possible.
They target unprotected systems, exploit kits used by these malwares target vulnerabilities in applications like Flash, they also make profit from victims that don't have a back up of their data so usually they don't have to deal with hardened and super secured systems. They simply target unprotected not backed up users. They don't have to be bullet proof to be profitable, they just have to be good enough so sometimes they don't have the best implementation possible.

Now in order to deal with performance issues when encrypting large files, one technique I've seen ransomwares using is encrypting only the first n-bytes of the files. This is usually enough to corrupt most of the files and is much faster than encrypting the whole file. Unfortunately I couldn't find the name of the specific ransomware which used this technique at this very moment.

Catching a Ransomware Mid-operation
Refer to What should you do if you catch encryption ransomware mid-operation? for a background, catching a ransomware mid-operation doesn't necessarily allow you to fully stop it or get all your files back.

Ransomwares don't encrypt your whole filesystem, they usually leave executables intact, so the victim has to open up an image, a document or something of that kind to notice there's something wrong.
Even for a computer savvy person who hasn't done some research on ransomwares it may not be clear what's going on, there could be a handful of reasons why a document is corrupted or isn't opening up (Some ransomwares don't change the files' extensions). Adding this to the probability of someone actually noticing that a ransomware is encrypting their files this doesn't seem to be a major concern.

Even if it was a major concern, instead of bulk encryption/deletion, the malware could monitor users activity while staying hidden doing no encryption and once it finds out that the user's inactive/afk it can start the encryption process.

Ferrybig
  • 262
  • 3
  • 10
Silverfox
  • 3,377
  • 2
  • 19
  • 39
  • 1
    This is exactly the kind of answer I was looking for. Now, if the victim, during operation, tries to open an already encrypted file, he/she won't be able to. Some victims may then realize what's going on. But that may not be a very big contingency for the criminals? – Fiksdal Apr 28 '16 at 04:37
  • 1
    @fiksdal I'll add answer to this question in my post. – Silverfox Apr 28 '16 at 05:12
11

They will mostly be file-by-file. Thus, if you are “lucky”, you may find yourself with only some folders infected. There are several reasons for this:

  • Easy to code. Just iterate through every file repeating an encryption routine.

  • Suitable for external programs. Sometimes the ransomware is using a third-party program that works on files for performing the encryption.

  • No full-disk issues. Option B would require at least a 50% free hard-disk. How many of you have that space free?

  • Even if you spotted the ransomware mid-operation, with option A there's a chance that some very important files were encrypted and you would still pay. If the original files were only deleted at the end, that would never happen.

But perhaps most importantly, it allows them to overwrite in place the files.

Which is important both for anti-forensic and «encryption optimizations».

Instead of copying a 100 MB file, they could eg. open the file, encrypt the first 1 MB and save it to the same location in disk (perhaps appending some ransomware-specific data, too). The user is left with a 100 MB ‘encrypted’ file that the original application is unable to open, but only ~2 MB of I/O transfer were needed.

And when you are attempting to make every document in the disk unavailable, that really matters.

Ángel
  • 18,188
  • 3
  • 26
  • 63
  • 1
    What happens if, mid operation, the victim tries to access one of the files that have already been encrypted? – Fiksdal Apr 26 '16 at 03:57
  • 1
    @Fiksdal, it will fail. A ransomware decrypting the files being read on-the-fly while the encryption is going on is extremely rare. – Ángel Apr 26 '16 at 22:38