How WannaCry encrypts your files

“Ransomware is not only about weaponizing encryption, it's more about bridging the fractures in the mind with a weaponized message that demands a response from the victim.” ― James Scott

Today we are going to talk about how WannaCry's encryption works. The WannaCry ransomware attack happened in May 2017 and targeted computers running the Microsoft Windows operating system, encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.

This will be a brief overview of how encryption works in general, and we will build on it to get to WannaCry's scheme.

There are mainly two types of encryption: symmetric and asymmetric encryption.

Suppose we have a plaintext that we want to encrypt. With symmetric encryption we encrypt it with a key, let's say Kf. After encrypting the file we can send it to anyone, but nobody can read it without knowing how to decrypt it: to decrypt it they need the same Kf that was used for encryption. The key therefore has to be sent over a secure channel, so that nobody other than the intended recipient gets hold of it. The recipient then takes Kf and decrypts the file. Symmetric encryption uses the same key for encryption and decryption.

This method is much faster than asymmetric encryption, but it has a problem. Imagine Bob and Alice want to share a secret. Bob encrypts the secret with Kf and sends it to Alice, but a third person, Nad, is sitting in the middle of the communication and can read everything that is transferred to Alice. Nad listens to the communication and also captures the Kf that Bob sends to Alice for decryption. Nad then uses that Kf to decrypt a secret he was not supposed to read. That is a big problem, and it is where asymmetric encryption comes into play.

This works with two keys: one is called the private key and the other the public key.

Imagine Bob is the sender and Alice is the receiver. Bob wants to send a secret to Alice, but this time he will use asymmetric encryption. Before they send anything, each of them generates a key pair. Let's say Bob's keys are Bpub (public) and Bpriv (private), and Alice's are Apub (public) and Apriv (private). Alice sends Bob her public key Apub and Bob sends Alice his public key Bpub. The secret is then encrypted with Apub and can only be decrypted with Apriv, which is Alice's private key.

This overcomes the problem of someone sitting in the middle of the communication: even if Nad has the encrypted message and Alice's public key, he cannot decrypt the message, because he does not have Alice's private key Apriv, which is never shared. There is a lot more complexity involved in asymmetric cryptography, but for now just remember that data encrypted with a public key can only be decrypted with the matching private key.

In its early days ransomware used symmetric encryption to encrypt files. It is fast, but it uses the same key for encryption and decryption, and sometimes that key was hard-coded in the ransomware. Anyone who reverse engineered the binary could find the symmetric key and decrypt all the files without paying the ransom.

So ransomware authors moved to asymmetric encryption, which is a lot slower than symmetric encryption and is not a practical way to encrypt thousands of files. There is another problem: the ransomware generates a key pair, one public and one private, and encrypts the files with the public key. But what if the victim's machine is not connected to the internet when the malware runs? The private key cannot be sent to the attacker or the command and control server, so it is either lost, or it stays on the victim's computer, where it can be recovered by reverse engineering and the files decrypted easily.

WannaCry uses hybrid encryption, a mix of symmetric and asymmetric encryption. When the ransomware is built, a key pair is generated for the command and control server, i.e. the attacker; let's say Spub and Spriv. The private key Spriv stays with the attacker and the public key Spub is embedded in the ransomware. When someone runs the ransomware, it generates another key pair, Cpub and Cpriv, for the client. The first thing the ransomware does is encrypt the client's private key Cpriv with the attacker's public key Spub: Spub{Cpriv}.

Then a symmetric key Kf encrypts the files, and the key itself is encrypted with the client's public key Cpub: Cpub{Kf}. (In WannaCry itself a fresh AES key is generated for every file, and each encrypted file carries its own Cpub-encrypted copy of that key in its header, but the chain of keys is the same.)

Now let's say we want to decrypt a file secret.txt. We know it is encrypted with Kf, but we can't get Kf because it is encrypted with the client's public key Cpub. We need Cpriv to decrypt Kf, but the client's private key is itself encrypted with the server's public key Spub. To decrypt Cpriv we need the server's private key Spriv, which we don't have because it is with the attacker. At this point we can't do anything, because data encrypted with a public key can only be decrypted with the matching private key.

So to decrypt our file secret.txt we need the server's private key Spriv, which decrypts the client's private key Cpriv; Cpriv decrypts the symmetric key Kf; and Kf decrypts secret.txt.
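The whole chain, from the symmetric and asymmetric primitives of the earlier section to the Spriv -> Cpriv -> Kf -> file unwinding described above, as an added example written for this page. It is not WannaCry's code and not a decryptor for it: to stay runnable with the Python standard library alone, textbook RSA (no padding) stands in for RSA-2048 and a SHA-256 counter-mode stream cipher stands in for AES-128-CBC. The key sizes, the function names infect() and recover(), the 40-byte Cpriv encoding and the sample file contents are all assumptions made for the example.

```python
"""Hybrid-encryption key chain (Spriv -> Cpriv -> Kf -> file), stdlib only."""
import hashlib
import random
import secrets

_rng = random.SystemRandom()


# --- textbook RSA (no padding; a stand-in for the RSA-2048 WannaCry uses) ---
def _is_probable_prime(n, rounds=20):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(prime_bits):
    """Return ((e, n), (d, n)) built from two fresh primes of prime_bits bits."""
    e = 65537
    while True:
        p, q = _gen_prime(prime_bits), _gen_prime(prime_bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_encrypt(pub, m):
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def rsa_decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)


# --- symmetric part: SHA-256 counter-mode stream cipher standing in for AES ---
def _keystream(kf, length):
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(kf + counter.to_bytes(8, "big")).digest()
    return bytes(out[:length])

def sym_encrypt(kf, data):
    # XOR is its own inverse, so this also decrypts. There is no nonce, so a
    # key must be used for exactly one file, which infect() guarantees.
    return bytes(a ^ b for a, b in zip(data, _keystream(kf, len(data))))

sym_decrypt = sym_encrypt

CLIENT_PRIME_BITS = 80   # Cpub/Cpriv: n >= 2**158, room for a 128-bit Kf (assumed size)
SERVER_PRIME_BITS = 192  # Spub/Spriv: n >= 2**382, room for the 40-byte Cpriv blob


def infect(spub, files):
    """Victim side: return Spub{Cpriv} plus (Cpub{Kf}, Kf{data}) for every file."""
    cpub, cpriv = rsa_keygen(CLIENT_PRIME_BITS)
    d, n = cpriv
    cpriv_blob = d.to_bytes(20, "big") + n.to_bytes(20, "big")
    enc_cpriv = rsa_encrypt(spub, int.from_bytes(cpriv_blob, "big"))
    locked = {}
    for name, data in files.items():
        kf = secrets.token_bytes(16)  # fresh 128-bit key per file, as WannaCry does
        enc_kf = rsa_encrypt(cpub, int.from_bytes(kf, "big"))
        locked[name] = (enc_kf, sym_encrypt(kf, data))
    return enc_cpriv, locked  # cpriv and every kf are now gone from the victim

def recover(spriv, enc_cpriv, locked):
    """Attacker side (or victim after paying): unwind the chain with Spriv."""
    blob = rsa_decrypt(spriv, enc_cpriv).to_bytes(40, "big")          # Spriv -> Cpriv
    cpriv = (int.from_bytes(blob[:20], "big"), int.from_bytes(blob[20:], "big"))
    files = {}
    for name, (enc_kf, ct) in locked.items():
        kf = rsa_decrypt(cpriv, enc_kf).to_bytes(16, "big")            # Cpriv -> Kf
        files[name] = sym_decrypt(kf, ct)                              # Kf -> data
    return files


if __name__ == "__main__":
    spub, spriv = rsa_keygen(SERVER_PRIME_BITS)  # done when the malware is built
    enc_cpriv, locked = infect(spub, {"secret.txt": b"the plaintext"})  # constructed sample
    print(recover(spriv, enc_cpriv, locked))  # {'secret.txt': b'the plaintext'}
```

recover() is the paragraph above turned into three calls: Spriv unlocks Cpriv, Cpriv unlocks each file's Kf, Kf unlocks the file. Everything infect() leaves behind on the victim (Spub{Cpriv} and the per-file Cpub{Kf}) is useless without Spriv, which never existed on that machine; that is the property the hybrid design buys, while the bulk encryption still runs at symmetric-cipher speed.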

RSA is the asymmetric algorithm and AES the symmetric algorithm used by WannaCry: RSA-2048 for the key pairs and AES-128 in CBC mode for the files.

This is an overview of how the WannaCry encryption scheme works. For more information on the encryption mentioned here you can read

The only way to decrypt your files without Spriv is if someone can grab Kf (or the still-unencrypted Cpriv) from the machine's memory while the ransomware is running, before it is wiped; then no private key is needed. In real life that is rarely possible.

This blog is inspired by this video

Hope you guys liked it