# How Wanna-cry encrypts your files

*“Ransomware is not only about weaponizing encryption, its more about bridging the fractures in the mind with a weaponized message that demands a response from the victim.” ― James Scot*

Today we are gonna talk about how wanna cry encryption work. The wanna cry ransomware attack happened in May 2017 which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.

This will be a brief overview of how encryption works in general and will build up on it

There are mainly two types of encryption — **Symmetric and Asymmetric encryption**

**Symmetric Encryption**

So here as we can see we have a plaintext which we want to encrypt. So using symmetric key encryption we can encrypt our plaintext with a key lets say **Kf. **So after encrypting the files we can send this to anyone but no one can read it because they don’t know how to decrypt it. So now if they want to decrypt that text they need the **Kf** key which is used to encrypt the message. The key should be send in a secure channel so that no one other than the person supposed to decrypt it can’t have it. So the other person will get the** Kf** and decrypt the file. So Symmetric encryption will use the same key for encryption and decryption.

This method is faster as compared to Asymmetric encryption. But here lies a problem. Imagine Bob and Alice wants to share a secret. So Bob encrypts the secret with Kf and send it to Alice but what if a third person Nad is sitting in the middle of the communication and he can read all the encrypted files that is been transferred to Alice. So Nad will listen to the communication and also have the Kf which Bob send to Alice to decrypt. So Nad will take that Kf and decrypt the secret that he was not supposed to read, that is a big problem. This is where Asymmetric key encryption comes to play

## Asymmetric Encryption

This works with two keys. One is called is private key and other in public key.

Imagine Bob is the sender and Alice is the receiver. So Bob wants to send a secret to Alice but now Bob will use Asymmetric encryption. So now when they wants to send something they both will generate a key pair each. Lets say Bob Keys are** Bpub** for public key and **Bpriv** for private key and Alice has **Apub** and **Apriv** for public and private key. So now Alice will send Bob her public key **Apub** and Bob will send his public key to Alice. So now the secret will be encrypted with** Apub** and can only be decrypted with **Apriv** which is Alice public key.

This overcome the problem of someone sitting in between the communication because if Nad have the encrypted message and Alice Public key but he can decrypt the message because he don’t have Alice private key **Apriv** which is never been shared. Their is a lot more complexity involved in asymmetric cryptography but for now only remember data encrypted with public key will only be decrypted using private key

## How ransomware encrypts the files

So in the early stages a ransomware was using symmetric key encryption for encrypting files. So now the problem is even though it is faster but it uses same key for encryption and decryption. Sometimes it is hard coded in the ransomware so if someone reverse engineers it they will find the symmetric key and will decrypt all the files without paying the ransom.

So they started using asymmetric key encryption which a lot slower than symmetric key which is not a robust solution for encrypting 1000 of files. Another problem is that the ransomware will create two keys one public and one private so the files will be encrypted with the public key but what if the client is not connected to internet at the time of running the malware, the private key cannot be send to attacker or the command and control server, so the private key may be lost or it can present the client computer which can be reverse engineered and can be decrypted easily

## How Wanna Cry overcome this problem

WannaCry uses hybrid encryption which is a mix of symmetric and asymmetric encryption. When the ransomware is created it will generate a key pair for the command and control server or the attacker. Lets say **Spub **and **Spriv** are the keys. So the private key will be with the attacker and the **Spub **key will be shared with the ransomware. So when someone opens the ransomware file it will again generate a key pair lets say** Cpub** and **Cpriv** for client and a symmetric key **Kf**. The first thing the ransomware will do is encrypt the Cpriv key with the Spub or the attacker public key. **Spub{Cpriv}**

Now the symmetric key Kf will encrypt all the files and after that the key itself will be encrypted by the Client public key or Cpub . **Cpub{Kf}**

So now lets say we want to decrypt a file secrets.txt. We know that it is encrypted with **Kf** but we can’t get **Kf** because it is encrypted with the Client’s Public key **Cpub**. We need** Cpriv** to decrypt the **Kf** but we can’t do that because Client’s private key is encrypted with the Server Public key **Spub**. To decrypt the** Cpriv** we need the Private key of the server which we don’t have because it is with the attacker. At this point of time we can’t do anything because remember **data encrypted with public key will only be decrypted using private key.**

So for decrypting our file secret.txt we will need the Server Private key Spriv which will decrypt Client’s private key Cpriv and Cpriv will decrypt the symmetric key Kf and Kf will be used to decrypt the file secret.txt

The RSA mentioned in the picture is a type of Asymmetric encryption and AES is the symmetric encryption used by the WannaCry Ransomware

This is a overview of how wanna cry encryption algorithm works. For more information on the encryption mention you can read

The only way to decrypt your files if someone can get Kf while Kf is encrypting the file. In that way they will no longer need any private keys for decrypting but in real life that’s not the case.

This Blog is inspired from this video

Hope you guys liked it