A brief summary of encryption method used in widespread ransomware
Try to describe encryption method in such a simple way that everyone can understand it easily.
1.1 Ransomware
Ransomware is a kind of computer malware that kidnaps personal files, makes them inaccessible, and demands a ransom payment to restore them. In the most ransomware, personal files which are the target of ransomware include documents, databases, source codes, pictures, videos, etc., and Bitcoin is often used as ransom currency.
The first kind of ransomware is found in 1989, and ransomware seems to blowout since 2012. Until now, millions of people have become victims of ransomware, which makes ransomware even more rampant.
1.2 Content
Because ransomware has already disturbed our daily lives, we decide to write something for both nontechnicians and technicians. We have summarized our work on ransomware and chosen 10 ransomware which we are going to discuss in Section 2.
By this paper, one can understand the basic idea of how ransomware work, and what exact algorithms used to encrypt victim’s personal files. Moreover, we sincerely hope that this paper can do some help for the ones who want to have a further analysis on ransomware.
Moreover, it should be noticed that we only focus our discussion on encryption method and decryption method, something else, such as packing, antisandbox, elevation of privilege, DLL injection, are not in consideration.
At last, due to the limited level of the author, anything inappropriate in the paper, awaits correction by the knowledgeable.
1.3 Organization
This paper is organized as follows. In Section 1, we introduce ransomware and the content of this paper. Anybody who wants to read this paper can decide whether it is helpful from this section. The encryption procedure of each ransomware is discussed one by one in Section 2. In Section 3, we are going to talk about the vulnerabilities existing in ransomware that cause some ransomware get cracked. However, there is much more ransomware which cannot get cracked. Moreover, finally, we conclude our paper with the development trend of ransomware, and some advice to protect ourselves in section 4.
2. Sample analysis
There are 10 kinds of representative ransomware arranged in alphabetical order in this section, and let’s begin to take a look at the encryption method used in that ransomware one by one.
It should be noticed that to help everyone understand the encryption method below; we tend to make our discussion in a comprehensible but unscientific way, which means it might be a little different from what happens in the ransomware and what we describe in the paper, but the main idea must be correct. Besides, all hash algorithms are ignored, because they will impose an extra burden to catch on that ransomware.
2.1 Apocalypse
2.1.1 Introduction of apocalypse
Apocalypse ransomware was found in June 2016, and it has been completely defeated just before it got widely spread. However, we still want to talk about this ransomware, because Apocalypse ransomware can represent a kind of ransomware which uses a customdesigned encryption algorithm, instead of the standard encryption algorithm.
When infected by Apocalypse ransomware, victim’s personal file gets encrypted and looks like this:
As figure shows, all the personal file get encrypted with an extension ‘.encrypted.’ moreover, the corresponding payment note is generated with a similar file name for each encrypted file.
2.1.2 Encryption procedure of apocalypse
Different from the other ransomware discussed later, Apocalypse ransomware uses a customdesigned encryption algorithm, and the key is also stored in the ransomware:
In the figure, the key of their algorithm is stored in register DL, and register CL is a counter. When encryption process is finished, the cipher text will overwrite the plain text and the ‘.encrypted.’ the extension is added.
2.1.3 Decryption procedure of apocalypse
Since this customdesigned encryption algorithm belongs to the class of symmetrickey algorithm, it is not difficult to find out the decryption algorithm. We can decrypt the infected file by the encryption algorithm with the same key.
More details of the symmetrickey algorithm can be found on the wiki:
https://en.wikipedia.org/wiki/Symmetrickey_algorithm
2.2 Cerber
2.2.1 Introduction of cerber
Cerber ransomware was first released in March 2016, and until now (2016.9), the second version of Cerber has been detected. In this subsection, we will talk about the origin version of Cerber ransomware, which leaves the victim files with an extension ‘.cerber.’
Victim’s personal file encrypted by Cerber ransomware will look like this:
In the above figure, “# DECRYPT MY FILES #.txt,” “# DECRYPT MY FILES #.html” and “# DECRYPT MY FILES #.vbs” are payment note generated by Cerber ransomware. It is also easy to distinguish Cerber from other ransomware by the extension of encrypted file.
2.2.2 Encryption procedure of cerber
The encryption algorithms adopted in Cerber ransomware are RSA and RC4. The detail descriptions of RSA and RC4 can be found on the wiki:
RSA: https://en.wikipedia.org/wiki/RSA_(cryptosystem)
RC4: https://en.wikipedia.org/wiki/RC4
Compared with ransomware discussed in 2.1, Cerber is much more complex and rigorous. To make it easy to understand, we would like to talk about the main idea of encryption procedure in Cerber, which is simplified from the real Cerber ransomware and much more understandable.
Cerber ransomware has adopted a threelevel encryption algorithm. The first step is to encrypt a randomly generated RSA key by RSA algorithm with the builtin RSA key. The second step is to encrypt a randomly generated RC4 key by RSA algorithm with the randomlygenerated RSA key. Moreover, the third step is to encrypt victim’s personal file by an RC4 algorithm with the randomlygenerated RC4 key.
For each Cerber sample, a configuration file is encrypted and stored in resource segment. After it gets decrypted, a builtin RSA public key encoded by base64 will be found:
For each victim’s personal file, a unique RC4 key is generated, and then the file is encrypted by RC4 with that key, RC4 algorithm is shown below:
However, it should be noticed that Cerber ransomware will encrypt only some parts of victim’s personal file, not the whole file. Moreover, some necessary information which is needed in decryption procedure is also organized and stored in the encrypted file.
2.2.3 Decryption procedure of cerber
It won’t be difficult to find out the decryption procedure of Cerber ransomware if you understand what we are talking about in 2.2.2. There is no way to get global RSA private key unless the author of Cerber releases them. So, to decrypt the file, the first step is to fetch the randomlygenerated RSA private key from C&C server, and then decrypt the randomlygenerated RC4 key, and finally decrypt the file with RC4.
2.3 CryptoWall
2.3.1 Introduction of cryptowall
CryptoWall ransomware was detected at 2014, and up to now, the fourth version of CryptoWall has been released. In this subsection, we will talk about the third version of CryptoWall.
When infected by CryptoWall, victim’s personal file gets encrypted and looks like this:
In the above figure, the file extension is randomlygenerated 3 characters. “HELP_DECRYPT.HTML,” “HELP_DECRYPT.PNG” and “HELP_DECRYPT.TXT” are payment note generated by CryptoWall.
2.3.2 Encryption procedure of cryptoWall
CryptoWall ransomware adopts RSA and AES algorithm in encryption procedure. More detail descriptions of AES can be found on the wiki:
AES: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
The implementation of RSA and AES is depended on CryptoAPI which is included in Microsoft Windows operating systems. The details can be found on the wiki:
CryptoAPI : https://en.wikipedia.org/wiki/Microsoft_CryptoAPI
CryptoWall ransomware needs to apply for an RSA public key from its C&C server, so that if CryptoWall fails to connect to its C&C server, it won’t encrypt any file. After that, a randomly generated AES key is encrypted by RSA algorithm,
Next, victim’s personal file is encrypted by AES with the key generated in the previous step:
Finally, the ciphertext with some necessary information will overwrite the origin file.
2.3.3 Decryption procedure of cryptowall
The decryption procedure of CryptoWall is almost the same as its encryption procedure. First, to get back the RSA private key from C&C server; Second, to decrypt the randomly generated AES key by that RSA private key; And last, to decrypt victim’s personal file by that AES key.
2.4 CTB_Locker
2.4.1 Introduction of CTB_Locker
CTB_Locker is also an old ransomware brand which got spread at 2014, but this ransomware replaces RSA algorithm with a more sophisticated algorithm. Victim’s file encrypted by CTB_Locker ransomware will get a randomlygenerated 7 characters extension:
In the above figure, the first 2 files are payment note generated by CTB_Lokcer automatically.
2.4.2 Encryption procedure of CTB_Locker
CTB_Locker is also very complex and rigorous. Just like what we say in 2.2.2, we tend to discuss about CTB_Lokcer in a more casual way, and all hash algorithm is ignored.
AES algorithm and ECDH algorithm are adopted in CTB_Locker ransomware. The elliptic curve used in ECDH is curve25519. More detail descriptions of ECDH and curve25519 can be found on the wiki:
ECDH: https://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman
Curve25519: https://en.wikipedia.org/wiki/Curve25519
ECDH algorithm is an anonymous key agreement protocol. If you find it hard to understand, you can treat ECDH algorithm as RSA algorithm, and by this way, it becomes much easy.
A threelevel encryption procedure is adopted in CTB_Locker ransomware. The first step is to encode a randomlygenerated ECDH key by the builtin ECDH public key (we use the word ‘encode,’ because ECDH is a key agreement protocol, not encryption algorithm):
In the above picture, ‘PblKey’ is randomly generated ECDH key. The second step is to encode a randomly generated AES key by that randomlygenerated ECDH key.
Moreover, the third step is to encrypt victim’s personal file by AES algorithm with that randomlygenerated key.
Finally, the ciphertext and some necessary information which is needed in the decryption procedure will overwrite the origin file.
2.4.3 Decryption procedure of CTB_Locker
Since we can’t get the private ECDH key corresponding to the builtin public ECDH key, the whole decryption procedure of CTB_Locker contains 2 steps: we first decode AES key with the randomlygenerated ECDH private key fetched from C&C server and then decrypt victim’s personal file with that AES key.
2.5 Jigsaw
2.5.1 Introduction of Jigsaw
Jigsaw ransomware was first released at around April 2016, and up to now (2016.9), the second version of Jigsaw has been found. Jigsaw is a kind of ransomware that runs in .net framework. More detail descriptions of the .net framework can be found on the wiki:
.net framework: https://en.wikipedia.org/wiki/.NET_Framework
In this subsection, we will talk about the origin version of Jigsaw. Victim’s personal file that encrypted by Jigsaw ransomware will end up with the ‘.fun.’ extension:
Besides, Jigsaw ransomware has been completely defeated soon after its release, and then an updated version of Jigsaw ransomware has been produced.
2.5.2 Encryption procedure of Jigsaw
Jigsaw ransomware adopts AES algorithm in its encryption procedure. The key and iv of AES algorithm can be found in Jigsaw sample:
Moreover, the encryption process is also very clear (No wonder it has been defeated):
Finally, the ‘.fun.’ the extension is added, and encryption procedure is finished.
2.5.3 Decryption procedure of Jigsaw
All we need to do is to decrypt the victim’s personal file by AES algorithm with the same key and iv. In fact, the decryption procedure can also be found in Jigsaw ransomware sample.
2.6 Locky
2.6.1 Introduction of Locky
Locky is another ransomware that needs to apply for an RSA public from its C&C server, and the first Locky sample is found around February 2016. If Locky fails ransomware to connect to its C&C server, nothing will get encrypted.
Victim’s personal file that encrypted by Jigsaw ransomware will end up with the ‘.locky’ extension:
In the above figure, “_HELP_instructions.bmp” and “_HELP_instructions.html” are payment node generated by Locky automatically.
2.6.2 Encryption procedure of Locky
Locky ransomware adopts RSA algorithm and AES algorithm in its encryption procedure, but the implementations of both algorithms are different among different versions of Locky.
In the Locky sample that we are going to talk about, RSA algorithm is implemented by CryptoAPI, the same as CryptoWall discussed in 2.3.2.
RSA algorithm is used to encrypt the randomly generated AES key, and RSA public key is fetched from Locky C&C server. The randomly generated AES key is used to encrypt victim’s personal file. Moreover, the AES algorithm is implemented by AES instruction set, including ‘aesenc’ and so on:
More detail descriptions of AES instruction set be found on the wiki:
AES instruction set: https://en.wikipedia.org/wiki/AES_instruction_set
When encryption process is finished, the cipher text with some necessary information will overwrite the origin file.
2.6.3 Decryption procedure of Locky
The Decryption procedure of Locky is similar to CryptoWall in 2.3.3. First, fetch RSA private key from C&C and decrypt AES key. Second, decrypt victim’s personal file with that AES key and extra information stored in encrypted file.
2.7 Petya
2.7.1 Introduction of Petya
Petya Ransomware is a special ransomware that was found in March 2016. Compare with other ransomware; Petya ransomware is totally different. From one hand, Petya ransomware will overwrite the bootstrap code in master boot record (MBR), and stop the normal initialization of Windows; From the other hand, Petya ransomware will encrypt NTFS master file table (MFT), instead of each victim’s personal file.
The detail descriptions of MRB and NTFS MFT be found on the wiki:
MBR: https://en.wikipedia.org/wiki/Master_boot_record
NTFS MFT: https://en.wikipedia.org/wiki/NTFS#Internals
When infected by Petya ransomware, the computer will stop booting and show this screen:
In the above figure, all the payment notes are written in white character on the blood red background.
2.7.2 Encryption procedure of Petya
The encryption procedure of Petya ransomware is not complex, and we can find ECDH algorithm and SALSA20 algorithm are adopted in Petya. The elliptic curve used in ECDH is secp192k1. More detail descriptions of SALSA20 and secp192k1 be found on the wiki:
SALSA20: https://en.wikipedia.org/wiki/Salsa20
Secp192k1: wiki doesn’t have any relevant article!
Since ECDH algorithm is a little complicated to understand, as we explained in 2.4.2, so we treat ECDH algorithm as RSA algorithm, which makes it much clearer.
The first step is to encode randomlygenerated SALSA20 key by ECDH algorithm:
Moreover, SALSA20 algorithm is launched in the second step which fully runs in a 16bit environment:
The payment note screen will show up when the MFT get encrypted.
2.7.3 Decryption procedure of Petya
Only one step is involved in the decryption procedure: decrypt and restore the victim’s MBR and MFT by SALSA20 with the key fetch from C&C server.
2.8 TeslaCrypt
2.8.1 Introduction of TeslaCrypt
TeslaCrypt ransomware was detected in February 2015, and up to now, there are 4 main versions of TeslaCrypt. Different versions of TeslaCrypt use different extensions of its encrypted file, such as ‘.ecc,’ ‘.ezz,’ ‘.zzz,’ ‘.vvv,’ ‘.abc.’ Moreover, so on. In this subsection, we will talk about the fourth version of TeslaCrypt. No extension is added to encrypted file, shown in the figure:
In the above figure, “!RecOveR!yjxka++.Htm”, “!RecOveR!yjxka++.Png” and “!RecOveR!yjxka++.Txt” are payment note generated by TeslaCrypt Ransomware automatically.
2.8.2 Encryption procedure of TeslaCrypt
Different versions of TeslaCrypt ransomware use different encryption algorithms. In the sample which we are going to discuss, ECDH algorithm and AES algorithm are adopted. The elliptic curve used in ECDH is secp256k1. Moreover, this is the last time we discuss ECDH, which may be a little complicated.
The whole encryption procedure of TeslaCrypt is similar to CTB_Locker in 2.4.2. Teslacrypt ransomware encrypts victim’s personal file by a threelevel encryption procedure. One can treat ECDH as RSA just as what we say in 2.4.2.
In the first level, a randomlygenerated ECDH key is encoded by ECDH algorithm with the builtin ECDH key. In the second level, a randomly generated AES key is encoded by ECDH with the randomlygenerated ECDH key:
In the third level, AES algorithm is adopted to encrypt victim’s personal file:
Finally, the ciphertext and some necessary information, such as encoded ECDH public key, will overwrite the origin file.
2.8.3 Decryption procedure of TeslaCrypt
It is also similar to CTB_Locker in 2.4.3, normally, we cannot fetch the global ECDH private key, so only 2 steps involved in decryption procedure. The first step is to decrypt AES key by ECDH algorithm with the key fetch from C&C server; The second step is to decrypt victim’s personal file with the decrypted AES key.
2.9 TorrentLocker
2.9.1 Introduction of TorrentLocker
TorrentLocker is another notorious ransomware found in 2014. Most versions of TorrentLocker Ransomware add the ‘.encrypted.’ Extension to its encrypted files and some versions of TorrentLocker try to disguise itself as CryptoLocker ransomware. In this subsection, we will discuss an early version of TorrentLocker which will not change the size of the file it encrypts:
In the above figure, “PLEASE_READ.txt” is the payment note generated by TorrentLocker automatically.
2.9.2 Encryption procedure of TorrentLocker
RSA algorithm and AES algorithm are adopted in TorrentLocker Ransomware. RSA algorithm is used to encrypt a randomly generated AES key, and victim’s personal file is encrypted with that AES key. In fact, a very large part of ransomware which we haven’t discussed in this paper works in RSAAES pattern.
The randomly generated AES key is generated by Yarrow algorithms, and the detail descriptions of Yarrow algorithm be found on the wiki:
Yarrow algorithm: https://en.wikipedia.org/wiki/Yarrow_algorithm
The seed of Yarrow algorithm contains the return value of the following functions:
Pay attention that; this is not the full list of relevant functions. Moreover, in the next step, victim’s personal file is encrypted 16 bytes by 16 bytes with AES algorithm:
When encryption process is finished, origin file will be overwritten by cipher text, no more extra data.
2.9.3 Decryption procedure of TorrentLocker
Although AES key is encrypted by RSA algorithm, we can’t get back the RSA private key. To decrypt victim’s personal file, we need to fetch the AES key from C&C server, and with that AES key, we can decrypt the victim’s personal file with AES algorithm.
2.10 Unlock92
2.10.1 Introduction of Unlock92
Unlock92 is the last one that we are going to discuss. Unlock92 ransomware was first released at around June 2016, and up to now, the second version of Unlock92 has been detected. Unlock92 ransomware runs in .net framework. The first version of Unlock92 ransomware will add a ‘.CRRRT’ extension to its encrypted file and the second version of Unlock92 ransomware will add a ‘.CCCRRRPPP’ extension. Compared with the first version, the second version is more complex so that we will talk about the second version of Unlock92:
In the above figure, “FBDX.jpg” is the payment note generated by Unlock92 Ransomware automatically.
2.10.2 Encryption procedure of Unlock92
Unlock92 ransomware adopts RSA algorithm for 2 times in its encryption procedure. For each Unlock92 sample, there is a builtin RSA public key encoded by base64 which is used to encrypt randomlygenerated RSA key:
The randomlygenerated RSA key is used to encrypt victim’s personal file:
To maximize the efficiency of encryption procedure, Unlock92 ransomware only encrypts the first 0x300 bytes of victim’s personal file, not the whole file.
2.10.3 Decryption procedure of Unlock92
To decrypt the victim’s personal file encrypted by Unlock92 ransomware, we need to restore the randomlygenerated RSA private key from C&C server, and with that key, we can get back the victim’s personal file using RSA algorithm.
3. Vulnerabilities in ransomware
3.1 Summary of encryption method
In Section 2, we have outlined the encryption methods of the 10 chosen ransomware. Each of them stands for one kind of encryption procedure, and the encryption methods of other ransomware which are not presented may belong to one of them.
Now, we can summarize the encryption method exist in that ransomware as follows:
 A customdesigned encryption algorithm, just like what we analyze in 2.1.
 The 1level encryption algorithm, just like what we analyze in 2.5.
 The 2level encryption algorithm, such as RSAAES pattern, just like what we analyze in 2.3, 2.6, 2.7, 2.9, 2,10.
 The 3level encryption algorithm, such as ECDHECDHAES pattern, just like what we analyze in 2.2, 2.4, 2.8.
 By the encryption module from the other normal software. For example, CryptoHost ransomware encrypts victim’s personal file by WINRAR’s encryption module and Vault ransomware encrypts victim’s personal file by GNUPG’s encryption module.
As we can see, the standard encryption algorithm is widely used in ransomware, except for the ransomware described in subsection 2.1 which adopts a customdesigned encryption algorithm. Among all the standard encryption algorithms, AES algorithm has gained the highest utilization rate, followed by RSA algorithm, and some ransomware also uses ECDH algorithm. Since all those standard encryption algorithms can be regarded as uncrackable, the main reason why ransomware can be cracked is completely due to the improper use of standard encryption algorithms.
3.2 Summary of decryption method
If all the ransomware are welldesigned, in other words, if all the ransomware are noncrackable, the correct method to decrypt victim’s personal file can be summarized as follows:
 For the customdesigned encryption algorithm, we need to get both the decryption algorithm and the decryption key.
 For the 1level encryption algorithm, we need to get the decryption key and decrypt victim’s personal file with that key.
 For the 2level encryption algorithm, we need to get either the firstlevel key or the secondlevel key. If we have the firstlevel key, we can restore the secondlevel key with that key, and then decrypt victim’s personal file with the secondlevel key.
 For the 3level encryption algorithm, we need to have one of those 3 keys. If we have the firstlevel key, we can restore the secondlevel key with the firstlevel key and restore the thirdlevel key with the secondlevel key, and finally, decrypt victim’s personal file with the thirdlevel key.
 For those who use encryption module from the other normal software, we need to get the decryption key.
In the ransomware author’s point of view, those decryption mentioned above methods are thought to be the only correct way to decrypt victim’s file. However, there exist more or fewer vulnerabilities in some kinds of ransomware, which leads to crack them. We will summarize those vulnerabilities in 3.3.
3.3 Summary of vulnerabilities in ransomware
Only a small number of ransomware can be cracked, and the reason why that ransomware gets cracked is mainly that it fails to use standard encryption algorithm correctly. As far as we see, the detail reasons for each cracked ransomware can be summarized as follows:
 The customdesigned algorithm. Ransomware in 2.1 is cracked because their customdesigned algorithm is not as strong as the standard encryption algorithm.
 Improper way to keep the key. Ransomware in 2.5 is cracked because the builtin AES key is used to encrypt victim’s personal files.
 Weakness in cryptographic strength. The RSA key used in the early version of ransomware analyzed in 2.8 is so short that can be factorized.
 The unscientific pseudorandom number generator. The pseudorandom number is predictable in the early version of ransomware analyzed in 2.10.
 Vulnerabilities in C&C server. There are some vulnerabilities existed in C&C server of ransomware in 2.2 which help lots of victims retrieve their keys.
 Other reasons, such as the author of CoinVault was arrested, the author of TeslaCrypt released the global private ECDH key and so on.
There are still some reasons which do not appear in the above summary, such as the author of CoinVault is arrested, but we believe that it is not hard for you to find those reasons by yourself.
3.4 Summary of sample analysis
In this subsection, the sample we analyzed in section 2 is summarized much clearly in this table:
Ransomware 
Encryption method 
Crackable or not 
more details 

2.1 Apocalypse 
Custom designed 
Crackable 
Weak algorithm  
2.2 Cerber 
3level 
Was crackable, currently not 
The secondlevel key used to be leaked by its C&C server.  
2.3 CryptoWall 
2level 
Noncrackable 
It cannot run because C&C server is down.  
2.4 CTB_Locker 
3level 
Noncrackable 
None  
2.5 Jigsaw 
1level 
Crackable 
Decryption key can be found in the ransomware sample.  
2.6 Locky 
2level 
Noncrackable 
It cannot run because C&C server is down.  
2.7 Petya 
2level 
Crackable 
The secondlevel key can be found, because the cryptographic strength is weak.  
2.8 TeslaCrypt 
3level 
Crackable 
The ransomware author releases the firstlevel key (master key).  
2.9 TorrentLocker 
2level 
Noncrackable 
None  
2.10 Unlock92 
2level 
Noncrackable 
None 
(The version of specific ransomware in table is given in the corresponding subsection)
Besides, the early version of Unlock92 is crackable because the pseudorandom number is predictable so that the secondlevel key can be guessed.
4. Trends and suggestions
4.1 Trends
According to what we see, there is an increasing trend in both the amount and the type of ransomware. Moreover, the source code and the building tools of ransomware has been sold on black markets which it makes much easier to generate a new type of ransomware. If no effective measures are taken, it is really difficult to estimate how bad the end is that we are going to face.
The good news is that antiransomware camps are also getting stronger. Most of the antivirus companies have launched their products to help people keep away from ransomware. Moreover, we think more and more victim will benefit from their products.
4.2 Suggestions
Up to now, there exist more or less problems in using the standard encryption algorithms in ransomware, but with the development of ransomware, the amount of those problems is getting less and less. Once the author of ransomware manages the usage of the standard encryption algorithm, it is truly difficult to restore victim’s personal files. Therefore, we suggest that we should give priority to defense. From one hand, computer users should backup their personal files instantly; From the other hand, antivirus company should design the special algorithm to recognize ransomware and suspend the encryption process according to the feature of ransomware, such as walking the file system. Besides, don’t surrender to panic even if you are infected by ransomware, and consulting some experts may be a good way to deal with that situation.