Decrypting ransomware for good.
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now a word from our sponsor, Juniper Networks. Join Juniper at NXTWORK 2019 to learn, share, and collaborate with game changers from companies across the networking industry. This year's event features keynotes from Juniper executives, as well as special guest speaker Earvin "Magic" Johnson, along with over forty breakouts and master classes led by distinguished engineers, as well as various opportunities for certification testing and training. Visit juniper.net/nxtwork for more information. That's juniper.net/nxtwork. And we thank Juniper for sponsoring our show.
Dave Bittner: [00:01:09] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything – all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Michael Gillespie: [00:01:49] In most cases, it can be difficult. There's a lot of reverse engineering, a lot of playing with the ransomware.
Dave Bittner: [00:01:56] That's Michael Gillespie. He's a programmer at Emsisoft. He's written decryptors for a number of high profile ransomware strains, and he runs the ID Ransomware website, along with a popular YouTube channel where he demonstrates how he writes his decryptors. Most recently, he wrote a decryptor for the Syrk strain of ransomware. That's where we began our conversation.
Michael Gillespie: [00:02:16] Lots of various techniques we have to do. Sometimes I can't even reverse it myself – I have to kind of call upon some teammates to help me. In this case, it was honestly a very easy one to reverse – kind of those difficulties didn't really apply.
Dave Bittner: [00:02:29] And what made it easy?
Michael Gillespie: [00:02:30] Honestly, part of it is just how it was built with a language called .NET. It's just a very easy language to reverse back almost to exact source code. I can just put it into a decompiler and read exactly what the original source code was. There's not a lot of going through a debugger or anything like that, in most cases.
Dave Bittner: [00:02:50] And so, in this case, once you're able to do that and you see the methods that they're using for encryption, what did you discover?
Michael Gillespie: [00:02:58] So, in this one, there was a pretty – I want to say common flaw with how they handle the key. Sometimes I have to still be vague in case they're still active.
Dave Bittner: [00:03:07] Sure, sure.
Michael Gillespie: [00:03:07] In this case, it – there's no way for me to know how active they were just based on the infection vector, with it being, like, a fake Fortnite cheat client. It's also one of those cases where there might not be many victims who report that they're infected. I kind of get this with – there's another ransomware that's extremely large right now that I've been fighting for over a year, that all of the victims come from kind of the same thing – downloading some type of an illegal tool or cheat thing...
Dave Bittner: [00:03:33] Mm-hmm.
Michael Gillespie: [00:03:35] ...And they're sometimes not really forthcoming about that. You know, hey, I'm a victim, I got infected, but I was also kind of doing something dirty. (Laughs)
Dave Bittner: [00:03:43] Right. Right. Right. Yeah. Interesting. Well, can you give us some insight, sort of, of the spectrum of what you run into in terms of the range of sophistication when it comes to these folks implementing different types of encryption technologies?
Michael Gillespie: [00:03:58] Pretty much any and anywhere. I mean, over my career, so to say, I've seen anywhere from, you know, you get basic XORing, or you have, say, a really sophisticated encryption scheme, kind of like the larger players usually do more sophisticated, like TeslaCrypt, back in the day, was pretty advanced – it used a lot of elliptical curves. Honestly, I worked a lot with the researcher who broke that one and he actually gave me his detailed notes on it. I understood his notes, but I don't think I'd have been able to figure that out myself. (Laughs)
Dave Bittner: [00:04:29] Interesting, yeah.
Michael Gillespie: [00:04:30] It was pretty advanced, especially when they got to TeslaCrypt 4.0, when they fixed their flaws, they added, like, additional layers of complexity. And it took me a while – once he gave me the notes on how he reversed that one, I had a little difficulty, because it was like multiple layers of elliptical curve technology and, like, a ton of math. You get anywhere from that craziness, that's just like kind of slightly above my head almost, to just like really stupid ones with like a static, here's the exact same key that's gonna be used every time, or just simple XORing or something like that.
Dave Bittner: [00:05:07] Mm-hmm. They're using sort of off-the-shelf kind of stuff sometimes?
Michael Gillespie: [00:05:10] Yeah. In terms of off-the-shelf ransomware, so to say, I have seen some that use commercial products for encryption. One example was a campaign that – I think they used the product TrueCrypt, and they used it because it's a secure, actually vetted product, and they just basically abused it to generate some random key. And in that case, we couldn't break it, because it was actually a human on the machine running the malware, copying the key to their clipboard and back, you know, saving it back on their computer. So it's not like the key was generated somewhere that we know of.
Michael Gillespie: [00:05:46] There's also been, um, I believe there is one that used a library – I can't quite remember the name, but it was another commercial encryption library. It's somewhat common. I mean, when it comes to using encryption, the best thing, even just in general, not for ransomware, but the best thing is to never spin your own crypto. There have been some ransomware that are hilariously broken because they tried to invent their own crypto. That didn't quite work out for 'em.
Dave Bittner: [00:06:14] I see. So they exceeded their own sophistication when it came to being able to do that?
Michael Gillespie: [00:06:20] (Laughs) Yeah. I mean, that's why you see a lot of ransomware – like, probably the number one algorithm you're going to see is AES, because that's known to be secure. If they're generating and handling the keys right is another thing, but that's usually where we look for a flaw. If we see that it's using AES and we confirm it's properly implemented – I've seen some custom implementations of AES that were wrong, I think one of them might have led to breaking it – usually if they get it correct enough, it's not decryptable, at least by breaking the algorithm.
Dave Bittner: [00:06:52] I see. Well, walk me through the actual process. When you are presented with a new strain of ransomware and you're initially taking a look at it to evaluate how you're going to go at it, just from the beginning, walk us through how you go about that.
Michael Gillespie: [00:07:09] I'll throw a shameless plug out here – I do have a YouTube channel where I actually make videos of how I do this.
Dave Bittner: [00:07:15] Oh, great.
Michael Gillespie: [00:07:16] Kind of from a beginner perspective. The very first one – I was pretty nervous. It was the first time I recorded, like, a video on my own...
Dave Bittner: [00:07:24] (Laughs)
Michael Gillespie: [00:07:24] ...So I kind of stutter a bit, but I kind of do go over the points of, like, from beginning, what's my thought process. And if I remember right, I had like three main objectives in the first video. The first one is, is this a ransomware? Because I'm just given a – in most cases, I'm just given an executable by a victim. And they're just suspicious, thinking, you know, I think this is what infected me. It's not always the case. You know, it might just be that their system just has a crap ton of other malware on it.
Dave Bittner: [00:07:53] Oh, yeah.
Michael Gillespie: [00:07:54] So the first thing is, is this a ransomware? So I kind of show how, as I'm analyzing it, some indicators. I might look at the strings in the malware and I might see parts of the ransom note, or I might see certain functions that I know are used for cryptography. Those are usually pretty good clues that, okay, this might be a ransomware.
Michael Gillespie: [00:08:14] My second objective is usually, how can I identify this? So like, is this a new ransomware or is it just a rehash of an existing family? Does it leave an extension? What does its ransom note look like? What does the encryption look like? Does it leave a file marker? My main goal for that is for how to identify this on my service, ID Ransomware, so that I can feed some indicators in there to identify when victims upload their files.
Michael Gillespie: [00:08:42] So then the third thing I keep in mind is, can I break it? I'll look for clues to see what type of encryption it's using, if it's secure, kind of what their crypto scheme, how they're using the encryption, if they're encrypting keys, if they're doing different layers of encryption with different algorithms, if there's a weak point in that. Then I kind of look into how they're generating the key. Sometimes I'll also just think of some outside of the box, like, any way of attacking it, basically.
Dave Bittner: [00:09:10] Now, when you're doing those comparisons to previously known strains of ransomware, is there any automation there, or is that a manual process, or is it a combination of the two?
Michael Gillespie: [00:09:20] It's definitely a combination. Honestly, one of the first steps I do if I'm not completely sure, is I'll run them – I kind of do this in tandem when I am analyzing it, like, say, in a decompiler or a debugger, I also might execute it and actually run it on a virtual machine and then just grab the encrypted files and compare them to the originals, because I have some bait files that I know what they're supposed to look like, and kind of compare what they look like afterward.
Michael Gillespie: [00:09:47] I'll kind of be doing that, but I'll also – as soon as I get the encrypted file and the ransom note – I'll actually submit them to my own website. Because at this point, it identifies over seven hundred ransomware, and sometimes, like, I get 'em so mixed up in my mind anymore. (Laughs).
Dave Bittner: [00:10:04] Sure. Yeah.
Michael Gillespie: [00:10:06] That extension looks kind of familiar, or that note – the text looks familiar, but nowadays, so many ransomware are just spoofing and copying each other. So even if the note sounds familiar to me, I can't really trust that, because they just keep copying each other's notes, nowadays. It's really annoying.
Dave Bittner: [00:10:25] What happens when you run into something that isn't actually ransomware, that might be pretending to be? I'm thinking of it – we've heard of some of these strains that are merely destructive.
Michael Gillespie: [00:10:35] I've run into maybe one of those myself. I want to say I sometimes don't analyze the more sophisticated ones, because I am honestly kind of a beginner still. So, like, the stuff like Petya and WannaCry – those were above my head on analyzing those at the time. Of course, that was also several years ago with a lot less experience under my belt.
Dave Bittner: [00:10:58] Right.
Michael Gillespie: [00:10:59] So, I think I have run into one ransomware that I can think of that was destructive. And I was able to prove that it didn't do any encryption at all – it just wrote random garbage to files. You know, usually if I do discover that, it's kind of the gray line whether that is ransomware, of course, since it's not encrypting. But I still kind of put a PSA out there. If it has an indicator, like if it uses an extension or something, I'll still add it to my website in case someone does upload, then I can point them to a source saying don't pay, because it's no good.
Dave Bittner: [00:11:31] Every bit of information helps the community.
Michael Gillespie: [00:11:33] Yep. So it kind of depends on the circumstances. If I kind of get, like, frustrated, or I might pass it on to someone else, I want to say it leaves my envelope of interest when the crypto's not there.
Dave Bittner: [00:11:45] Right. Interesting. Well, can you give us some insights into the community that exists for decrypting these sorts of things. You know, you have a certain level of knowledge and sophistication. Certainly there are people coming up behind you who are newer at this. But there are also folks who have skills that exceed your own. How do you all communicate with each other and share things and learn from each other?
Michael Gillespie: [00:12:09] You know, of course, I've got internal assets with the analysts at Emsisoft. It's kind of interesting because my angle of getting into this is separate from anyone else, because everyone else started out with analyzing malware, just in general – any viruses, worms, Trojans, you know, all of that. They're focused on analyzing malware and being able to protect their customers from it and stuff like that. And I kind of jumped into the game – I only care about ransomware. (Laughs)
Dave Bittner: [00:12:37] Mm-hmm.
Michael Gillespie: [00:12:37] So I don't come from a background of, you know, that foundation of just malware and then transforming it into ransomware. It's pretty similar in terms of the process of how you reverse it. It's just the ransomware kind of adds the crypto to it, so there's a little more – just, like, an extra layer on top of it. But so I do have those internal assets at Emsisoft with the lab guys – one of those including the famous Fabian Wosar. He kind of mentors me in some respect.
Dave Bittner: [00:13:05] Mm-hmm.
Michael Gillespie: [00:13:04] But then I also am part of a kind of a more vendor agnostic group called Ransomware Hunting Team. And we actually – I'm one of the kind of founding members of it from several years ago. I can't name a lot of names, but it's almost semi-underground sort of. We have a lot of members from different antivirus companies and cybersecurity companies. We just have a Slack channel that we communicate with a lot of the ransomware and hunting it and trying to break it down.
Dave Bittner: [00:13:36] Avengers assemble, right?
Michael Gillespie: [00:13:37] Exactly. (Laughs).
Dave Bittner: [00:13:38] Yeah. Well, and I suppose – I mean, it must be particularly gratifying when you're able to successfully publish a decryptor for something like this.
Michael Gillespie: [00:13:47] Yep, it definitely is. I've been writing decryptors for several years now and some are a little more – I want to say some are a little more satisfying than others.
Dave Bittner: [00:13:57] How so?
Michael Gillespie: [00:13:58] Well, for instance, probably one of the ones I'm most proud of was a ransomware called Vortex. It was mostly attacking victims in Poland. I actually kind of touched on this in one of my videos, but I didn't go into the full story, I don't think. But basically, the ransomware was using a public password generator to make the encryption password – it was like reaching out to an API on a website of someone that had a "generate a forty-character password using my site" type of thing. So I actually had reached out to the owner of that website, and I didn't expect him to be, like, logging passwords. You know, I was like – I read the owner's blog, and I could tell he is pretty security conscious, and I actually could see like the front end code kind of looked like he was being very conscious of not storing passwords and stuff like that. But of course, you know, you still have to – if you're generating a password on a website, you still got to be judgmental of it.
Dave Bittner: [00:14:54] (Laughs)
Michael Gillespie: [00:14:54] So I kind of approached him, I was like, hey, I've got this ransomware that's encrypting victims' files and it's getting the password from your website. Is there something we can do to, you know, try to combat this? And basically, through a series of emails, I kind of anonymously – he was able to provide me some of the code that he used to generate the password, but it ended up being – like, it was muddied. Basically it was a PHP server – he had the password generation script running inside of WordPress. The way that I would attack that key-gen by predicting its passwords was really complicated with the way that WordPress had kind of already seeded the number generator an unknown number of times.
Michael Gillespie: [00:15:35] It was kind of like this dance with the guy. I didn't want to just blatantly be like, hand me the keys to your whole server and how to break everything on your server. But I also wanted to break just these keys. So I kind of did a little dance with trying to get some – just enough information for me to try to figure it out myself. I mean, he was very, very cooperative, but he was also, you know, rightly so, like, yeah, I can't give you the keys to everything.
Dave Bittner: [00:16:00] Yeah.
Michael Gillespie: [00:16:00] So I just had to figure out a few variables. And it took quite a while to figure out, but I did end up figuring out a method of breaking the keys. There were two reasons I was really proud of that one. One was just how much work I put into it, and I actually found a way – it was kind of inefficient looking back, but, you know, it worked.
Dave Bittner: [00:16:19] Yeah. For the folks who you're helping decrypt their files, they don't care. They get their stuff back.
Michael Gillespie: [00:16:24] (Laughs) Exactly. But the other part was actually the CERT for Poland – CERT PL or whatever – they had approached the same website owner and got the exact same information. They probably subpoenaed it from him.
Dave Bittner: [00:16:38] Right, right.
Michael Gillespie: [00:16:39] They got the same information I did and they analyzed it and they deemed it not breakable.
Dave Bittner: [00:16:46] Hmm.
Michael Gillespie: [00:16:47] They saw the flaw that I saw, but they thought it was not feasible, I should say. So I kind of had that little inner gloat when I was like, well, I've broken like a hundred keys of it.
Dave Bittner: [00:16:58] Right. Right. Oh, yeah. Watch this.
Michael Gillespie: [00:17:01] Yeah. (Laughs) So I was pretty proud of that one.
Dave Bittner: [00:17:04] Yeah. Good for you. Good for you. Well, if folks want to follow your exploits, follow your journey, how do we find you on YouTube?
Michael Gillespie: [00:17:14] On YouTube, my username is Demonslay335, which is the same as my Twitter.
Dave Bittner: [00:17:19] And the website is?
Michael Gillespie: [00:17:20] Website is ID Ransomware. It kind of has a long URL. It's id-ransomware.malwarehunterteam.com. And really honestly, you can just Google ID Ransomware, and it's pretty popular.
Dave Bittner: [00:17:36] Yeah. Let me ask you one more question, though. What are your recommendations for folks who think this is something that they want to learn how to do? What's the best way to get started?
Michael Gillespie: [00:17:46] Honestly, I just kind of jumped into it, is how I did it. There are some resources out there. I can't think of anything specific, unfortunately, but there are quite a few resources on, you know, general programming. If you want to get into reverse engineering, definitely having a core background of some programming knowledge is key. And then, you know, just start looking into communities. There are some free communities, like I want to say VirusBay, where you can download malicious samples. They have some guides. There are a couple of other websites that have guides on how to make a secure – like a virtual environment for not getting yourself infected off the bat. I do have, on my channel, more beginner videos specifically for ransomware.
Michael Gillespie: [00:18:27] I do, like I said, the first one is just literally me talking about my thought process of analyzing. I kind of go into a bit of static analysis, just very on-the-surface looking at the strings and looking at some of the import functions. And then from there, my next videos in the series go into a little more in-depth of using a debugger, doing some decompiling, messing with a server, some different things, kind of baby steps.
Dave Bittner: [00:18:56] Our thanks to Michael Gillespie from Emsisoft for joining us. We'll have links to the ID Ransomware website and his YouTube channel in the show notes.
Dave Bittner: [00:19:04] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.
Dave Bittner: [00:19:14] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:19:21] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.