Adversaries attack the availability of data and services in target systems through the malicious use of encryption. Ransomware remains a financially lucrative business, and rising geopolitical tensions have led to an increase in data destruction attacks, so data encryption continues to be weaponized in malware campaigns.
In Red Report 2024, T1486 Data Encrypted for Impact is listed as the fifth most prevalent adversary technique, confirming that ransomware and data wiper malware trends are still a major threat to organizations and individuals.
Adversaries use standard, well-vetted encryption algorithms to render their victims' data useless; the strength of the scheme comes from the algorithm and the key handling, not from anything novel. In ransomware attacks, adversaries hold the decryption key for ransom in the hope of financial gain. The well-known ransomware families share a common pattern: they combine multiple encryption algorithms to get speed, security, and efficiency at the same time.
There are two popular approaches in cryptographic encryption algorithms:
Symmetric encryption algorithms use the same key for encryption and decryption processes. This key is also known as the secret key. AES, Blowfish, ChaCha20, DES, 3DES, and Salsa20 are some popular examples of symmetric algorithms.
Asymmetric encryption algorithms use a key pair, a public key and a private key, for encryption and decryption, respectively. These algorithms are also known as public key encryption. RSA is the classic example; elliptic-curve algorithms such as ECDH (key agreement) and ECDSA (signatures) belong to the same public-key family and, as the table below shows, ransomware uses ECDH in place of RSA to protect its symmetric keys.
Symmetric encryption is the right tool for bulk encryption: it is orders of magnitude faster than asymmetric encryption, and the ciphertext is essentially the same size as the plaintext, whereas public-key algorithms are far slower per byte and can only encrypt short messages (at most a few hundred bytes per operation for RSA). Ransomware payloads therefore encrypt victim files with a symmetric cipher so that an entire file system can be encrypted before defenders react. Symmetric encryption alone, however, has two limitations that matter to an attacker:
- The same key encrypts and decrypts, so a key generated or stored on the infected host can be recovered from memory, disk, or a network capture and used to decrypt the files without paying.
- Each victim needs its own key, and the attacker needs a way to bind every encrypted host or file to the key that unlocks it.
Ransomware operators use asymmetric encryption to solve symmetric encryption's key distribution and management problems. Although slower than its alternative, asymmetric encryption allows ransomware operators to leave their public key in the infected hosts without worry since victims cannot decrypt their files without the private key.
In a typical ransomware attack, the payload encrypts each file with a symmetric algorithm under a secret key. It then encrypts that secret key with a public key generated for the infected host and stores the wrapped key alongside the ciphertext; the matching private key never leaves the operator's infrastructure. This combined use of both kinds of algorithm is called the hybrid encryption approach. It lets ransomware operators leverage the fast encryption performance of symmetric encryption while relying on the key-protection guarantees of asymmetric algorithms.
| Ransomware | Symmetric Encryption | Asymmetric Encryption |
|---|---|---|
| AvosLocker [1] | AES-256-CBC | RSA (2048-bit) |
| BlackMatter [2] | Salsa20 | RSA (1024-bit) |
| LockBit 3.0 [3] | AES-256 | RSA (2048-bit) |
| Money Message [4] | ChaCha20 | ECDH with Curve P-384 |
| Rancoz [5] | ChaCha20 | NTRUEncrypt |
| RTM Locker [6] | ChaCha20 | ECDH with Curve25519 |
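The hybrid scheme described above, written out as an added example in Go. This is illustration code, not the code of any family in the table: it assumes AES-256-GCM for the bulk step and RSA-2048 with OAEP for key wrapping (both Go standard-library choices, not taken from the cited analyses), and the sample file contents are constructed. The point it shows is that the host only ever holds the public key, so the per-file key can be wrapped but never unwrapped there, and that the same routine minus the wrapping step is a wiper.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// EncryptedFile is what the payload leaves on disk for one file: the
// AES-GCM nonce and ciphertext plus the per-file AES key wrapped with the
// operator's RSA public key. The raw file key is never written anywhere.
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// newOperatorKey generates the RSA-2048 key pair that would live only on the
// operator's infrastructure; the victim host sees just the public half.
func newOperatorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// hybridEncrypt models the payload side: generate a fresh 256-bit key for
// this file, encrypt the contents with AES-256-GCM (fast, bulk work), then
// wrap only the 32-byte key with RSA-OAEP (slow, but done once per file).
// Only the public key is needed, so nothing left on the host can undo it.
func hybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// A wiper is this same routine minus the wrapping: drop fileKey and
	// return no WrappedKey, and the ciphertext is unrecoverable for everyone.
	return &EncryptedFile{Nonce: nonce, Ciphertext: ciphertext, WrappedKey: wrapped}, nil
}

// hybridDecrypt models the operator side after payment: the private key
// unwraps the file key, and the file key decrypts the contents.
func hybridDecrypt(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: wrong or missing private key")
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	operator, err := newOperatorKey()
	if err != nil {
		panic(err)
	}
	plain := []byte("constructed sample file contents: Q3 revenue figures") // constructed input
	ef, err := hybridEncrypt(&operator.PublicKey, plain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext %d bytes, wrapped key %d bytes\n", len(ef.Ciphertext), len(ef.WrappedKey))

	// Anyone without the operator's private key, including the victim, fails here.
	someoneElse, _ := newOperatorKey()
	if _, err := hybridDecrypt(someoneElse, ef); err != nil {
		fmt.Println("without the operator's private key:", err)
	}
	got, err := hybridDecrypt(operator, ef)
	fmt.Println("with the private key, recovered:", err == nil && bytes.Equal(got, plain))
}
```

The sizes in the output make the trade-off concrete: the ciphertext grows by only the 16-byte GCM tag, while the 256-byte wrapped key is a fixed cost per file regardless of file size, which is why the public-key step is applied to the key rather than to the data.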
In another use case, adversaries abuse data encryption to destroy victims' data outright. A wiper does not need a broken cipher for this: it encrypts files with a standard algorithm and then throws the key away, for example by generating a random symmetric key, using it, and never storing or transmitting it. Nobody, the attacker included, can decrypt the result, which is the point. Geopolitical tensions around the world have driven the rise of data wiper malware.
Here are some of the recent wiper malware examples:
- AwfulShred [8]
- BiBi Wiper [9]
- CaddyWiper [10]
- No-Justice Wiper [11]
Windows ships cryptography as a platform service: through the built-in cryptographic providers, a program can use symmetric and asymmetric algorithms such as DES, 3DES, RC2, RC4, and RSA without bundling its own implementation. Adversaries abuse this in their data encryption operations, which also means that at the API level their calls look the same as those of legitimate software.
For example, BlueSky and Nefilim abuse Microsoft's Enhanced Cryptographic Provider to import cryptographic keys and encrypt data through its API functions [13], [14].
Ransomware operators often query host-specific information to generate a unique identifier for each infected host. Unique identifiers let them track infected hosts and match each one to its encryption and decryption keys. For example, Zeppelin ransomware reads the MachineGUID value from the following registry key, which is unique to each Windows installation [15].
Registry key: HKLM\SOFTWARE\Microsoft\Cryptography, value: MachineGUID
Security teams can monitor these cryptographic API calls and the MachineGUID query for ransomware detection. On their own they are not suspicious (browsers, backup agents, and Windows itself use the same providers), so a useful detection correlates them per process with other T1486 signals such as mass file renames to a new extension or ransom-note drops.
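As an added example, not taken from the page or from any cited vendor, a minimal correlation detector in Go over constructed process telemetry. The line format (`<pid> <image> <kind> <detail>`) is invented for the example, and the CryptoAPI function names in `cryptoAPIs` are real Windows functions assumed to be reported by the sensor, not a list taken from the BlueSky or Nefilim analyses. The rule fires only when one process reads MachineGUID, calls at least two distinct CryptoAPI functions, and renames a threshold number of files by appending a new extension; a process that does only one of those things, like the constructed svchost or backup tool, stays quiet.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one line of constructed telemetry: "<pid> <image> <kind> <detail>".
// This layout is invented for the example and is not a real sensor's format.
type Event struct {
	PID    string
	Image  string
	Kind   string // RegistryRead, ApiCall or FileRename
	Detail string
}

// machineGUIDValue is the registry value the article describes ransomware reading.
const machineGUIDValue = `HKLM\SOFTWARE\Microsoft\Cryptography\MachineGUID`

// cryptoAPIs are CryptoAPI functions the sensor is assumed to report (assumption).
var cryptoAPIs = map[string]bool{"CryptAcquireContextW": true, "CryptGenKey": true, "CryptImportKey": true, "CryptEncrypt": true}

// sampleTelemetry is constructed: PID 4120 behaves like a ransomware payload,
// PID 880 only reads MachineGUID (many Windows components do), and PID 2210 is
// a backup tool that encrypts data but never reads MachineGUID or re-extends files.
const sampleTelemetry = `
4120 C:\Users\alice\AppData\Local\Temp\upd.exe RegistryRead HKLM\SOFTWARE\Microsoft\Cryptography\MachineGUID
4120 C:\Users\alice\AppData\Local\Temp\upd.exe ApiCall CryptAcquireContextW
4120 C:\Users\alice\AppData\Local\Temp\upd.exe ApiCall CryptImportKey
4120 C:\Users\alice\AppData\Local\Temp\upd.exe ApiCall CryptEncrypt
4120 C:\Users\alice\AppData\Local\Temp\upd.exe FileRename C:\Users\alice\Documents\q3.xlsx -> C:\Users\alice\Documents\q3.xlsx.locked
4120 C:\Users\alice\AppData\Local\Temp\upd.exe FileRename C:\Users\alice\Documents\plan.docx -> C:\Users\alice\Documents\plan.docx.locked
4120 C:\Users\alice\AppData\Local\Temp\upd.exe FileRename C:\Users\alice\Pictures\team.jpg -> C:\Users\alice\Pictures\team.jpg.locked
880 C:\Windows\System32\svchost.exe RegistryRead HKLM\SOFTWARE\Microsoft\Cryptography\MachineGUID
880 C:\Windows\System32\svchost.exe ApiCall CryptAcquireContextW
2210 C:\Tools\backup.exe ApiCall CryptAcquireContextW
2210 C:\Tools\backup.exe ApiCall CryptGenKey
2210 C:\Tools\backup.exe ApiCall CryptEncrypt
2210 C:\Tools\backup.exe FileRename C:\Backups\2024-01.tmp -> C:\Backups\2024-01.bak
`

func parseEvents(raw string) []Event {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.SplitN(line, " ", 4)
		if len(f) != 4 {
			continue // malformed line: skip it rather than crash the detector
		}
		events = append(events, Event{PID: f[0], Image: f[1], Kind: f[2], Detail: f[3]})
	}
	return events
}

type procState struct {
	image     string
	readGUID  bool
	apis      map[string]bool
	reExtends int
}

// detect correlates the three signals per process and returns the image path
// of every process that read MachineGUID, called at least two distinct
// CryptoAPI functions, and renamed at least threshold files to an added extension.
func detect(events []Event, threshold int) []string {
	states := map[string]*procState{}
	var order []string // first-seen order keeps the result deterministic
	for _, e := range events {
		s := states[e.PID]
		if s == nil {
			s = &procState{image: e.Image, apis: map[string]bool{}}
			states[e.PID] = s
			order = append(order, e.PID)
		}
		switch e.Kind {
		case "RegistryRead":
			if strings.EqualFold(e.Detail, machineGUIDValue) {
				s.readGUID = true
			}
		case "ApiCall":
			if cryptoAPIs[e.Detail] {
				s.apis[e.Detail] = true
			}
		case "FileRename":
			if appendsExtension(e.Detail) {
				s.reExtends++
			}
		}
	}
	var hits []string
	for _, pid := range order {
		if s := states[pid]; s.readGUID && len(s.apis) >= 2 && s.reExtends >= threshold {
			hits = append(hits, s.image)
		}
	}
	return hits
}

// appendsExtension reports whether an "old -> new" rename keeps the old name and
// tacks a new extension onto it (q3.xlsx -> q3.xlsx.locked), the usual ransomware
// pattern; a backup tool swapping .tmp for .bak does not match.
func appendsExtension(detail string) bool {
	from, to, ok := strings.Cut(detail, " -> ")
	return ok && strings.HasPrefix(to, from+".")
}

func main() {
	for _, image := range detect(parseEvents(sampleTelemetry), 3) {
		fmt.Println("ransomware-like behaviour:", image)
	}
}
```

The rename threshold is the knob to tune against your own baseline: set it low enough to fire before the payload finishes a user's Documents folder, but above the handful of renames that installers and office software perform legitimately.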
[1] N. Shivtarkar and R. Dodia, “A Retrospective on AvosLocker,” Oct. 27, 2023. https://www.zscaler.com/blogs/security-research/retrospective-avoslocker
[2] D. Sason, “BlackMatter Ransomware: In-Depth Analysis & Recommendations,” Nov. 02, 2021. https://www.varonis.com/blog/blackmatter-ransomware
[3] “A Look at LockBit 3 Ransomware.” https://redpiranha.net/news/look-lockbit-3-ransomware
[4] “A detailed analysis of the Money Message Ransomware,” SecurityScorecard, Sep. 14, 2023. https://securityscorecard.com/resources/a-detailed-analysis-of-the-money-message-ransomware/
[5] “Dissecting Rancoz Ransomware,” Cyble, May 11, 2023. https://cyble.com/blog/dissecting-rancoz-ransomware/
[6] Uptycs Threat Research, “RTM Locker Ransomware as a Service (RaaS) Now on Linux - Uptycs,” Apr. 26, 2023. https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux
[7] G. Revay, “The Year of the Wiper,” Fortinet Blog, Jan. 24, 2023. https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper
[8] “Threat Update: AwfulShred Script Wiper,” Splunk-Blogs, Apr. 21, 2023. https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html
[9] D. Bestuzhev, “BiBi Wiper Used in the Israel-Hamas War Now Runs on Windows,” BlackBerry, Nov. 10, 2023. https://blogs.blackberry.com/en/2023/11/bibi-wiper-used-in-the-israel-hamas-war-now-runs-on-windows
[10] I. Kulmin, “CaddyWiper makes Windows machines unusable,” Acronis. https://www.acronis.com/en-us/cyber-protection-center/posts/caddywiper-makes-windows-machines-unusable/
[11] “No-Justice Wiper.” https://www.clearskysec.com/wp-content/uploads/2024/01/No-Justice-Wiper.pdf
[12] “2023 Data Breach Investigations Report (DBIR),” Verizon Enterprise Solutions, May 25, 2023. https://www.verizon.com/business/resources/reports/2023-data-breach-investigations-report-dbir.pdf
[13] S. Ozarslan, “How to Beat Nefilim Ransomware Attacks,” Dec. 03, 2020. https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks
[14] A. Unnikrishnan, “Technical Analysis of BlueSky Ransomware,” CloudSEK, Oct. 14, 2022. https://cloudsek.com/technical-analysis-of-bluesky-ransomware/
[15] H. C. Yuceel, “Zeppelin Ransomware Analysis, Simulation, and Mitigation,” Aug. 13, 2022. https://www.picussecurity.com/resource/zeppelin-ransomware-analysis-simulation-and-mitigation