Skip to content

Page140

Ransomware

Ransomware is a form of malware that uses strong encryption such as AES, while holding the decryption key hostage for a ransom. Ransomware is primarily an attack on availability (preventing users from accessing their files), and is often deployed after a system is compromised. Typically, all (potentially) sensitive or important documents are encrypted. Here’s a (non-testable) list of the file extensions encrypted via Cryptolocker: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c [44].

Once encrypted, the ransomware computer usually changes the desktop wallpaper to display a warning (it may also display an image and/or a text file) that includes instructions on how to pay the ransom (via a cryptocurrency such as Bitcoin) in order to retrieve the encryption key.

Criminals typically release the key when the ransom is paid. There is often a time limit (such as 72 hours) to pay the ransom, at which point the key is destroyed if the ransom has not yet been paid.

Good backups coupled with speedy restoration mitigate ransomware. Many organizations focus on backups (which are important) while ignoring the time to restore the backups (which is also quite important). If an entire data center has been infected with ransomware, how long would it (honestly) take to restore from backups? The answer can be months in some cases, leading victims of ransomware to pay the ransom in order to speed recovery efforts—even when they possess good backups.

Birthday Attack

The birthday attack is named after the birthday paradox. The name is based on the fact that in a room with 23 people or more, the odds are greater than 50% that two will share the same birthday. Many find this counterintuitive, and the birthday paradox illustrates why many people’s instinct on probability (and risk) is wrong. You are not trying to match a specific birthday (such as yours); you are trying to match any birthday.

If you are in a room full of 23 people, you have a 1 in 365 chance of sharing a birthday with each of the 22 other people in the room, for a total of 22/365 chances. If you fail to match, you leave the room and Joe has a 21/365 chance of sharing a birthday with the remaining people. If Joe fails to match, he leaves the room and Morgan has a 20/365 chance, and so on. If you add 22/365 + 21/365 + 20/365 + 19/365 ... + 1/365, you pass 50% probability.

The birthday attack is used to create hash collisions. Just as matching your birthday is difficult, finding a specific input with a hash that collides with another input is difficult. However, just like matching any birthday is easier, finding any input that creates a colliding hash with any other input is easier due to the birthday attack.

Key Clustering

A goal of any cryptographic cipher is that only one key can derive the plaintext from the ciphertext. Key Clustering occurs when two symmetric keys applied to the same plaintext produce the same ciphertext. This allows two different keys to decrypt the ciphertext.