How ransomware encryption works

Ransomware is malware that locks you out of your computer, mobile devices and files by encrypting your electronic files. When this happens, you can’t get to the data unless you pay a ransom. Your computer is no longer ‘yours’ but under the control of the attacker.

First of all, I wish to stress the need for very good security tools if you value your data! Always use top antivirus applications that include anti-ransomware protection. Next, always have your data backed up, and not in the same network environment, as that is all under the control of your attacker. Use external facilities such as Acronis, Sophos and others. People always think others get attacked but not themselves. My advice is to invest in your company’s data safety and not to aim for cheap solutions.

Now to the question about encryption and decryption: understanding ransomware encryption!

HOW DID YOU GET INFECTED

One of the most common delivery systems is phishing spam — attachments that come to the victim in an email, masquerading as a file they should trust. Once they’re downloaded and opened, they can take over the victim’s computer, especially if they have built-in social engineering tools that trick users into granting administrative access. Some other, more aggressive forms of ransomware, like NotPetya, exploit security holes to infect computers without needing to trick users.


This article describes the available methods for decrypting your locked files and explains general encryption behaviour. I understand that in many cases decrypting a targeted computer or network is a fierce job, as most of us are inexperienced in these situations and even experts do not always have a fix for the target system. So it is nearly all bad news, but you may be able to decrypt your data when the attacker uses a known ransomware type! Local governments have created a repository of keys, applications and tools to help out.


Unfortunately, in many cases, once the ransomware has been released into your device there is little you can do unless you have a backup or security software in place.


The CryptoLocker Trojan is one of the most famous pieces of ransomware. It also uses a public-key algorithm. As each computer is infected it connects to the command-and-control server to download the public key. The private key is accessible only to the criminals who wrote the CryptoLocker software. Usually, the victim has no more than 72 hours to pay the ransom before their private key is deleted forever, and it is impossible to decrypt any files without this key.
Nevertheless, it is sometimes possible to help infected users regain access to their encrypted files or locked systems without having to pay. A repository of keys and applications that can decrypt data locked by different types of ransomware is available for free!

Ransomware types:

Now you may ask yourself: how do I know which type or tool is needed for my problem? You will be unable to figure out by yourself which tool might help in this situation, but there is a website that could be your ticket to ‘freedom’ again (

⛑ In order to research the encryption your attacker used, you need to upload an encrypted file to this website and have experts examine it in order to establish a solution (check the examiner link).


The attacker uses encryption to block access to your data, and only a valid decryption key can undo that encryption and restore access to your files. Encryption is the method by which information is converted into secret code that hides the information’s true meaning. The science of encrypting and decrypting information is called cryptography.

In computing, unencrypted data is also known as plaintext, and encrypted data is called ciphertext. The formulas used to encode and decode messages are called encryption algorithms, or ciphers.

To be effective, a cipher includes a variable as part of the algorithm. The variable, which is called a key, is what makes a cipher’s output unique. When an encrypted message is intercepted by an unauthorized entity, the intruder has to guess which cipher the sender used to encrypt the message, as well as what keys were used as variables. The time and difficulty of guessing this information is what makes encryption such a valuable security tool.
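Plaintext and ciphertext differ measurably: a good cipher’s output looks like uniformly random bytes, while documents and source code use a small, skewed set of byte values. The added example below (not code from the original article) uses that difference, Shannon entropy per byte, to triage which files in a tree have probably been encrypted, which is the first step before looking for a matching decryptor. The sample files are constructed inline; a deterministic SHA-256 chain stands in for ciphertext.

```python
import hashlib
import math
from collections import Counter

# Constructed sample "files": a repetitive plaintext document and a deterministic
# pseudo-random byte stream standing in for ciphertext (real AES output is
# statistically indistinguishable from random bytes).
SAMPLE_FILES = {
    "quarterly_report.txt": (
        b"Quarterly report: revenue grew 4% while operating costs stayed flat. "
        b"The board approved the backup and disaster-recovery budget for next year. "
    ) * 20,
    "quarterly_report.txt.locked": b"".join(
        hashlib.sha256(bytes([i])).digest() for i in range(128)  # 4096 bytes
    ),
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Flag content whose byte distribution is near-uniform, as ciphertext is.
    Compressed formats (zip, jpeg, mp4) also score high, so treat this as a
    triage signal to combine with rename/extension patterns, not a verdict."""
    return shannon_entropy(data) >= threshold


def triage(files: dict) -> dict:
    """Return {name: entropy} for every file flagged as probably encrypted."""
    return {name: round(shannon_entropy(data), 2)
            for name, data in files.items() if looks_encrypted(data)}


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:30s} entropy={shannon_entropy(data):.2f} "
              f"encrypted={looks_encrypted(data)}")
```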


At the beginning of the encryption process, the sender must decide what cipher will best disguise the meaning of the message and what variable to use as a key to make the encoded message unique. The most widely used types of ciphers fall into two categories: symmetric and asymmetric.

Symmetric ciphers, also referred to as secret key encryption, use a single key. The key is sometimes referred to as a shared secret because the sender or computing system doing the encryption must share the secret key with all entities authorized to decrypt the message. Symmetric key encryption is usually much faster than asymmetric encryption. The most widely used symmetric key cipher is the Advanced Encryption Standard (AES), which was designed to protect government-classified information.

Asymmetric ciphers, also known as public key encryption, use two different — but logically linked — keys. This type of cryptography often uses prime numbers to create keys, since it is computationally difficult to factor the product of two large prime numbers and so reverse-engineer the encryption. The Rivest-Shamir-Adleman (RSA) encryption algorithm is currently the most widely used public key algorithm. With RSA, the public or the private key can be used to encrypt a message; whichever key is not used for encryption becomes the decryption key.

Today, many cryptographic processes use a symmetric algorithm to encrypt data and an asymmetric algorithm to securely exchange the secret key. Encryption types used are:

  • Bring your own encryption (BYOE) is a cloud computing security model that enables cloud service customers to use their own encryption software and manage their own encryption keys. BYOE may also be referred to as bring your own key (BYOK). BYOE works by enabling customers to deploy a virtualized instance of their own encryption software alongside the business application they are hosting in the cloud.
  • Cloud storage encryption is a service offered by cloud storage providers whereby data or text is transformed using encryption algorithms and is then placed in cloud storage. Cloud encryption is almost identical to in-house encryption with one important difference: The cloud customer must take time to learn about the provider’s policies and procedures for encryption and encryption key management in order to match encryption with the level of sensitivity of the data being stored.
  • Column-level encryption is an approach to database encryption in which the information in every cell in a particular column has the same password for access, reading and writing purposes.
  • Deniable encryption is a type of cryptography that enables an encrypted text to be decrypted in two or more ways, depending on which decryption key is used. Deniable encryption is sometimes used for misinformation purposes when the sender anticipates, or even encourages, interception of a communication.
  • Encryption as a Service (EaaS) is a subscription model that enables cloud service customers to take advantage of the security that encryption offers. This approach provides customers who lack the resources to manage encryption themselves with a way to address regulatory compliance concerns and protect data in a multi-tenant environment. Cloud encryption offerings typically include full-disk encryption (FDE), database encryption or file encryption.
  • End-to-end encryption (E2EE) guarantees data being sent between two parties cannot be viewed by an attacker that intercepts the communication channel. Use of an encrypted communication circuit, as provided by Transport Layer Security (TLS) between web client and web server software, is not always enough to ensure E2EE; typically, the actual content being transmitted is encrypted by client software before being passed to a web client and decrypted only by the recipient. Messaging apps that provide E2EE include Facebook’s WhatsApp and Open Whisper Systems’ Signal. Facebook Messenger users may also get E2EE messaging with the Secret Conversations option.
  • Field-level encryption is the ability to encrypt data in specific fields on a webpage. Examples of fields that can be encrypted are credit card numbers, Social Security numbers, bank account numbers, health-related information, wages and financial data. Once a field is chosen, all the data in that field will automatically be encrypted.
  • FDE is encryption at the hardware level. FDE works by automatically converting data on a hard drive into a form that cannot be understood by anyone who doesn’t have the key to undo the conversion. Without the proper authentication key, even if the hard drive is removed and placed in another machine, the data remains inaccessible. FDE can be installed on a computing device at the time of manufacturing, or it can be added later on by installing a special software driver.
  • Homomorphic encryption is the conversion of data into ciphertext that can be analyzed and worked with as if it were still in its original form. This approach to encryption enables complex mathematical operations to be performed on encrypted data without compromising the encryption.
  • HTTPS enables website encryption by running HTTP over the TLS protocol. To enable a web server to encrypt all content that it sends, a public key certificate must be installed.
  • Link-level encryption encrypts data when it leaves the host, decrypts it at the next link, which may be a host or a relay point, and then reencrypts it before sending it to the next link. Each link may use a different key or even a different algorithm for data encryption, and the process is repeated until the data reaches the recipient.
  • Network-level encryption applies cryptoservices at the network transfer layer — above the data link level but below the application level. Network encryption is implemented through Internet Protocol Security (IPsec), a set of open Internet Engineering Task Force (IETF) standards that, when used in conjunction, create a framework for private communication over IP networks.
  • Quantum cryptography depends on the quantum mechanical properties of particles to protect data. In particular, the Heisenberg uncertainty principle posits that the two identifying properties of a particle — its location and its momentum — cannot be measured without changing the values of those properties. As a result, quantum-encoded data cannot be copied because any attempt to access the encoded data will change the data. Likewise, any attempt to copy or access the data will cause a change in the data, thus notifying the authorized parties to the encryption that an attack has occurred.


Hash functions provide another type of encryption. Hashing is the transformation of a string of characters into a fixed-length value or key that represents the original string. When data is protected by a cryptographic hash function, even the slightest change to the message can be detected because it will make a big change to the resulting hash. Hash functions are considered to be a type of one-way encryption because keys are not shared and the information required to reverse the encryption does not exist in the output. To be effective, a hash function should be computationally efficient (easy to calculate), deterministic (reliably produces the same result), preimage-resistant (the input cannot be recovered from the output) and collision-resistant (extremely unlikely that two different inputs produce the same result).

Popular hashing algorithms include the Secure Hashing Algorithm (SHA-2 and SHA-3) and Message Digest Algorithm 5 (MD5).
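The hash properties above are what make an integrity manifest work: a SHA-256 digest recorded when a backup was taken will not match once a file has been altered or encrypted. This added example (not from the original article) shows the avalanche effect on a one-character change and then verifies a constructed file tree against its manifest, reporting which files were modified, removed or newly appeared.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest as a hex string (FIPS 180-4 approved hash)."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(h1: str, h2: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ."""
    return bin(int(h1, 16) ^ int(h2, 16)).count("1")


def build_manifest(files: dict) -> dict:
    """Record name -> SHA-256 for every file at backup time."""
    return {name: sha256_hex(data) for name, data in files.items()}


def verify(manifest: dict, files: dict) -> dict:
    """Compare the current tree to the manifest.
    Returns name -> 'ok' | 'modified' | 'missing' | 'unexpected'."""
    report = {}
    for name, digest in manifest.items():
        if name not in files:
            report[name] = "missing"
        elif sha256_hex(files[name]) != digest:
            report[name] = "modified"
        else:
            report[name] = "ok"
    for name in files:
        if name not in manifest:
            report[name] = "unexpected"
    return report


# Constructed sample: the tree as backed up, then the same tree after one file
# changed by a single byte and a new file appeared.
BACKUP = {"invoice.docx": b"Invoice 2024-01 total 1200.00",
          "notes.txt": b"call supplier monday"}
CURRENT = {"invoice.docx": b"Invoice 2024-01 total 1200.01",
           "notes.txt": b"call supplier monday",
           "new_file.txt": b"this was not in the backup"}

if __name__ == "__main__":
    a, b = sha256_hex(b"abc"), sha256_hex(b"abd")
    print(f"one-char change flips {differing_bits(a, b)} of 256 bits")
    for name, status in verify(build_manifest(BACKUP), CURRENT).items():
        print(f"{name:14s} {status}")
```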


Encryption vs decryption

Encryption, which encodes and disguises the message’s content, is performed by the message sender. Decryption, which is the process of decoding an obscured message, is carried out by the message receiver. The security provided by encryption is directly tied to the type of cipher used to encrypt the data and to the strength of the decryption keys required to return ciphertext to plaintext. In the United States, cryptographic algorithms approved by the Federal Information Processing Standards (FIPS) or the National Institute of Standards and Technology (NIST) should be used whenever cryptographic services are required.


  • AES is a symmetric block cipher chosen by the U.S. government to protect classified information; it is implemented in software and hardware throughout the world to encrypt sensitive data. NIST started development of AES in 1997 when it announced the need for a successor algorithm for the Data Encryption Standard (DES), which was starting to become vulnerable to brute-force attacks.
  • DES is an outdated symmetric key method of data encryption. DES works by using the same key to encrypt and decrypt a message, so both the sender and the receiver must know and use the same private key. DES has been superseded by the more secure AES algorithm.
  • Diffie-Hellman key exchange, also called exponential key exchange, is a method of digital encryption that uses numbers raised to specific powers to produce decryption keys on the basis of components that are never directly transmitted, making the task of a would-be code breaker mathematically overwhelming.
  • Elliptic curve cryptography (ECC) uses algebraic functions to generate security between key pairs. The resulting cryptographic algorithms can be faster and more efficient and can produce comparable levels of security with shorter cryptographic keys. This makes ECC algorithms a good choice for internet of things (IoT) devices and other products with limited computing resources.
  • Quantum key distribution (QKD) is a proposed method for encrypted messaging by which encryption keys are generated using a pair of entangled photons that are then transmitted separately to the message. Quantum entanglement enables the sender and receiver to know whether the encryption key has been intercepted or changed before the transmission even arrives. This is because, in the quantum realm, the very act of observing the transmitted information changes it. Once it has been determined that the encryption is secure and has not been intercepted, permission is given to transmit the encrypted message over a public internet channel.

(source: tech)
