Can encryption key be reverse engineered?


I have been infected with ransomware.  The PC has been cleaned now, from a backup image, but has encrypted many data files with .tisc extension.

For about 60% of the data I have backups so can recover that easily but the other 40% is not backed up.

Is it possible to use a good file (from backup) and its encrypted version to deduce what the encryption program did and therefore the key it used by comparing the two files?

With a few samples like this can a program be written that decrypts the files? 

So if i see that every 'E' has become  ascii character 'x' (or hex etc) for example then can a program be written to change every 'x' back to an 'E' etc. effectively reverse engineering the key?


Hi

You have been attacked by the STOP ransomware, which has been spreading for 4 years.
The new variant uses the .tisc extension, which it appends to the encrypted files.

If you read the Guide and run the Emsisoft Decryptor, it will report the result of the check to you.

Files can only be decrypted if an offline ID was used for the encryption.
This will become possible when the decryption key for this variant is added to the Emsisoft Decryptor.
This will become possible when someone buys the key and shares it with the developer of the Emsisoft Decryptor.
There is no other way to decrypt the files.


Why did this happen?

This 'STOP Ransomware' enters the PC because the computer is poorly protected. People often use free antivirus programs with the 'Free' label in the name. None of these programs will protect the PC from programs similar to 'STOP Ransomware', because basic protection is not capable of this feat.
If users used comprehensive protection of the 'Internet Security' class, it would help protect the PC from ransomware attacks.

There is no 100% protection against malware, but what a 'Free' antivirus gives is 1-2 percent protection.

After this attack, other malware components may have remained on the PC. This may be an info-stealer or something else. Therefore, it is urgent to conduct a full check and destroy the malware.

Use comprehensive anti-virus software such as Emsisoft Anti-Malware to effectively remove the malware.
You can get a free trial 30-days version of Emsisoft Anti-Malware here: https://www.emsisoft.com/en/home/antimalware/

It will help you clean your PC from other malware for free.

!!! You need to neutralize all malicious files in the system. This should be done as quickly as possible. Otherwise, the files may be encrypted using the online ID and decryption will never be possible.


Only after neutralizing all malicious files ...

I recommend the following method only when there is no other way...

You don't need to resort to it until you have tried the Emsisoft Decryptor. Depending on the result of the check, you can wait for a new version with a decryption key or proceed to the next method.

---

This is not decryption; it is the recovery of certain types of files using the characteristics of those files.

1) If you have encrypted ZIP/RAR archives, you can partially recover them. Only 1-2 files inside are damaged. Remove the extension that the ransomware added to the archives and extract the files in the usual way. Everything except 1-2 files will be recovered. If there is only 1 file in the archive, it will most likely be unrecoverable.

2) There is an alternative (additional) way to recover some media files:
WAV, MP3, MP4, M4V, MOV, 3GP.

https://www.disktuna.com/media_repair-file-repair-for-stop-djvu-mp3-mp4-3gp

But before trying the alternative method with media files, it is recommended that you make a copy of the encrypted files. Some things will be restored better, some worse.

Some types of files can be opened (restored) using the application in which they were created. To do this, first remove the extension added by the ransomware. Then you can try to open the file from the program in which it was created. If you open audio and video files in an editor, it will restore the structure, and on closing it will offer to save the changes to the file.

3) If you have PDFs or other e-book files, they may be only partly affected if they were not protected from manual modification. Therefore, after removing the added extension, they can be partially read (~80%).

Unfortunately, it is not yet possible to recover files created in MS Office applications because of their sensitivity to any damage. They can easily be damaged even without encryption. It is easier to recover and read text written on paper or on stone than text created in MS Office.

An alternative method for other files has not yet been found.

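Why the ZIP step in point 1 above works, and how to salvage the intact members of such an archive programmatically, as an added example that is not from the post and is not an Emsisoft tool. The post does not say how much of each archive is damaged; the block assumes, for illustration only, that the encryptor overwrote a fixed-size prefix of the file. ZIP readers locate members through the central directory stored at the end of the archive, so an archive whose first bytes are damaged still opens, and only the members whose local header or data sit in the damaged region fail. A tiny single-member archive is shorter than the damaged prefix, so nothing survives, which matches the post's remark about one-file archives. The archives, member names and the damage pattern are all constructed in the block.

```python
import io
import zipfile
import zlib
from typing import Dict, Optional


def build_archive(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP, stored (uncompressed) so the byte layout is
    predictable. Constructed test data, not a real victim file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def damage_prefix(blob: bytes, length: int) -> bytes:
    """Simulate an encryptor that overwrites only the first `length` bytes.
    (Assumption for illustration; the thread does not state the real extent.)"""
    length = min(length, len(blob))
    return b"\xff" * length + blob[length:]


def salvage(blob: bytes) -> Optional[Dict[str, Optional[bytes]]]:
    """Read every member independently instead of aborting on the first error.
    Returns None if the archive cannot be opened at all (the central directory
    or end-of-central-directory record is gone); otherwise name -> data, with
    None for members whose local header or data lie in the damaged region."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return None
    out: Dict[str, Optional[bytes]] = {}
    with zf:
        for info in zf.infolist():
            try:
                out[info.filename] = zf.read(info)  # verifies local header signature and CRC-32
            except (zipfile.BadZipFile, zlib.error, EOFError, OSError):
                out[info.filename] = None
    return out


DAMAGE = 150  # constructed: size of the overwritten prefix used in both demos


def demo_multi_member() -> Optional[Dict[str, Optional[bytes]]]:
    """Three stored members: the prefix hits only a.txt (header at offset 0)."""
    archive = build_archive({"a.txt": b"A" * 2000, "b.txt": b"B" * 2000, "c.txt": b"C" * 2000})
    return salvage(damage_prefix(archive, DAMAGE))


def demo_single_member() -> Optional[Dict[str, Optional[bytes]]]:
    """One tiny member: the whole archive is shorter than the prefix, so even
    the end-of-central-directory record is destroyed."""
    archive = build_archive({"only.txt": b"tiny"})
    return salvage(damage_prefix(archive, DAMAGE))


if __name__ == "__main__":
    for name, data in (demo_multi_member() or {}).items():
        print(name, "lost" if data is None else f"{len(data)} bytes recovered")
    print("single-member archive:", "unrecoverable" if demo_single_member() is None else "opened")
```

On a real archive, point `salvage` at the bytes of the file after renaming it to drop the ransomware extension; any member reported as None is the "1-2 files" the post says to expect, and those are unrecoverable by this route because their bytes, not just their index, were overwritten.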

Hi Amigo-A, thanks for replying. 

I have both good and bad copies of the same files. Can I forget about trying to recreate the key and just focus on figuring out what the encryption algorithm does? Do these algorithms typically follow a few rules that can be derived by comparing files? In principle, if I have a good file with all possible hex values in it and expose it to the virus, then afterwards, when comparing the now encrypted file to the decrypted version, could I say that for each hex character it changes it to whatever, so that regardless of rules I know that whenever I see a hex AA then I should change it back to a hex BB, as an example?

I suppose that if my bait file had every hex character in there at least 3 times, and if afterwards each was changed consistently, then I should be able to change the file back. However, if the virus encrypts each instance of a hex character differently, then that would make figuring out its rules much harder.

regards


The answers are the same as you were given here

https://www.bleepingcomputer.com/forums/t/759380/can-encryption-key-be-reverse-engineered/

Specifically this comment from Fabian Wosar:

Emsisoft's CTO, Fabian Wosar concluded: "Since emerging in 2016, Dharma has been reverse engineered to death by the entire malware research community. If a flaw existed that enabled the encryption to be broken, it would almost certainly have been discovered a long time ago. To break Dharma within any of our lifetimes without having discovered a flaw would require access to a quantum computer that is capable of running Shor's algorithm. The highest number ever factorized using said algorithm and quantum computers is 21, which is just short of the 307 digits that would be required to break Dharma."


15 minutes ago, stapp said:

The answers are the same as you were given here

https://www.bleepingcomputer.com/forums/t/759380/can-encryption-key-be-reverse-engineered/

Specifically this comment from Fabian Wosar

Well, just how sophisticated are the algorithms used by the viruses? I'm thinking that the virus would have to treat each hex character more or less the same, assuming it's using 1 key. So it takes a hex character (or characters) and puts it through its algorithm & encryption key to give a result. But if it then comes across that same set of characters again later in the target file, then the algorithm + key should give the same result. It can't have a random number seed or time value, as otherwise that needs to be recorded for decrypting as well, or else decrypting becomes too difficult. Consequently, comparing a few good files (from backup) with a few bad files (the same files, of course) should reveal some aspects of the algorithm rule used, which may assist in retrieving data.

Incidentally, if I know how (& where) I got the virus, should I publish that or tell someone? I also have the downloaded zip file that contains the virus exe.


It is unlikely that I can give a short, unambiguous answer. 
This ransomware uses a simple encryption implementation.
But online key generation sweeps away all attempts to calculate the key and decrypt files in the coming years of human life.


Just now, Amigo-A said:

It is unlikely that I can give a short, unambiguous answer. 
This ransomware uses a simple encryption implementation.
But online key generation sweeps away all attempts to calculate the key and decrypt files in the coming years of human life.

It's not about calculating the key; it's about bypassing it altogether and figuring out the rules the algorithm uses, possibly. Let me make it simpler:

If file 'A' exists in 2 different directories and they are identical files, i.e. copies or duplicates of each other (name, dates, contents etc.), then when the encryption virus runs through those 2 directories, would those 2 files end up being encrypted in exactly the same way? I.e. would they still be copies of each other, just encrypted now of course, so that when viewed with a hex editor the 2 encrypted files would be seen to be identical, i.e. identically encrypted?


Identically encrypted files located in different directories, but which were initially copies of each other?
They will not be encrypted identically.

The Decryptor developer can tell you more.


44 minutes ago, Amigo-A said:

Identically encrypted files located in different directories, but which were initially copies of each other?
They will not be encrypted identically.

The Decryptor developer can tell you more.

OK, if 2 identical files in different directories are not encrypted the same, then that does change things; it makes it much harder. Thanks.

So, if I know how (& where) I got the virus, should I publish that or tell someone? I also have the downloaded zip file that contains the virus exe.


I'm no IT expert, but I read on the BC forum that a guy was able to recover 50% of his data using header bytes from a decrypted file on encrypted files. Not sure what you guys have been talking about; just wanted to put the info here.


I've noticed that at the very end of my encrypted files there is always this string '9lyMI9DR16ACIMHpqdX5A6dGT7Ez05g7JSKtgFFo{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}'. The 1st part is the majority of the 'online ID' my ransomware readme.txt note told me about, but what is the string in the {}? Does anyone know? That string is consistent across files too. Could it be the decrypt key?


7 hours ago, Kevin Zoll said:

@Kokiem,

That technique is discussed in this pinned topic About the STOP/Djvu Decrypter

Hi, thanks a lot for that link.  The part that reads

"File pairs only work for one type of file. Due to the way encryption works in STOP/Djvu, file pairs can only help the decryption service figure out how to decrypt one type of file. For instance, if you submit a file pair for an MP3 file, then the decrypter will be able to decrypt all of your other MP3 files, however it won't be able to decrypt any other type of file. There are some exceptions to this, such as certain newer Microsoft Office documents (such as DOCX and XLSX) since those files are technically ZIP archives."  

That's what I've been asking about, and everyone else here and on the other website's forum is saying it can't be done, but clearly it can, at least enough times to make it a viable option to try. So is there a URL I can upload the file pairs to and have them decrypted please, even if it takes a while?

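Three questions run through this thread: whether a bait file with every byte value would yield a substitution table (the "every 'E' becomes 'x'" idea), whether two identical copies of a file come out identically encrypted (answered above: they will not), and why a good/encrypted file pair can help a decryption service at all. The block below is an added illustration, not the ransomware's code and not Emsisoft's tooling; the thread never describes STOP/Djvu's actual cipher, so it uses a toy stream cipher (SHA-256 in counter mode, standing in for a real keystream generator) with a constructed key, constructed per-file nonces and constructed plaintexts. It shows that a keystream cipher is not a byte substitution, that the same plaintext under a different nonce gives a different ciphertext, and that a known pair reveals keystream bytes rather than the key, usable only on data encrypted under the same key and nonce and only as far as the known plaintext reaches. The function and variable names are the example's own.

```python
import hashlib
from typing import Dict


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks, concatenated.
    A stand-in for a real stream cipher; NOT Salsa20/ChaCha20 and not the
    ransomware's algorithm (the thread does not describe it)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream(key, nonce)."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def is_byte_substitution(plaintext: bytes, ciphertext: bytes) -> bool:
    """The poster's hypothesis: every occurrence of a plaintext byte maps to the
    same ciphertext byte, so one 256-entry table would reverse the encryption."""
    table: Dict[int, int] = {}
    for p, c in zip(plaintext, ciphertext):
        if table.setdefault(p, c) != c:
            return False
    return True


def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """A file pair reveals keystream bytes, not the key: ks = P XOR C."""
    return xor_bytes(known_plain, known_cipher)


def decrypt_prefix(ks: bytes, other_cipher: bytes) -> bytes:
    """Apply recovered keystream to another file. Correct only if that file was
    encrypted under the same key AND nonce, and only for the positions covered."""
    n = min(len(ks), len(other_cipher))
    return xor_bytes(other_cipher[:n], ks[:n])


def demo() -> Dict[str, bool]:
    key = hashlib.sha256(b"constructed demo key").digest()  # fixed so runs are reproducible
    nonce1, nonce2 = b"\x00" * 8, b"\x01" * 8               # constructed per-file nonces
    doc = b"E" * 64 + b"Constructed plaintext document, repeated. " * 4
    other = b"Z" * 200                                       # a second file under the same key

    ct1 = encrypt(key, nonce1, doc)
    ct2 = encrypt(key, nonce2, doc)  # identical copy, different nonce
    ks = recover_keystream(doc[:64], ct1[:64])  # pretend only the first 64 bytes are known

    return {
        # same key+nonce: output repeats (this is what the poster expected everywhere)
        "deterministic_with_same_nonce": encrypt(key, nonce1, doc) == ct1,
        # fresh nonce per file: two identical copies differ on disk
        "copies_differ_with_different_nonces": ct1 != ct2,
        # 64 identical 'E' bytes do not encrypt to 64 identical bytes
        "byte_substitution": is_byte_substitution(doc, ct1),
        # the pair gives exactly the keystream prefix, never the key
        "keystream_recovered": ks == keystream(key, nonce1, 64),
        # works on another file only under the same key and nonce, and only 64 bytes deep
        "same_nonce_prefix_recovered": decrypt_prefix(ks, encrypt(key, nonce1, other)) == other[:64],
        "different_nonce_prefix_recovered": decrypt_prefix(ks, encrypt(key, nonce2, other)) == other[:64],
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The pinned-topic text quoted above says that in STOP/Djvu a file pair only helps with other files of the same type, and a later reply narrows this to the original variant released before 29 August 2019; the block does not model why that is, only the general shape of the attack: a known-plaintext pair exposes keystream, and keystream is reusable exactly where the same key and nonce material were reused. Wherever the encryptor varies that material per file, the pair recovers nothing else, which is the point Amigo-A makes about online key generation.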

Are there any ways to recover/repair files that can't be decrypted? In most cases this is not possible, however there is a tool called DiskTuna that can help repair some videos that have been encrypted. This tool was made by a third-party, and they are not affiliated with us, however one of our developers has verified that it does work in at least some cases. You can find more information at this link.

@Cyberguy You completely missed what @Kokiem was referring to.

We are the only company that provides a decryption tool for STOP(DJVU) and the only company that has a service that calculates the decryption keys for the original variant of STOP(DJVU) using file pairs.

The link to the "file pair" submission form is at the top of the pinned topic. About the STOP/Djvu Decrypter


7 hours ago, ShadowPuterDude said:

I never implied he could use the file submission form to recover his files.  I clearly state that file pairs only work with the original STOP(DJVU) variant, every variant released since 29 August 2019 cannot be recovered using this method.

In your 1st post you just posted the link to the pinned topic, and that pinned topic says nothing about it only applying to the 'original' version, hence my assumption that the paragraph I highlighted applied in my case. So while you didn't imply it directly, it was certainly possible for a person to reasonably conclude that it did, as the pinned post itself did not make that distinction (it should be updated to make that distinction clear).

In your 2nd post you then made the distinction between the original variant and subsequent versions, a subsequent version being what had infected my computer.

@cybermetric has understood this to also be the case hence his comment which correctly states the current situation.


Your files cannot be decrypted without the private encryption key. You have been told that numerous times. If you interpreted "Original" to be anything other than the original variant of STOP(DJVU), that is not my doing. Continue to clutter this forum with your posts seeking a solution that does not exist, and I will suspend your posting privileges. That pinned post exists for a reason, and if you take the time to read it, and not skim it, the answers you have been seeking are in that pinned post.

This topic is now closed to further replies.