A Close Look at Ransomware by the Example of Vipasana
Part I: The Specifics of the Ransomware Vipasana and Why it Cannot be Decrypted
Ransomware has been around for a couple of years now. Yet it is everything but declining and reached an infamous peak in February this year, when many hospitals had been shut down by ransomware. The business model is just too appealing: Once the malware gets executed, it encrypts all your important files, just to emerge from the dark deeps of your system afterwards, to present you a ransom note. Now you have a tough choice to make: Pay the blackmailers between a few hundred and a few thousand dollars to have them decrypt your files, or accept that you will never see them again. Think about how important some documents on your machine are: Business documents, or irreplaceable pictures from your last vacation with your significant other, just to name a few examples. Then you understand why ransomware is the stuff that can give you nightmares.
Did I mention that there is no guarantee that your files are unlocked after you paid the ransom?
So what to do. Obviously, paying criminals is not the way to diminish the overall problem, even though the FBI seems to recommend paying the ransom from time to time – due to a lack of other solutions. One option is to wait for some security specialists to go to battle against the malware, dissect it, break it and publish a free decryption tool for it. This has actually happened rather often in the past.
Yet there is a core of crypto malware which just seems to resist all attempts to break it. At least, nobody seems to be able to publish a decryption tool for it. Which raises the question: Is it really as secure as it seems or is there always a way to recover your files once they are encrypted by the virus?
With this question in mind we have decided to analyze one exemplary specimen of ransomware. In the first part of a two parted series we will take a closer look at the specifics of the ransomware Vipasana.
A Crypto Virus Called Vipasana
The virus we have chosen for our analysis is the – supposedly Russian – crypto virus Vipasana. Our version has the MD5 hash 2aea3b217e6a3d08ef684594192cafc8. It has been around since at least the 20th of December 2015 and has first been described in Blaze’s Security Blog. The name originates from the earliest versions, which contained the email address email@example.com as first point of contact with the extortionists in the ransom note.
One property that jumped out at our analysis was the fact that Vipasana does not require an internet connection to do its misdeeds. This has been an innovation, since previous ransomware strategies pretty much worked like this:
- The ransomware creates an RSA key pair, encrypt your files with the public key – generally done in a hybrid approach by mixing symmetric and asymmetric encryption
- It sends the private key required for decryption to the server of the extortionist
- It gives this key back after the ransom is paid – or not, depending on the criminal
Vipasana itself comes with a public key already built-in. The private key required for decryption does not even get on your machine (and for encryption, it doesn’t need to be, either). That means that the virus doesn’t need to send anything over the network. The extortionist, of course, still holds all information necessary to unlock your files again. We’ll analyze the exact encryption technique of Vipasana in a bit.
What Happens When the Ransomware Starts its Work on Your Machine
The first time you will notice that something is wrong, is when your desktop background suddenly changes and you see this interesting and messy collage of a new background image with a warning in green font, and an email address.
By the time you see this image, your data has already been encrypted by Vipasana. Further down, the text on the background image states that all the “funds”, aka the extorted money, will be invested in the environment, but one might be very skeptical about the truth of that promise.
However, the virus makes two things very clear: One, you cannot access your files anymore. Two, you are supposed to write an email to firstname.lastname@example.org. Your system is pretty much paved with this address – even your old files are now decorated with it.
Our copy of the virus encrypts all files that have one the following extensions:
.r3d, .rwl, .rx2, .p12, .sbs, .sldasm, .wps, .sldprt, .odc, .odb, .old, .nbd, .nx1, .nrw, .orf, .ppt, .mov, .mpeg, .csv, .mdb, .cer, .arj, .ods, .mkv, .avi, .odt, .pdf, .docx, .gzip, .m2v, .cpt, .raw, .cdr, .cdx, .1cd, .3gp, .7z, .rar, .db3, .zip, .xlsx, .xls, .rtf, .doc, .jpeg, .jpg, .psd, .ert, .bak, .xml, .cf, .mdf, .fil, .spr, .accdb, .abf, .a3d, .asm, .fbx, .fbw, .fbk, .bdb, .fbf, .max, .m3d, .dbf, .ldf, .keystore, .iv2i, .gbk, .gho, .sn1, .sna, .spf, .sr2, .srf, .srw, .tis, .tbl, .x3f, .ods, .pef, .pptm, .txt, .pst, .ptx, .pz3, .mp3, .odp, .qic, .wps
To not draw any attention to itself while going after its unwanted business, files on the desktop are not encrypted.
The encryption algorithm
Vipasana is interesting not only because of the fact that it doesn’t require an internet connection to run. As it turns out, it does also roll its own cryptographic algorithm, which proves earlier assumptions about the virus using AES wrong.
The following graphic shows a short overview of the Vipasana encryption algorithm.
The algorithm is a so-called stream cipher. A stream cipher works by first generating a stream of bytes, as long as the plaintext message to encrypt, and then combining this stream of bytes byte-for-byte with the plaintext message. This stream of bytes is called the keystream.
You can see the generation of the keystream in the upper right part of the diagram. First, we have a big block of random characters, 2048 to be exact, in the file. We also do have a list of 512 positions in the same file. Next, we use those 512 positions to choose 512 characters from the 2048 byte long block. What we have then is an internal state for the custom PRNG (PRNG stands for Pseudo Random Number Generator). The way this PRNG works is that it uses and manipulates the internal state during the generation of random bytes. If we start the PRNG with the same internal state, the PRNG will always generate the same bytes as a result. And the result of this operation is the keystream of the Vipasana stream cipher.
You see, if we know the state block source (which is the same for every encrypted file, by the way) together with the state block positions, we can calculate the internal state and reproduce the keystream again. Unfortunately, the state block source is itself encrypted with RSA, with the private key required for decryption in possession of the extortionist. So only he can recalculate the keystream.
Now, the bytes of the keystream are combined with the bytes of the plaintext file. The way this is done is as follows: There is an additional block of 20 characters (all numbers) in the file. For every byte of the plaintext file and the keystream, the next character of this additional block decides how they are combined.
Here is an example:
Obviously the calculation is done with bytes instead of integers, and there are 10 instead of only 2 algorithms. But as an example, this is sufficient. You see, each keystream byte is combined with a plaintext byte, depending on the global algo key.
The global algo key itself is the same for every file, as well. Unfortunately, it is also protected with RSA and therefore, we cannot recalculate it.
The fact that the state block source and the global algo key are encrypted with RSA makes it very hard to create a decryption tool for this type of ransomware, or in other words, to break the encryption. In the second part of this series, I take a look at why the encryption is still not secure enough to use it for an encryption solution. I discuss methods how you can protect yourself from ransomware, and what role Boxcryptor can play in that. Additionally, I released the reversed PRNG and the Vipasana stream cipher algorithm on GitHub. Read part II here.