This blog is part of our live coverage from RSA Conference 2022:
Prometheus—a ransomware build based on Thanos that locked up victims’ computers in the summer of 2021—included a major “vulnerability” that led security researchers at IBM to try and build a one-size-fits-all ransomware decryptor that could work against multiple ransomware variants, including Prometheus, AtomSilo, LockFile, Bandana, Chaos, and PartyTicket.
Though the IBM researchers managed to undo the work of multiple ransomware variants, the panacea dream decryptor never materialized.
IBM global head of threat intelligence Andy Piazza said that the team’s efforts revealed that even though some ransomware families can be reverse-engineered to develop a decryption tool, no company should rely on decryption itself as a response to a ransomware attack.
“Hope is not a strategy,” Piazza said at RSA Conference 2022, held in San Francisco in person for the first time in two years.
IBM security research Aaron Gdanski, who was aided by security researcher Anne Jobman, said his interest in building a Prometheus decryption tool began after one of IBM Security’s clients was hit with the ransomware. He began by trying to understand the ransomware’s behavior: Did it persist in the environment? Did it upload files anywhere? And how, specifically, did it generate the keys that were used to encrypt files?
By using the DS-5 debugger and disassembler, Gdanski found that Prometheus’ encryption algorithm relied on both “a hardcoded initialization vector which did not change between samples” and the uptime of the computer. Gdanski also learned that Prometheus created its seeds by relying on a random number generator that, by default, used Environment.TickCount.
These discoveries revealed a key vulnerability in Prometheus, Gdanski said. If he could find when Prometheus encrypted files on the system, he could then likely generate the same seed that Prometheus used for that decryption.
“If I could obtain the seed at the time of encryption, I could use the same algorithm Prometheus did to regenerate the key it uses,” Gdanski said.
Equipped with the boot time on an affected machine and the recorded timestamp on an encrypted file, Gdanski then had a starting point to narrow down his work. After some additional calculations, Gdanski generated a seed from Prometheus and he tested it on portions of encrypted files.
With some fine-tuning, Gdanski’s work paid off.
Gdanski also learned, though, that the seed changed depending on the time when a file was encrypted. That meant that one single decryption key would not work, but by sorting the encrypted files by the last write time on the machine, he was able to slowly build a series of seeds that could be used for decryption.
The success, Gdanski said, could be applied to other ransomware families that similarly relied on flawed random number generators.
“Any time a non-cryptographically secure random number generator is used, you’re probably able to recreate a key,” Gdanski said.
But Gdanski emphasized that this flaw is rare from what he’s seen. As Piazza reiterated, the best defense to ransomware isn’t hoping that the ransomware involved in an attack has a sloppy implementation—it’s preventing a ransomware attack before it happens.
For the latest on current ransomware activity, read our May ransomware review here. You can also read about some lessons from the real-life ransomware attack on Northshore School District here.