
I read this answer (Ransomware encryption keys) and understood how WannaCry works. But I still have a question: as I understand it, the hacker puts the hacker's RSA public key in the malware, the victim machine randomly generates an AES key, and after encryption is complete the malware encrypts the AES key with the hacker's RSA public key and saves it on the victim's computer; when the victim buys the key, the hacker asks them to send the encrypted AES key file to him, and he then decrypts it and sends it back (https://qr.ae/pskG5A).

But when reading analysis articles about WannaCry, I see that both the hacker and the victim must each generate a pair of keys: the victim's private key encrypts the AES key, and then the hacker's public key encrypts the victim's private key. Why waste time generating an additional key pair on the client? What is the effect of creating a new RSA key pair on the machine being infected?

1 Answer


Your description isn't accurate. WannaCry generates a unique AES key per file and encrypts each file with the corresponding key. Encrypting those AES keys with the WannaCry public key is technically possible, but then each victim would have to send all AES keys to the perpetrators for decryption. This isn't very practical. Instead, WannaCry generates a per-infection key pair on the victim's device, encrypts all AES keys with the public key and encrypts the private key with the WannaCry public key. Now the victim only has to send the encrypted private key to the perpetrators. Once this key is decrypted, all AES keys and then the corresponding files can be decrypted.

Instead of using a per-infection key pair, WannaCry could also create a single AES key and use it as a Key Encryption Key (KEK) for the file keys. However, this would require the KEK to be in RAM during the entire file encryption process, increasing the chance of leaking it. It's possible that the WannaCry authors tried to avoid this by using asymmetric cryptography where the public key (for encryption) doesn't have to be kept secret.

  • Thank you. After seeing your answer I went to find the repo that replicates WannaCry and learned more about how the encrypted AES keys are saved; it seems that recent ransomware encrypts each file with a corresponding key. But I'm still worried about the AES key being stored in memory after reading cs.utep.edu/CFIA/files/outreach/WannaCryKeyRecovery/… and diyinfosec.medium.com/scanning-memory-for-fek-e17ca3db09c9. If I clear and flush every time I use important variables such as keys or private keys, is it possible to recover them?
    – Thanh
    Commented Apr 20 at 6:21
  • I'm not sure what you're asking. Are you interested in how you – as a (hypothetical) victim – could extract the keys from RAM? Or are you trying to “improve” WannaCry and prevent the keys from getting leaked?
    – Ja1024
    Commented Apr 20 at 9:43
  • I'm just curious. I'm also learning about LockBit 3.0; its encryption process is similar to WannaCry's, but does it have any improvements so that it cannot be decrypted like WannaCry?
    – Thanh
    Commented Apr 20 at 10:37
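The memory-recovery concern raised in the comments (the WannaCryKeyRecovery work) can be shown end to end. The following is an added example, not code from the post or from any WannaCry recovery tool: it builds a toy 256-bit RSA key, plants its two primes in a constructed byte buffer that stands in for a process memory dump (stored little-endian, an assumption matching Windows CryptoAPI key blobs), then scans the buffer for any window whose value divides the public modulus and rebuilds the private exponent from it. All function names are hypothetical.

```python
import math
import random

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; callers pass odd n > 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if is_probable_prime(cand):
            return cand

def make_toy_keypair(bits=128, e=65537):
    """Toy RSA key (p, q, n, e); a real victim only knows (n, e) from the key file."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return p, q, p * q, e

def build_dump(p, q, byte_len):
    """Constructed 'memory dump': random filler around the little-endian primes."""
    filler = [bytes(random.getrandbits(8) for _ in range(k)) for k in (300, 500, 200)]
    return filler[0] + p.to_bytes(byte_len, "little") + filler[1] + q.to_bytes(byte_len, "little") + filler[2]

def scan_for_factor(dump, n, byte_len):
    """Slide a window over the dump; a little-endian value dividing n is a prime factor."""
    for off in range(len(dump) - byte_len + 1):
        cand = int.from_bytes(dump[off:off + byte_len], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None

def recover_private_exponent(dump, n, e, byte_len):
    # One prime is enough: q = n // p, then d = e^-1 mod (p-1)(q-1).
    p = scan_for_factor(dump, n, byte_len)
    return None if p is None else pow(e, -1, (p - 1) * (n // p - 1))
```

A real dump is scanned the same way against the modulus from the victim's public key file; key sizes and offsets differ, but the divisibility test is the whole trick, which is why zeroing key material as soon as it is no longer needed matters.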

