When a ransomware attacker isn’t up to snuff- a rookie mistake shows hackers aren’t all geniuses

For more than two decades, ransomware attacks have been the bane of corporate IT managers and their CEOs, and a source of much research for cybersecurity professionals. An underground market for hacking and encryption tools has helped such incursions proliferate, but thankfully a recent case shows what we can learn when attackers don’t know what they’re doing. 

Unlike other cyber nuisances, such as viruses, which replicate and cause mayhem, or denial of service attacks, which bring networks to a grinding halt, ransomware is almost impossible to unwind once it’s been deployed successfully. That’s because they use encryption to lock up the files, with a secret decryption key being the only route out. 

Rather than try to undo this encryption, most victims just write off the files and restore their systems using backups. This can take days or weeks, assuming the target has good data practices, while still costing millions of dollars. It may be impossible if secure backups don’t exist. And that’s what ransomware attackers are betting on: the losses from restoring systems are so high that a target is willing to pay to get a copy of the digital key, which can decrypt the files and restore everything to normal. 

But what hackers don’t bet on is savvy cybersecurity professionals coming across rookie mistakes in the malware code that lets them reverse the encryption without paying a dime to the assailant.

A group at International Business Machines Corp.’s X-Force team did just that. Taipei-based CyCraft Corp. also managed to find the flaws and offered decryption tools for free.

In an article on IBM’s Security Intelligence website, and a recent presentation at the RSA Security Conference, the researchers outlined how they spotted an error within the code of the Thanos family of ransomware. Prometheus, a variant of Thanos, is believed to have struck at least 30 victims in industries including manufacturing, logistics and finance.

It all centers around randomness. This quality is one of the most important aspects of good encryption because encryption-decryption keys — they usually come as a mathematically linked pair — rely on being almost impossible to guess. And because these digital passwords are so long, a brute-force attack — scrolling through each possible combination to find the one that works — is infeasible.

Unfortunately, machines are terrible at randomness, it’s against their nature. (Computers are incredibly predictable: The same inputs put through the same system will always return the same result.) So to create randomly generated keys, computer scientists have developed pseudorandom number generators that mimic true randomness.(5) When used correctly, these software tools can do a very good job of creating passwords and encryption keys that are hard to crack.

But the writers of Thanos didn’t use those tools properly. Instead, they hard-coded one part of the process, and used the very predictable clock time of the victim computer for another.

Researchers uncovered that first part (it was a sequence of numbers counting from one to eight), and merely had to find how long the computer had been running before the malware was deployed.(4) It took a bit more sleuthing and some hit and miss, but eventually they could make educated guesses. From there, it was just a matter of plugging the numbers together to see if they could create a cryptographic key which would match. And they did. As a result, the malware’s super secret key wasn’t as hard to guess as its developers thought.

Beyond just outlining some clever investigative work by the cyber-intelligence community, the case of Thanos’s faulty encryption reveals a lot about modern hacking. First, as researchers well know, a lot of this malicious software is recycled among a vast community of would-be attackers, many of whom don’t really understand the tools they’re using.  In addition, the people who hack into computer systems and those who write the malware tools — often distinct groups — aren’t always experts in their fields. Using a hard-coded initialization vector is a pretty basic mistake. This means that flaws are often repeated, and offer researchers the kind of digital fingerprints they need to track and defend against growing threats.

As ransomware attacks grow in size and scale, it may be at least some consolation to know that not all hackers are geniuses.

Tim Culpan is a Bloomberg Opinion columnist covering technology in Asia. Previously, he was a technology reporter for Bloomberg News.