I don't believe these people are 'cracking the encryption'.
Any virus writer is going to know how to use public-private crypto to encrypt the files in a non-reversible way. Only an amateur would use a basic XOR key or reversible encryption with the key embedded in the binary.
Another commenter suggested the C&C server gets broken into. I doubt that too, since the criminals' private key can sit entirely offline - all they have to do is periodically check for cryptocurrency payments and then publish the keys for the users who have paid to somewhere like pastebin, IPFS, etc. No real way to track the computer doing that, let alone break into it.
There are certainly criminals who know what they're doing, but there are also plenty of them that don't.
Also, the C&C kind of does need to be online because it needs to hand out keys to paying "customers" instantly. I mean, it doesn't have to be, but not doing it is probably worse for business than losing a couple days' worth of ransom from time to time.
Edit: Also keep in mind that the good people can often get decently paid legit jobs. Ransomware is profitable, but when you consider how many people will be splitting the loot, the need for tech support, the need to launder the money, the higher risk (translating to higher costs) of being a criminal, it's probably not even profitable enough to attract the best. Hiring competent people for security jobs is hard even for legit companies, and being a criminal gang won't make it easier.
It's an arms race. The incompetent criminals are being weeded out while the system lets the apt ones thrive. It's telling that computer fraud has grown while low-hanging fruit is being showcased.
Also, competent engineers are not employed by mafias, they are coerced into it. Money is just an added bonus.
Yes they are cracking the encryption. Files are not encrypted with public-private-crypto, they must use a symmetric key to encrypt gigabytes of data. Then they make a mistake in keeping that in memory and the crack is to get that.
Cryptographer here. Yes, in principle encryption is relatively easy to get right. The amazing story of ransomware is how often live ransomware packages have gotten the basics wrong: everything from using sub-200-bit RSA keys to leaving the encryption keys in RAM on an encrypted machine [Wannacry]. There have also been private key recoveries from captured C&C infrastructure. This sort of least-effort incompetence is absolutely the best thing about the project of ransomware. The bad news is that they’re getting better at it, unfortunately.
The reason I have doubts that there's someone "periodically checking payments" is that I've personally sat in on several payments. Without fail, you send BTC and within a few seconds (presuming you spam F5) the website updates to say "payment detected" followed by the key popping up on screen, on the website the ransomware originally directed you to.
Just a tangential question: How do people manage to have ransomware on their computer generally? Do they just run untrusted software on their machine?
Precisely. Either in the form of AIDS.exe they thought was "that jewel game from the Yayhoos", or your secretary who received an email that said "I can't believe this is you!" and then executed macros in a malicious MS Word or PowerPoint file.
Phishing/downloading infected files. The infection can then potentially spread across the network if/when the infrastructure is running outdated and unpatched systems using publicly known exploits.
Patch your systems and maintain backups if you want to avoid this!
>To the untrained eye, the code of a computer virus is just a jumbled mess of letters, numbers and symbols.
>But to Fabian Wosar, each line is a clear instruction. He knows and understands every digit and dot in the same way a pianist would read a page of musical notes.
This stood out to me as a strangely flowery description of reading asm, but apart from that the article was quite engrossing. Props to Fabian.
Getting encryption right is hard, even if you're using a good algorithm.
Somewhat competent people get it wrong all the time, and the people writing ransomware are often... less competent than that.
Using a static symmetric key for all victims, generating individual keys in an insecure way, 256-bit RSA keys (not sure if this one has happened with ransomware, has happened with legit software), reusing the stream of a stream cipher, using formerly-believed-to-be-secure ciphers like RC4, ...
It's not that hard to get the encryption right, but there's plenty of room for failure, especially if you aren't an expert.
Encryption is all about thoroughness and due diligence, which aren't a priority for malware developers. When doing any real implementation, there are many minor, innocuous things that can be (ab)used to break your secrecy. It's like a test where you do 999 things right and get one thing wrong, then you fail.
The common way these are "cracked" is that the C&C server - which observes payments and hands over keys - is itself compromised.
There are a lot of news articles I read about people "cracking ransomware encryption" and, aside from some early versions that had basic crypto bugs, I'm extremely suspicious of anyone claiming to do so. There are a number of companies I'm aware of that simply pay the ransom, then charge a huge markup to claim they "cracked the encryption", so it's better for their business to support the view there are elite hackers somehow breaking RSA every time ransomware uses it.