So, understanding AES will be enough of a starting point to help identify other types going forward in a real-world analysis. In general, most synchronous encryption algorithms have a similar flow to this the differences may be the types of mathematical operations performed, but the core concepts remain the same. Starting off, below, we have the high-level flow of AES algorithm.
A basic understanding of some of the low-level details of how these encryption algorithms work will be necessary. When looking for statically compiled encryption code, as we mentioned, you will not have the luxury of searching for any API calls. The encryption implementation will likely be performed between these two points.
When this is the case, you must be able to understand the inner workings of encryption algorithms to be able to identify code.Ī file’s content will be encrypted and written back into the file, so a quick method to narrow down the general region where the encryption lies is to simply xref the ReadFile and WriteFile API calls. There are times, however, where the encryption is statically compiled into the malware or even a custom written encryption algorithm is used. This was the case for the previous ShiOne walkthrough. If this is the case, it can be quite simple to identify the algorithm. A lot of times, it’s as simple as looking at the API calls. Locating encryption algorithmsīefore you can even attempt to find the weakness, you must first know what was the encryption algorithm being used. These weaknesses can be anything from weak encryption algorithms and weak key generators to server-side vulnerabilities and leaked keys. What’s difficult is being able to identify and analyze the methods a programmer used for encryption and look for any weaknesses to exploit. There are a number of things that can go wrong for someone who is implementing encryption. That flaw is often a result of an error in implementation. In order for something as powerful as encryption to break, there needs to be some kind of secret flaw. Continuing on in our Encryption 101 series, where we gave a malware analyst’s primer on encryption and demonstrated encryption techniques using ShiOne ransomware, we now look at what it takes to break an encryption.