3

I am writing regarding a certain ransomware program called cryptowall (prop 4.0). I have lost many documents to this, and as it so happens, I have a few file duplicates before and after they were forcefully encrypted.

My question is whether or not it is possible for someone knowledgeable to figure out the key used and decrypt these particular files by comparing the two copies? Thanks for taking the time to even read this; you can't imagine how important these documents are to me, pretty much 8 years of work.

Will
  • 105
  • 4
geok
  • 31
  • 1

2 Answers2

3

Cryptowall (from about version 3 and onward) uses AES encryption. The kind of attack you are describing to recover the key(s) used is a known-plaintext attack. Even with an absurd amount of plaintext-ciphertext pairs, there are no known reasonable attacks on AES in the foreseeable future. The AES key itself is encrypted with RSA, but the known plaintexts aren't relevant, as the RSA key is not used to encrypt your files directly.

If you can't live without the documents, your only real option is to pay the ransom. The only other option is to live without your files, and hope that in the future the perpetrator is arrested and the keys are released.

And of course, be sure to keep your antivirus software up-to-date and follow other good practices in the future.

Chris
  • 243
  • 6
  • 12
  • As mentioned in the dupe, this is not entirely accurate. At least some versions of CryptoWall use RSA directly, rather than the normal hybrid encryption with AES. – otus Feb 22 '16 at 14:59
  • @otus Clarified. – Chris Feb 22 '16 at 20:02
0

if you implement AES properly,then encrypted files by your ransomware are impossible to decrypt even for NSA, because of AES is not breaking nowadays,otherwise see For example this link that weakness in implemention of cryptographic algoritm results to deacrypt ransomware files!

best way to protect yourself against ransomwares is backing up your files in external hard disk,periodically.