
I have 2 different images, one original, and one locked by malware detected by ESET as "Win32/Filecoder.Q".

How can I detect the encryption method that is used and the key, given that it is not using any public key/RSA/RC4 algorithm? Here is the diff:

[image: hex dump comparison of the original file and the locked file]

If needed I can attach the files (locked and original).


1 Answer

Filecoder.Q ransomware used one of three encryption algorithms: XOR, Tiny Encryption Algorithm (TEA) and AES, but this ransomware does not encrypt the beginning of the files, so in your picture the beginning of the original and locked file are equal. If this ransomware uses the XOR algorithm then you can decrypt the locked file by XORing the original file and the locked file (key extraction); else if it uses the TEA algorithm then decryption of the file is hard (but possible), but decryption of the file when it uses AES is impossible.

  • Why do you say decryption is possible with TEA? It is secure, AFAIK. Do you mean some kind of attack exploiting its small block size? – otus Apr 25 '16 at 04:53
  • I tried to find the key for the XOR algorithm, but with no success – Daniel Apr 25 '16 at 06:18
  • @otus I speak about some cryptanalysis of TEA like this link: https://www.schneier.com/cryptography/archives/1997/11/related-key_cryptana.html –  Apr 25 '16 at 09:33
  • @Daniel you should XOR the bits of the original file with the equivalent bits of the locked file and the result is the key, or you can use ESET Filecoder.Q Cleaner –  Apr 25 '16 at 09:40
  • @0skar, those are related key attacks, which are pretty much not useful in practice. – otus Apr 25 '16 at 13:20
  • @0skar Tried all of this. Maybe I was wrong saying it's written by a script kiddie. It's more complex software, I see. – Daniel Apr 25 '16 at 16:49
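The key-extraction check the answer describes, as an added example that is not code from the question, the answer or ESET: given the clean and the locked copy of the same file, find the unencrypted header (the common prefix), XOR the two files over the region that differs, and test whether the result repeats. A repeating result is a candidate XOR key; a result with no period means the XOR hypothesis is not confirmed and the file was more likely encrypted with something like TEA or AES, which is the situation Daniel reports. The 16-byte header, the 5-byte `DEMO_KEY` and the `_lock_prng` stand-in for a non-repeating keystream are all constructed for this demo and say nothing about the real Filecoder.Q key or format.

```python
"""Test the "XOR with a repeating key" hypothesis on a clean/locked file pair.

All sample data below is constructed for the demo; it is not Filecoder.Q output.
"""
import hashlib
from typing import Optional


def common_prefix_len(clean: bytes, locked: bytes) -> int:
    """Length of the unencrypted header: leading bytes identical in both files."""
    n = 0
    for a, b in zip(clean, locked):
        if a != b:
            break
        n += 1
    return n


def keystream_from_pair(clean: bytes, locked: bytes, start: int) -> bytes:
    """plaintext XOR ciphertext over the encrypted region. For a XOR cipher this is the keystream."""
    return bytes(a ^ b for a, b in zip(clean[start:], locked[start:]))


def smallest_period(stream: bytes, max_period: int = 64) -> Optional[int]:
    """Smallest p with stream[i] == stream[i + p] for every i, requiring at least
    three full repetitions so a short tail cannot produce a spurious period."""
    for p in range(1, min(max_period, len(stream) // 3) + 1):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return None


def analyze_pair(clean: bytes, locked: bytes, max_period: int = 64) -> dict:
    """Return the header length, the detected key period and the candidate key (or None)."""
    if len(clean) != len(locked):
        # XOR never changes the length; a size change already points to another scheme.
        raise ValueError("file sizes differ: not a plain XOR cipher")
    start = common_prefix_len(clean, locked)
    ks = keystream_from_pair(clean, locked, start)
    period = smallest_period(ks, max_period)
    return {
        "unencrypted_prefix": start,
        "period": period,
        "key": ks[:period] if period else None,
    }


def xor_apply(data: bytes, key: bytes, start: int) -> bytes:
    """Repeating-key XOR from offset `start`; bytes before it are left untouched.
    XOR is its own inverse, so this both locks and unlocks."""
    body = bytes(c ^ key[i % len(key)] for i, c in enumerate(data[start:]))
    return data[:start] + body


def key_fits(clean: bytes, locked: bytes, key: bytes, start: int) -> bool:
    """Confirm a candidate key on a second clean/locked pair before trusting it."""
    return xor_apply(locked, key, start) == clean


# --- constructed demo data -------------------------------------------------
HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8          # 16-byte header, left unencrypted
CLEAN = HEADER + bytes(range(256)) * 4                # 1040-byte stand-in for an image
DEMO_KEY = b"\x5a\x13\xc7\x88\x2e"                    # constructed 5-byte repeating key
SKIP = 16


def _lock_prng(clean: bytes, skip: int) -> bytes:
    """Stand-in for a cipher whose keystream does not repeat (as TEA/AES output would not):
    a SHA-256 counter stream, constructed for the demo only."""
    out = bytearray(clean[:skip])
    block, ctr = b"", 0
    for i, c in enumerate(clean[skip:]):
        if i % 32 == 0:
            block = hashlib.sha256(b"demo-stream" + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        out.append(c ^ block[i % 32])
    return bytes(out)


LOCKED_XOR = xor_apply(CLEAN, DEMO_KEY, SKIP)   # what a repeating-XOR locker would produce
LOCKED_OTHER = _lock_prng(CLEAN, SKIP)          # what a real cipher would look like


if __name__ == "__main__":
    for label, locked in (("xor", LOCKED_XOR), ("other", LOCKED_OTHER)):
        r = analyze_pair(CLEAN, locked)
        print(label, r)
        if r["key"] is not None:
            print("  key verifies:", key_fits(CLEAN, locked, r["key"], r["unencrypted_prefix"]))
```

Run it on a real pair by reading both files with `open(path, "rb").read()` and passing them to `analyze_pair`. If a period is reported, check the candidate key with `key_fits` against a second clean/locked pair before using it; a period found on a single short file can be coincidental, and a keystream with no period at all is the expected outcome for TEA or AES, at which point the answer's advice to use the vendor cleaner applies.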