-2

Recent news reports show that the UK's NHS (Nation Health Service) has suffered a major ransomware attack which is also affecting other parts of the world especially Spain and Russia, the effect is to essentially lock out users from files unless a ransom is paid within a stated period of time, beyond which the files will either be permanently encrypted or deleted.

Would it be possible to break this encryption or similar if there was an army of 'reservists' PCs. So example a million PC users signed up to allow their PCs to be used to break such encryption if their was a serious attack. In other words what we be the minimum number of networked PCs you would need to realistically break encryption applied to a critical system, and could such a system be implemented?

Naz
  • 125
  • 4
  • 6
    1 (in theory), namely a backup server with fully-automatic backups. – SEJPM May 12 '17 at 19:22
  • @SEJPM Assume that anything that is on the same network as the malicious file has been compromised. So your backups are not a viable backup option. – Naz May 12 '17 at 19:44
  • 6
    If your backups can be deleted / modified, you didn't make them properly. – SEJPM May 12 '17 at 19:49
  • @SEJPM What I mean is say you have a malicious piece of code that sits silently for 6 months to a year adding a file to the location everyday. Then one day the ramsonware screen pops up, so you decide to wipe everything and go back to yesterdays backup, except that file that was placed in the backup now becomes active realises it is from a backup (creation date vs current date) and locks everything, so you go to the previous day/week/month/year, same thing, essentially rendering your backups useless. Assuming you have an old enough back to recover you still have irretrievable data loss. – Naz May 12 '17 at 19:54
  • a) I would only expect this sort of wait time for attacks on high-value targets. b) If you are the victim of such an attack, there's little you can do. c) Such targeted attacks usually have more explicit goals than just to make some money, but rather focus on data exfiltration or plain destruction. d) If you are to assume such a privileged position for malware, there's just about nothing you can do, especially if the author knew what he was doing. – SEJPM May 12 '17 at 20:08
  • @SEJPM The NHS/Healthcare systems are high value targets. Today could be orders of magnitude worse if backups are useless. – Naz May 12 '17 at 20:21
  • 1
    Related: Brute force attack expected running time – e-sushi May 12 '17 at 21:54
  • @naz Simple answer. No matter how many computers you add to your network, you'll not have enough. It's not possible. And I'm sorry that you don't like the answer of backups, but that's one of the best solutions. – Awn Sep 26 '17 at 07:15

2 Answers2

4

No amount is enough, to break the encryption.

If the ransomware was engineered "properly", they could make sure that their crypto follows best practices making it practically unbreakable within our current understanding of physics. This is due to the fact that current cryptographic primitives have been designed with all kinds of threats in mind (including access to large amounts of plaintext-ciphertext pairs).

However there's a simpler solution to this (actually two):

  • Security updates. Large parts of the affected systems are still running on Windows XP even though the relevant, wormed vulnerability (ETERNALBLUE) has "long" been fixed by Microsoft for supported OSs (like Windows 10 and Windows 7). So the fix is obvious: Update to supported systems and actually patch them.
  • Backups. If you can just recover the data from a fresh (automated) backup onto your systems, there's no need to invest ressources in finding flaws in the ransomware, you can just wipe the machines, restore from the backups and be done.

So TL;DR: No amount of computers will help, only proper preparation.

SEJPM
  • 45,967
  • 7
  • 99
  • 205
3

Would it be possible to break this encryption or similar if there was an army of 'reservists' PCs.

The short answer is no.

So example a million PC users signed up to allow their PCs to be used to break such encryption if their was a serious attack. In other words what we be the minimum number of networked PCs you would need to realistically break encryption applied to a critical system, and could such a system be implemented?

The keyword that makes it to where you can't answer this qualitatively is "realistically". We could go on with assumptions about how much matter/energy there is in the universe and how much it requires to compute a guess at the key, but such assumptions will quickly violate the "realistic" requirement.

Cracking the key is not a realistic strategy in general

As long as the key is generated correctly and of sufficient size, guessing the key is not a realistic option in general.

However, that does not mean there does not exist a realistic option for recovering the key in the ransomware scenario.

For example, it might be possible, in certain situations, to recover the key from memory after the files have all been encrypted. It is possible that the malware did not erase the key from memory after it was done using it. It is alternatively possible that the key ended up somewhere on the hard drive, as the memory that the key was in could have been swapped out at some point.

However, recovering this information is non-trivial to the average person. And such situations do not endure forever - writing over the memory or shutting the machine off could/would ruin your opportunity take advantage of such situations.

The real solution to ransomware

As SEJPM pointed out, the real answer to ransomware encrypting your hard drive is much more mundane: standard preventative maintenance in the form of regular off-site backups.

Ella Rose
  • 19,603
  • 6
  • 53
  • 101
  • As mentioned in the original post comments, backing up should not be considered the panacea to attacks. – Naz May 12 '17 at 20:25
  • 1
    @Naz I have read the comments and from them obtained the opposite understanding to what you are claiming; Upon reading them again, I conclude that backups that are stored securely, off-site, and loaded onto a fresh, new device are in fact the single best means to thwart ransomware. However, in many cases it is simply too late to do this; This does not mean it is not the right solution, just that it was not implemented. For such cases, I mentioned a few more realistic ways to recover the key without paying the ransom or "breaking the encryption" (which is hollywood inspired nonsense.) – Ella Rose May 12 '17 at 21:07
  • Backups may work today, but tomorrow when you find all your backups to be contaminated, with no chance to recover the key from memory? is the world literally a few steps away from an unrecoverable data armageddon. – Naz May 12 '17 at 21:18
  • 2
    @Naz "but tomorrow when you find all your backups to be contaminated" - assuming you fulfilled the promises of "stored securely" and "off-site", then this implies some type of apocalypse sort of scenario. In such a scenario, your data is probably not even your primary concern anymore.

    " is the world literally a few steps away from an unrecoverable data armageddon" No. There is no reason to believe this is the case.

     – Ella Rose May 12 '17 at 22:03
  • It's no programming hardship to let a piece of malware sit on a network for weeks or months to contaminate the backups. That's not an apocalypse type of scenario, its just a progression of what we are seeing today. It renders 'secure' and 'off-site' useless. – Naz May 12 '17 at 22:20
  • I'm sorry you can keep pilling on, but there's no silver bullet for you here. Either you prevent your system from becoming infected, or you have a viable recovery plan. – DaveM May 14 '17 at 19:32