
posted by cmn32480 on Monday July 25 2016, @01:27PM
from the we-should-flog-the-virus-writers dept.

Original URL: http://www.itworld.com/article/3099084/researchers-release-free-decryption-tools-for-powerware-and-bart-ransomware.html#tk.rss_news

Security researchers have released tools this week that could help users recover files encrypted by two relatively new ransomware threats: Bart and PowerWare.

PowerWare, also known as PoshCoder, was first spotted in March, when it was used in attacks against healthcare organizations. It stood out because it was implemented in Windows PowerShell, a scripting environment designed for automating system and application administration tasks.

Researchers from security firm Palo Alto Networks have recently found a new version of this threat that imitates a sophisticated and widespread ransomware program called Locky. It uses the extension .locky for encrypted files and also displays the same ransom note used by the real Locky ransomware.

This is not the first time the PowerWare/PoshCoder creators have imitated well-designed ransomware threats, probably in an attempt to convince users that there's no point in trying to recover their files without paying. In the past, they've used the CryptoWall and TeslaCrypt ransom notes.

Luckily, PowerWare is nowhere near as strong as the ransomware programs it impersonates. It uses the AES-128 encryption algorithm, but with a hard-coded key, so the same key unlocks every victim's files once it has been pulled out of the script. That allowed the Palo Alto researchers to create a decryption tool that should work at least for this latest variant.

Also this week, researchers from antivirus firm AVG managed to crack another ransomware program called Bart that first appeared in June. This threat is notable because it locks files inside password-protected ZIP archives instead of using sophisticated encryption algorithms.

Bart infections are easy to identify because the affected files will have the extension .bart.zip appended to their original name and extension -- for example document.docx will become document.docx.bart.zip.

Bart's ZIP password is very long and complex, so guessing the password itself is not practical; the AVG researchers instead found a way to recover the key by brute force with the help of known plaintext. Their Bart decryption tool therefore requires the user to have at least one unaffected copy of a file that has been encrypted.
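What "one unaffected copy" buys a decryptor, as an added example (this is not the AVG tool or Bart's own code, and the documents, password and candidate list in it are constructed): a pure-Python implementation of ZipCrypto, the legacy PKWARE ZIP encryption described in APPNOTE.TXT, which is the only ZIP encryption that can be recovered this way (WinZip-style AES entries have no comparable weakness). ZipCrypto is a stream cipher whose entire state is three 32-bit words seeded from the password, so a long password buys at most 96 bits, and whoever holds that state can open every entry in the archive. `recover_password` is the plain brute-force reading of the article, verified against the known original with ZIP's own check byte as a fast filter; the example goes one step beyond the article by showing, in `password_keys` and `open_entry(keys=...)`, that the recovered state alone decrypts without the password. The Biham-Kocher attack that recovers that state from a dozen or so bytes of known plaintext, which is the realistic route against a long password, is not implemented here.

```python
"""ZipCrypto (PKWARE "traditional" ZIP encryption, per APPNOTE.TXT) in pure
Python, with a known-plaintext-verified password search and a demonstration
that the cipher's 96-bit internal state, not the password, is what opens
the archive. Added example for this article; not code from AVG, Palo Alto
Networks or the Bart malware. Documents, password and candidates below are
constructed for the demo."""
import os
import zlib

# CRC-32 table (reflected polynomial 0xEDB88320), the one ZIP itself uses.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_byte(crc, b):
    return (crc >> 8) ^ _CRC_TABLE[(crc ^ b) & 0xFF]


class ZipCrypto:
    """PKZIP stream cipher. Its whole state is three 32-bit words."""

    def __init__(self, password=None, keys=None):
        # Start from the fixed constants and absorb the password, or load a
        # known state directly (what a state-recovery attack hands you).
        self.keys = list(keys) if keys else [0x12345678, 0x23456789, 0x34567890]
        for b in password or b"":
            self._update(b)

    def _update(self, b):
        k0, k1, k2 = self.keys
        k0 = _crc32_byte(k0, b)
        k1 = (k1 + (k0 & 0xFF)) & 0xFFFFFFFF
        k1 = (k1 * 134775813 + 1) & 0xFFFFFFFF
        k2 = _crc32_byte(k2, k1 >> 24)
        self.keys = [k0, k1, k2]

    def _stream_byte(self):
        t = (self.keys[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            k = self._stream_byte()
            self._update(p)          # the state absorbs the PLAINTEXT byte
            out.append(p ^ k)
        return bytes(out)

    def decrypt(self, data):
        out = bytearray()
        for c in data:
            p = c ^ self._stream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def make_entry(password, plaintext, salt=None):
    """One stored (uncompressed) encrypted entry: the CRC-32 a ZIP local header
    carries in the clear, plus the 12-byte encryption header and the data.
    Header byte 11 is the CRC's high byte, ZIP's quick wrong-password check."""
    salt = os.urandom(11) if salt is None else salt
    crc = zlib.crc32(plaintext)
    body = ZipCrypto(password).encrypt(salt + bytes([crc >> 24]) + plaintext)
    return {"crc": crc, "body": body}


def open_entry(entry, password=None, keys=None):
    """Decrypt with a password or directly with a recovered 96-bit state.
    Returns None when the check byte or the full CRC rejects the key."""
    zc = ZipCrypto(password, keys)
    header = zc.decrypt(entry["body"][:12])
    if header[11] != entry["crc"] >> 24:       # 1-in-256 false accept rate
        return None
    data = zc.decrypt(entry["body"][12:])
    return data if zlib.crc32(data) == entry["crc"] else None


def password_keys(password):
    """The state a Biham-Kocher-style attack recovers: the three key words
    after the password is absorbed, identical for every entry in the archive."""
    return tuple(ZipCrypto(password).keys)


def recover_password(candidates, entry, known_plaintext):
    """The plain brute-force reading of the article: try candidates until one
    turns the locked entry back into the unaffected original."""
    for pw in candidates:
        if open_entry(entry, password=pw) == known_plaintext:
            return pw
    return None


if __name__ == "__main__":
    pw = b"Tr0ub4dor&3-very-long-but-still-only-96-bits-of-state"
    original = b"document.docx contents (constructed)\n" * 4
    locked = make_entry(pw, original)
    found = recover_password([b"123456", b"password", pw], locked, original)
    print("password recovered:", found == pw)
    print("state alone opens it:", open_entry(locked, keys=password_keys(pw)) == original)
```

Entries here are stored uncompressed. In a real archive the entry is normally deflated before it is encrypted, so the known plaintext has to be the deflated stream, produced with the same compressor and settings the malware used; that is the practical snag with this kind of recovery and the reason a byte-identical original, not merely a similar file, is needed.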

-- submitted from IRC

  • (Score: 3, Insightful) by frojack (1554) on Monday July 25 2016, @07:45PM (#380005)

    Can't that be generalized into a vulnerability in ZIP encryption itself? Or is this an already well-known vulnerability in ZIP?

    Given a cleartext source document and an encrypted version, almost any encryption method can be brute forced.

    Not just a Zip weakness.

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 1, Informative) by Anonymous Coward on Monday July 25 2016, @08:13PM (#380019)

    Given a cleartext source document and an encrypted version, almost any encryption method can be brute forced.

    Not just a Zip weakness.

    This is not just plain false.

    For example, consider the following. Source "hello world", encrypted "telrehbesty". Given that, please decrypt "tosbunosesb". As a hint, I'm using a one-time pad.

    For a less degenerate case, try running a large binary file through AES-256. Even given the source file and the ciphered file, it's not at all trivial to break out the key and create a general crack which would be able to decrypt another file with the same key.

    • (Score: 2) by frojack (1554) on Thursday July 28 2016, @04:25AM (#381048)

      For example, consider the following. Source "hello world", encrypted "telrehbesty". Given that, please decrypt "tosbunosesb". As a hint, I'm using a one-time pad.

      Sure. Just give me the clear text to "tosbunosesb".

      The operative phrase was "almost any encryption method".

      Automated malware encryption systems don't ever use one time pads. Because the malware author would have to remember the one time pad for EACH victim.

      --
      No, you are mistaken. I've always had this sig.
  • (Score: 2) by ticho (89) on Tuesday July 26 2016, @09:47AM (#380244)

    (partly answering my own question) https://en.wikipedia.org/wiki/Known-plaintext_attack#Present_day
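The point the thread circles around, as an added example that is not from any of the commenters above: a known plaintext/ciphertext pair lets you read every other file only when the keystream is reused, which is the "one key for every file" situation ransomware tends to create, and buys nothing against a genuine one-time pad. XOR with a fixed keystream stands in for any stream cipher run twice with the same key and nonce; the keystream, pad and documents are constructed for the demo.

```python
"""Known-plaintext attack on a reused keystream versus a one-time pad.
Added example for the thread above, not from any participant. XOR with a
fixed keystream stands in for any stream cipher driven with the same key
and nonce for every file; the keystream, pad and documents are constructed."""


def xor_bytes(a, b):
    """XOR two byte strings over the length of the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(known_plaintext, known_ciphertext):
    """Known plaintext gives back the keystream for every position it covers."""
    return xor_bytes(known_plaintext, known_ciphertext)


def decrypt_other_file(known_plaintext, known_ciphertext, target_ciphertext):
    """Apply the recovered keystream to a second ciphertext. Correct only if
    that file was encrypted under the same keystream, and only as far as the
    known pair reaches."""
    keystream = recover_keystream(known_plaintext, known_ciphertext)
    return xor_bytes(target_ciphertext, keystream)


# Constructed sample: a deterministic "keystream", a second independent pad
# (standing in for a fresh one-time pad), and two victim documents.
KEYSTREAM = bytes((i * 73 + 41) & 0xFF for i in range(64))
FRESH_PAD = bytes((i * 29 + 7) & 0xFF for i in range(64))
INVOICE = b"Invoice 2016-07: 1200 EUR due 30 days"
CONTRACT = b"Contract draft, confidential, do not forward"


def demo_reused_key():
    """Both files locked with the same keystream: the known invoice decrypts
    the contract for as many bytes as the invoice is long."""
    invoice_ct = xor_bytes(INVOICE, KEYSTREAM)
    contract_ct = xor_bytes(CONTRACT, KEYSTREAM)
    return decrypt_other_file(INVOICE, invoice_ct, contract_ct)


def demo_one_time_pad():
    """The contract locked under a fresh pad: the recovered keystream is
    useless, and the output is not the contract."""
    invoice_ct = xor_bytes(INVOICE, KEYSTREAM)
    contract_ct = xor_bytes(CONTRACT, FRESH_PAD)
    return decrypt_other_file(INVOICE, invoice_ct, contract_ct)


if __name__ == "__main__":
    print("reused keystream:", demo_reused_key())
    print("fresh pad       :", demo_one_time_pad())
```

Note the truncation in the reused case: only the prefix covered by the known file comes back, which is why the AC's AES counter-example holds for a block cipher in a proper mode, where a known pair exposes neither a reusable keystream nor the key, and why the Bart situation is different: there the weakness is in the ZIP cipher's internal state, not in keystream reuse.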