You’re dealing with a ransomware infection. Is there any chance of recovery?
That depends on the type of ransomware (or variant) and its sophistication. However, as bad actors have become more capable, so have cryptanalysts — and we’ve successfully restored data for hundreds of businesses and personal computer users who’ve been victimized by ransomware.
In this article, we’ll explain how modern ransomware works, how advanced techniques can bypass encryption, and why paying ransoms isn’t an option. To discuss your situation with an expert, call 1-800-237-4200 or submit a case online.
How Modern Ransomware Works (When It Works)
Early forms of ransomware would sometimes store the decryption key on the victim’s machine, or simply lock the screen without encrypting data. Unfortunately, as ransomware has become a lucrative “industry,” variants have become much more sophisticated.
Typically, modern ransomware variants will follow this sequence:
- The ransomware generates a random, unique symmetric key, often a 128- or 256-bit AES key or one for a similarly secure cipher. Some variants may generate keys for each individual file, which greatly complicates data recovery.
- The ransomware encrypts the target files. Many variants will specifically target databases, emails, and other high-value files, though some will simply encrypt everything on a drive. Less-sophisticated variants may only encrypt the beginning of each file, which can create an opportunity for recovery.
- The ransomware uses a pre-embedded asymmetric public key (typically an RSA-2048 or RSA-4096 public key) to encrypt the symmetric key(s) used for file encryption. This public key belongs to the attacker, and its corresponding private key is kept secret on the attacker’s command-and-control (C2) server. It is never exposed on the victim’s network.
- The ransomware securely erases the original symmetric key from the system’s memory to prevent recovery.
Some advanced ransomware families add further complexity to this chain. Variants like WannaCry and Crytox generate a unique client-side RSA key pair on each infected machine. The symmetric file keys are encrypted with the client’s public key, and the client’s private key is then encrypted with the attacker’s master public key. This layered approach means the victim only needs to send the small, double-encrypted client private key to the attacker for decryption (as opposed to thousands of individual file keys).
So, given the high degree of sophistication here, how is data recovery possible?
Ransomware Recovery: Potential Techniques for Decryption
Theoretically, a hybrid encryption model will leave the victim with no alternative; the only way to restore data is to pay the ransom. But in real life, complex software is — well, complex. The more steps that a ransomware creator takes to accomplish their goal, the more they introduce potential points of failure.
To put it simply: Cryptography is difficult to get right. Homemade algorithms are frequently riddled with subtle flaws that can be systematically broken by trained cryptanalysts.
A great example is the Hive ransomware case. South Korean researchers performed a deep analysis of its encryption process and found a significant flaw: The malware made a critical error by storing pointers to the locations of its keystreams within the encrypted file’s name. This flaw allowed the researchers to devise a method to recover the master key — although the Justice Department had busted Hive by that point.
Other potential techniques include:
- Key Reuse Attacks. If an attacker reuses the same key to encrypt different pieces of data with a stream cipher, the shared keystream cancels out when the two ciphertexts are combined, and it becomes possible to recover both messages. Recovery engineers compare two or more encrypted files to find relationships between the keystreams.
- Weak Key Generation. The security of any encryption system depends on the randomness of its keys. If a malware author uses a weak pseudo-random number generator (PRNG) or seeds a strong one with a predictable value, the entire system can collapse. For instance, the Crytox ransomware was cracked because it seeded its key generation with a Windows function that simply returns the number of milliseconds since the system last booted. That is a highly predictable 32-bit number, so it was fairly easy to “brute-force” the seed value and regenerate the exact AES key used to lock the files.
- Memory Forensics. Before a key is used or stored, it must exist in its plaintext form in the computer’s volatile memory (RAM). While ransomware tries to securely wipe these keys, a window of opportunity often exists to capture them. Live memory analysis (or memory forensics) involves taking a complete image of a system’s RAM while the infected machine is still running. During the WannaCry/WannaCrypt outbreak, we found that on systems that hadn’t been rebooted, the prime numbers used to generate the RSA private key could be recovered from memory, allowing for full decryption.
- Known-Plaintext Attacks. This classic cryptanalysis technique is viable when an analyst has access to both an encrypted file (ciphertext) and its original, unencrypted version (plaintext). By comparing the two, it’s possible to reverse-engineer the key, especially against improperly implemented or custom ciphers.
- Operational Failures and Leaked Keys. Sometimes, the path to decryption comes from the attackers’ own mistakes. In early 2022, after the Conti ransomware group sided with Russia in the invasion of Ukraine, a disgruntled insider leaked years of the group’s internal chat logs, along with source code and private decryption keys.
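The key-reuse and known-plaintext items above share one mechanism, shown here as an added example that is not code from the article or from any real decryptor. The stream cipher is a constructed SHA-256 counter stand-in, and the two "PDF files" and per-victim key are constructed sample data; the recovery logic itself (C1 xor C2 = P1 xor P2, and K = C xor P) is the general technique.

```python
import hashlib

# Constructed stand-in for the malware's stream cipher: SHA-256 in counter mode.
# The flaw being exploited is keystream reuse, not a weakness of the cipher.
def toy_keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    # Truncates to the shorter input, so partial plaintext yields partial keystream.
    return bytes(x ^ y for x, y in zip(a, b))

def stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, toy_keystream(key, len(plaintext)))

def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    # Known-plaintext step: C = P xor K, so K = C xor P for every byte we know.
    return xor_bytes(ciphertext, known_plaintext)

def recover_sibling(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    # Key-reuse step: C1 xor C2 = P1 xor P2, so one known file unmasks the other
    # for as many bytes as the known plaintext covers.
    return xor_bytes(xor_bytes(c_known, c_target), p_known)

# Constructed victim data: two PDFs locked under ONE reused per-victim keystream.
KEY = hashlib.sha256(b"constructed per-victim key").digest()
INVOICE = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n% constructed invoice"
REPORT = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n% constructed quarterly report, longer"
C_INVOICE = stream_encrypt(KEY, INVOICE)
C_REPORT = stream_encrypt(KEY, REPORT)

def recover_report_from_backup() -> bytes:
    """A clean invoice.pdf from backup reveals the shared keystream prefix,
    which then decrypts the same-length prefix of report.pdf."""
    return recover_sibling(C_INVOICE, INVOICE, C_REPORT)

def recover_header_without_backup() -> bytes:
    """No backup at all: the 8-byte PDF magic is public knowledge, so it still
    gives 8 keystream bytes, enough to confirm reuse across both files."""
    keystream8 = recover_keystream(C_REPORT[:8], b"%PDF-1.7")
    return xor_bytes(C_INVOICE[:8], keystream8)
```

Identical ciphertext prefixes across files are the first tell-tale sign of keystream reuse; file-format magic bytes then supply the known plaintext even when no backup exists.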
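The weak-seed recovery described in the Crytox item above, as an added example that is not from the article or from any published decryptor. The seed-to-key derivation, the cipher stand-in, the locked .docx and the uptime estimate are all constructed assumptions; the search is narrowed to a window around the estimated uptime rather than the full 32-bit space.

```python
import hashlib

# Constructed model of the flaw described above: the "random" key is derived from a
# 32-bit milliseconds-since-boot counter, so the whole key space is 2^32 seeds.
def weak_key_from_seed(seed_ms: int) -> bytes:
    return hashlib.sha256(seed_ms.to_bytes(4, "little")).digest()

def first_block_keystream(key: bytes) -> bytes:
    # Constructed stand-in for the cipher's first output block under a candidate key.
    return hashlib.sha256(key + b"block0").digest()

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def brute_force_seed(cipher_head: bytes, known_head: bytes, window: range) -> int:
    """Try each tick-count value; the one that turns the ciphertext head back into
    the known file magic is the seed the malware used. Returns -1 if none matches.
    A 4-byte magic gives a 2^-32 false-positive rate per candidate, so confirm a
    hit on a second file before trusting it."""
    for seed in window:
        block = first_block_keystream(weak_key_from_seed(seed))
        if xor_bytes(cipher_head, block[:len(known_head)]) == known_head:
            return seed
    return -1

# Constructed evidence: a locked .docx (ZIP container) encrypted 3h17m42.5s after boot.
TRUE_SEED = 3 * 3_600_000 + 17 * 60_000 + 42_517
ZIP_MAGIC = b"PK\x03\x04"
CIPHER_HEAD = xor_bytes(ZIP_MAGIC, first_block_keystream(weak_key_from_seed(TRUE_SEED))[:4])

def recover_seed() -> int:
    # Assumed: event logs put the infection at roughly 3h18m uptime (38 s off),
    # so a +/-90 s window suffices; the full 2^32 space is still feasible offline.
    estimate = TRUE_SEED + 38_000
    return brute_force_seed(CIPHER_HEAD, ZIP_MAGIC, range(estimate - 90_000, estimate + 90_000))

def recover_key() -> bytes:
    # The regenerated key is exactly the one the malware used to lock the files.
    seed = recover_seed()
    return b"" if seed < 0 else weak_key_from_seed(seed)
```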
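The memory-forensics item above, carried through the key chain described in the "How Modern Ransomware Works" section, as an added example that is not code from the article or from any real recovery tool. The RAM image, the RSA key pair (two small Mersenne primes in place of 1024-bit ones), the little-endian storage layout and the unpadded key wrapping are all constructed assumptions; the core idea, scanning for an integer that divides the public modulus and rebuilding the private key from it, is the general technique.

```python
import hashlib

# Constructed RSA-style key pair standing in for the one the sample generated on the
# victim. Mersenne primes keep the arithmetic checkable; real keys use 1024-bit primes.
E = 65537
P_REAL = (1 << 61) - 1
Q_REAL = (1 << 89) - 1
N = P_REAL * Q_REAL        # the modulus is public: it sits in the encrypted-key header

def build_demo_image() -> bytes:
    """Constructed RAM image: deterministic filler with both primes still resident,
    stored as little-endian multiprecision integers (assumed layout)."""
    buf = bytearray(hashlib.sha256(b"constructed filler").digest() * 64)   # 2 KiB
    buf[700:716] = P_REAL.to_bytes(16, "little")
    buf[1500:1516] = Q_REAL.to_bytes(16, "little")
    return bytes(buf)

def find_prime_factor(image: bytes, n: int, width: int = 16) -> int:
    """Slide a window across the image, read each chunk as a little-endian integer,
    and keep the first one that divides the public modulus. Returns 0 if absent.
    A real scan would use the key's true limb width and try both byte orders."""
    for off in range(len(image) - width + 1):
        cand = int.from_bytes(image[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return 0

def rebuild_private_key(p: int, n: int, e: int = E) -> int:
    """One prime is enough: q = n // p, then d = e^-1 mod (p-1)(q-1) (Python 3.8+)."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

def unwrap_file_key(wrapped: int, d: int, n: int) -> int:
    # Textbook (unpadded) RSA on the constructed wrapped symmetric key.
    return pow(wrapped, d, n)

# Constructed on-disk artifact: the AES file key the sample wrapped with the public key.
FILE_KEY = hashlib.sha256(b"constructed AES file key").digest()[:16]
WRAPPED = pow(int.from_bytes(FILE_KEY, "big"), E, N)

def demo_recover_file_key() -> bytes:
    """End to end: image -> prime -> private exponent -> unwrapped AES file key."""
    p = find_prime_factor(build_demo_image(), N)
    d = rebuild_private_key(p, N)
    return unwrap_file_key(WRAPPED, d, N).to_bytes(16, "big")
```

This is why the "don't power off" advice below matters: a reboot clears the volatile memory that still holds these values.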
Ransomware Recovery: Steps to Take
Of course, finding ways to crack ransomware isn’t easy — and some variants are much, much more effective than others. But if you’ve lost data due to a ransomware infection, recovery may be possible.
To maximize the chances of a successful recovery, we recommend taking the following steps:
- Do not use data recovery software on the infected computer. Commercial data recovery software cannot recover encrypted files (regardless of the software’s claims).
- Write down or copy any messages that appear on the infected machine. Recovery specialists will need to analyze the ransomware to create a decryption strategy, and ransom messages often provide a quick way to definitively identify the variant.
- Don’t turn off the machine right away. Contact a ransomware specialist first — as we discussed earlier, some infections may be resolved through memory forensics, and you may need to keep the computer powered on for these techniques to work.
- If the infected machine is on a network, disconnect it from the network to prevent the infection from spreading.
- Don’t pay the ransom. In many cases, paying for decryption is illegal, and it’s always a bad practice (and given that many ransomware payments don’t result in file decryption, it’s not a wise move).
Datarecovery.com has developed methods for addressing many ransomware infections remotely or onsite. If you’ve encountered data loss due to malware, we’re ready to help.
Call 1-800-237-4200 or submit a case online to get started.