RSA-4096 Cryptography Abused by Cyber Malefactors

Posted by Gordon Serlikis
May 16, 2016
Malicious software moved into the crypto domain several years ago and has since formed a whole new darknet industry. These infections encrypt files on victims’ computers and hold them for ransom, relying on established cryptographic standards to make the data inaccessible. The RSA-4096 cryptosystem is used by a number of widespread ransomware strains, including TeslaCrypt and the more recent CryptXXX pest.

Why is RSA-4096 the perpetrators’ algorithm of choice in some of the best-orchestrated campaigns? It is a public-key cryptosystem that uses two keys in the course of encryption: a public key and a private key. The latter is the one necessary for recovering the information. The problem with ransomware is that this high-entropy piece of data is sent to the criminals’ remote Command and Control server right after the file encryption routine has been performed, so the victim never holds it. Brute-force attacks aren’t practical in this scenario, because they would require computing power far beyond what is available to the average end user.

RSA-4096 based crypto viruses usually slither into Windows machines via two channels: social engineering and exploit kits. The former is encountered more frequently, mostly because it’s simpler for hackers to implement. A targeted user discovers a new incoming message in their webmail panel, opens it and sees something catchy, for example a job application with an enclosed resume, a missed delivery report or a traffic violation notice. Once the attached ZIP archive or PDF file is opened, it’s a matter of seconds for the ransomware to be executed on the PC.

The other contamination technique relies on redirecting potential victims to pages that host an exploit kit, which in turn finds and uses vulnerabilities in software such as Adobe Reader or Java on the computer.

Ransom demands vary in size, but they are usually set to 1-1.5 Bitcoins, or approximately 500 USD. Thankfully, there have been some breakthroughs in recovering data without submitting the ransom, but this doesn’t apply to the majority of samples. In any case, prevention is better than cure, so it’s recommended to keep the most targeted software up to date and abstain from opening suspicious email attachments.
