Author Topic: Undoing Ransomware (Read 3762 times)

Dimster · « **on:** July 30, 2019, 10:10:11 am »

Just read loudar's post here today on Encryption/Decryption, and in the news today is the theft of millions of personal data from Capital One. Typically that data may lead to emails carrying Ransomware. After reviewing loudar's algorythm I was wondering if it may be possible to write a QB64 program which could decrypt those files which may have been encrypted by a Ransom malware. Probably not?? Once the malware has control is there a way to run any defensive programs?? The bad guys do seem to be able to release your computer if you pay the ransom, so how do they do that? I have been notified a couple of times but some companies that they have suffered a breach and my personal info has been compromised but, knock on wood, I have yet to see any activity where some one has used my data.

Jack002 · « **Reply #1 on:** July 30, 2019, 10:47:41 am »

I have read a huge book on encryption. Depending on the type done, you are not gonna decrypt it and no one can. Look up the words "one time pad" sometime, imagine a 'key' of 1000s of unique characters, they all code how an encryption is done, without it you have nothing, you will not guess the key. We have come a long way from the code rings you would get inside cereal boxes shifting every letter one or more step left or right.

OldMoses · « **Reply #2 on:** July 30, 2019, 12:38:47 pm »

If you really, really want something, encrypt it yourself first and back it up somewhere. I'm partial to an older discontinued ap, as I don't trust more recent offerings to not have holes, and I'm not savvy enough to write my own. If you encrypt and backup, the ransomware perp has nothing but gibberish at his end, and you can reload after wiping the offending infection. I don't think there is any easy way around that, and we are pretty much at the mercy of these financial companies security practices. I imagine that we would be astonished at the goings ons... Modern computer encryption, I'll wager, makes Enigma look like a child's toy. I sincerely doubt that cracking ransomware is an option.

Petr · « **Reply #3 on:** July 30, 2019, 01:10:34 pm »

The possibility to encode something is great. I will recall one virus written by Czech university students. You know the old known OneHalf virus. Functional principle - hard disk boot sector encoding. If the system does not read the dirs and files position informations on the disc, the disc is unreadable. You won't do that in QB64. The only way to read and write to the bootsector is via C ++. Maybe another, but I don't know about her. It's basically the same thing as trying to read an audio cd over QB64. Without a C ++ middleman this is impossible.
The virus described is, I suppose, an old honest job. Such viruses are no longer written today. Today, they write stupid things like I Love You, which is based on the stupidity of Microsoft, which do not read the file header to assign content, but just the file extension.
Now imagine that today's computers have rewritable bios. That's just fun! That if you rewrite wrong, you can throw it in the garbage, or get the original bios version - if it can be again overwrited.
Oh my god, I was talking again more ...
Just if someone wants to encode it, it's best to format it and restore it from backups. The same thing with a virus attack (I'm talking about a home computer) - installing a system with a ready-to-use BR-RW that every proper programmer has ready (patting on the shoulder) takes half an hour. The work of stupid antivirus and other nonsense takes hours. So that's how I see it. As for passwords, I remember all of them and I didn't write them anywhere.

My problem is..... i dont know, where this BD-RW now is... :)

Dimster · « **Reply #4 on:** July 30, 2019, 01:19:49 pm »

Ya Andy, I have taken some measures but never thought of encrypting stuff on my computer(s). If, as Jack points out, you need the KEY to decrypt, could that not be found in the malware program? The malware program would be written is some language, say c++. If coding of that program could be captured and read, the KEY should be contained within it ..no? I recall, many years ago, an IT guy where I worked had a way of viewing the source code of an email attachment. I have no idea how he did it. I often see in some movies where the hackers have source code on their screens to alter - realize that's the movies where fantasy has it's own reality - Geeze, you would think it would pay the companies that hold your personal data to provide their customers with a program to protect against the crooks who have all your ID and financial info. I just recently was shopping for auto insurance. All of them wanted me to give them my ok for them to get a credit report and credit score before they gave me a quote. My auto insurance was running around $1000 per year, those insurers that I gave permission to where within a few hundred and the one insurer (who had a recent breach of customers data) I did not give permission to obtain a credit check unless they gave me the assurance that all my credit info would be deleted from their system if i did not accept their quote. They replied with a $3000 quote and said they could do better if I gave them the authorization to get my credit info. As far I know you need to provided credit info when you take out a loan, auto insurance isn't taking out a loan. Seems the Russians, Chinese, North Koreans are hell bent on hacking. If the banks, insurers and gov't agencies can't protect our data it likely will fall to each individual computer to protect itself. Boy, this turned into a rant - sorry about that.

Petr · « **Reply #5 on:** July 30, 2019, 01:34:27 pm »

It depends primarily on whether the data really should be able to recover the virus. There are viruses that can, but also those that only destroy data. It is enough to rewrite the first 40 bytes in the file and most of them will become unreadable for the programs. They will exist, but will not be readable, because there are records in the header about how to handle a particular file. Everyone can try how hard it is to break through. Make a zip file, enter your password when you compress it and try to find it in the zip file. Is there. But coded so you won't find it.

TempodiBasic · « **Reply #6 on:** July 30, 2019, 04:00:36 pm »

Interesting discussion...

about

Quote

If the system does not read the dirs and files position informations on the disc, the disc is unreadable. You won't do that in QB64.

I think that using an external library the direct access is possible.. see this https://docs.microsoft.com/it-it/windows/win32/api/fileapi/nf-fileapi-createfilea
https://docs.microsoft.com/it-it/windows/win32/devio/calling-deviceiocontrol
https://support.microsoft.com/en-us/help/100027/info-direct-drive-access-under-win32
https://docs.microsoft.com/it-it/windows/win32/fileio/disk-management-reference

and virtually if you are able to translate the CALL INTERRUPT to CALL ABSOLUTE correlate Hexcodes you can use interrupt to access to disk like made in QB45 in this example
https://www.tek-tips.com/faqs.cfm?fid=44

Petr · « **Reply #7 on:** July 30, 2019, 05:51:12 pm »

This is very interresting! Thank you!

Jack002 · « **Reply #8 on:** July 30, 2019, 07:09:16 pm »

Many years ago I wrote an encryption program. The basis was on the XOR function. If you take any byte and flip all it's bits, you have the inverse, and do it again and you have the byte back again.

I make a program that would open a file and read every byte and do an XOR on it and put it into another file, but so no one can just undo my work, it would take a key, I used 1000 byte key in a file, it was like my one time pad. You XOR the file one byte at a time while using the key as a mask. It would mask some bits and not others, you do that and you have an encrypted file.

To decrypyt, just do it again using the same key. If you don't ever lose the key the process is simple and foolproof. Lose the key or it gets comprimised and things get bad

Pete · « **Reply #9 on:** July 30, 2019, 08:23:44 pm »

I encrypted patient files before it became as widespread as it is today. provide you adequately password protect your system, no one who might break into your office would be able to access patient information. maybe I should have sold my system to Capital One. Capital One, what's in their wallet. Oh well, at least they caught the "person" who they strongly believed did the crime, because she was stupid enough to brag she hacked it on social media. Apparently she worked for Amazon for a very short period of time.

I hope they lock her up for 40 years or better still, treat this as a act of domestic terrorism and if she's guilty, throw her in Guantanamo and throw away the non-encrypted key. . Right now, the charges are just weak, something like computer fraud. What a stupid country we live in, just plain stupid.

Pete

keybone · « **Reply #10 on:** July 31, 2019, 12:19:57 pm »

My system's been encrypted since I installed it. The proper way to fix ransomware is to make sure it doesnt happen in the first place.
Good luck trying to hijack an encrypted linux system, they dont even try... They only waste their time on windows because it has the vulnerabilities to pull it off.

TempodiBasic · « **Reply #11 on:** August 01, 2019, 02:59:59 am »

Hi
about

Quote

The proper way to fix ransomware is to make sure it doesnt happen in the first place.

I can agree totally in the way that only a closed system makes sure it doesn't happen!
As like in QB64 you must first compile and then run the exe you are sure that until someone/something doesn't change your code your program is sure because you have compiled it just a second ago, in the same manner it is for open system.
I 'am not able to demonstrate that each open system is also not sure, but a discrete hacker can do it.
A times ago I read that in a challange about security between two groups of university students, somebody has been able to crack and infect linux system used on school machine that are closed to WWW but open to users! The article talked about injection of viral code into code of OS that is compiled at startup of the machine. :-) IMHO If you find a door you find the way to do all you want.

Thanks to read and to feedback!

Qwerkey · « **Reply #12 on:** August 01, 2019, 05:56:33 am »

Quote from: Dimster on July 30, 2019, 10:10:11 am

... possible to write a QB64 program which could decrypt those files ...

Well, good luck with that project! When you have written a Basic program to do that and sell it at $1, your fortune will be made (please hive off a percentage to Fellippe). Let us know from your Bahamian estate.

Dimster · « **Reply #13 on:** August 01, 2019, 08:04:20 am »

We are in the infancy of AI programming, which specializes in patterns. Maybe an AI program could work a solution to a virus or malware?

TempodiBasic · « **Reply #14 on:** August 01, 2019, 08:13:05 am »

in the late '90 I found on the that days on WWW a program that build up as many viruses as you want with so many flags about the action to do... just for cheaters... with that program you are able to make any kind of viruses for DOS an WIndows without no knowledge of programming and structure of OS and you get back the executable and the ASM code.... ;-)
I think that it can be build a program that acts to detect and find anything today ....

News:

Author Topic: Undoing Ransomware (Read 3762 times)

Dimster

Undoing Ransomware

Jack002

Re: Undoing Ransomware

OldMoses

Re: Undoing Ransomware

Petr

Re: Undoing Ransomware

Dimster

Re: Undoing Ransomware

Petr

Re: Undoing Ransomware

TempodiBasic

Re: Undoing Ransomware

Petr

Re: Undoing Ransomware

Jack002

Re: Undoing Ransomware

Pete

Re: Undoing Ransomware

keybone

Re: Undoing Ransomware

TempodiBasic

Re: Undoing Ransomware

Qwerkey

Re: Undoing Ransomware

Dimster

Re: Undoing Ransomware

TempodiBasic

Re: Undoing Ransomware