What is RSA-4096 ransomware and how to protect against it

“RSA-4096 ransomware” is the name given to ransomware that uses the RSA public-key algorithm with a 4096-bit key as part of the scheme that locks a victim’s data until a ransom is paid. RSA-4096 is not itself malware. RSA is a widely used and well-regarded algorithm for protecting keys and signatures in secure communications, and a 4096-bit key is a conservative choice that sits above the 2048-bit size in common use today.

The RSA system is highly respected and sits under widely used secure connection systems: in HTTPS, for example, RSA keys sign most server certificates. Ransomware, however, works by encrypting a victim’s data and then charging for the decryption key, and that scheme can be built on any cipher; some strains use RSA-4096. So, just to be clear, RSA-4096 isn’t ransomware; it is a valid security measure that some ransomware happens to use for its encryption mechanism.

While RSA encryption is a powerful tool for securing data, it can also be weaponized by malicious actors who take advantage of its widespread use. This highlights the importance of understanding encryption technologies and employing additional layers of security to protect against ransomware attacks that leverage such sophisticated encryption methods.

Ordinarily, the victim of a ransomware attack isn’t told what type of encryption was used to lock up affected files. Honestly, that isn’t the first question that springs to mind when a company is being blackmailed by some outsider who is holding its files hostage. Cybersecurity researchers look into such matters and publish profiles of each new ransomware strain, detailing its characteristics, including its encryption cipher. This is how we now know which ransomware systems used RSA-4096.

What is RSA?

The name “RSA” applies to an encryption cipher and the business that manages and distributes the encryption system. That business is called RSA Security LLC.

Three people created the RSA encryption system: Ron Rivest, Adi Shamir, and Leonard Adleman. The name of the system comes from the first letter of those three surnames. Then working at the Massachusetts Institute of Technology (MIT), the three devised RSA in 1977 and published it in 1978. The algorithm received a US patent in 1983, but that patent was awarded to MIT, not to the three individual inventors.

Despite not owning the patent, the three licensed the technology from MIT and founded RSA Data Security to commercialize it. The patent expired in September 2000 (RSA Security released it into the public domain two weeks early), after which anyone could use the algorithm without a license. Note that the algorithm itself was never a secret: it had been published in 1978, and its security never depended on keeping the method hidden.

RSA is one of the algorithms used inside Transport Layer Security (TLS), the protocol that turns the Hypertext Transfer Protocol (HTTP) into HTTPS. Most server certificates carry RSA signatures, and older TLS versions also used RSA to exchange the session key (TLS 1.3 dropped RSA key exchange in favour of Diffie-Hellman). RSA is also widely used in virtual private network (VPN) systems, for example to authenticate the two ends of an IPsec or OpenVPN tunnel.

So, RSA is not ransomware; it is a building block of protected internet transmissions. However, the structure of RSA is ideal for ransomware authors: the key that encrypts can be left on the victim’s machine, while the only key that can decrypt never needs to be there.

What is asymmetric key cryptography?

In an asymmetric key encryption system, the key used to decrypt data is different from the key that encrypted it. In RSA, the same operation (raising a number to a power modulo a large number n) does both jobs; what differs is the exponent plugged in, and the two exponents are generated as a matched pair. Knowing the encryption exponent and n does not let you compute the decryption exponent unless you can factor n into the two primes it was built from. Knowing the formula therefore does you no good: the method is public and the key is the secret. That is why RSA could be published in 1978, patented, and released into the public domain in 2000 without losing any of its security.

For a simple illustration with tiny numbers, pick the primes p = 5 and q = 11, so n = 55 and (p − 1)(q − 1) = 40. Choose an encryption exponent e = 3 (it shares no factor with 40) and compute its partner d = 27, because 3 × 27 = 81 = 2 × 40 + 1. To encrypt the value 9, compute 9^3 mod 55 = 729 mod 55 = 14. To decrypt, compute 14^27 mod 55, which brings back 9. You publish (55, 3) for your correspondents to encrypt with and keep 27 to yourself. Someone holding only (55, 3) can find d = 27 only by first factoring 55 into 5 × 11; with a real n of hundreds of digits, that factoring step is the whole difficulty.

In real RSA the numbers are vastly larger, but the principle is the one shown. The scheme is designed so that anyone who intercepts the encryption key cannot feasibly work out the decryption key: doing so is as hard as factoring n, and at the key sizes in use today that is beyond any known computer. In the RSA system, you can’t decrypt a text by using the encryption key.

In asymmetric cryptography, it is common practice to publish the encryption key but keep the decryption key a secret. Thus, the encryption key is also known as the public key, and the decryption key is called the private key. Therefore, asymmetric key systems are also known as “public key encryption”.

What is 4096?

Any key can in principle be found by trying possible values until one works. This is called a brute force attack, and the time it takes grows exponentially with the key length. RSA also has a shortcut that is faster than guessing the key outright: factoring the modulus n yields the private key directly. RSA key lengths are therefore chosen so that factoring, not just guessing, is out of reach.

Key lengths are expressed in bits, not characters. For RSA, the length quoted is the size of the modulus n. Common sizes are powers of two such as 1024, 2048 and 4096 bits, although other multiples of eight are possible.

For many years 1024-bit RSA keys were the norm, and a 1024-bit modulus would take a lot of resources and a lot of time to factor. For scale, RSA-155 (512 bits) was factored in 1999, RSA-768 in 2009, and the largest publicly factored modulus, RSA-250 at 829 bits, in 2020. Criminal groups don’t buy massive computers and spend years on one key, partly because the keys they would want to crack are changed long before the work would finish.

Governments have resources that criminals lack. No 1024-bit RSA modulus has ever been publicly factored, but factoring one is believed to be within reach of a well-funded state, and whether any government (China is often named) has already done so is not publicly known. What is known is that 1024-bit RSA is no longer considered secure: NIST disallowed it for new signatures after 2013, and certificate authorities stopped issuing 1024-bit certificates around 2014.

The usual step up is 2048 bits, which NIST rates as acceptable through 2030 and which most ransomware that uses RSA adopts. Larger keys give more margin; 4096 bits is the largest size in common use, though RSA permits longer keys still.

Once 1024-bit keys are within a state’s reach, 2048-bit keys become the next target, even though no practical attack on them is public. To buy some time, the most security-conscious organizations in the world have ramped up their protection by moving to 3072- or 4096-bit RSA keys. Unfortunately, a small number of ransomware producers have implemented the same strategy.
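The asymmetric-key explanation and the key-length discussion above, as one added example that is not part of the original article: textbook RSA on toy-sized numbers, showing that the public key cannot undo its own work and that recovering the private key from the public one means factoring n, which is cheap for a 20-bit modulus and out of reach for a 2048- or 4096-bit one. The primes, the message value and the trial-division cracker are illustrative choices; real RSA also uses padding (OAEP), which is left out here.

```python
# Added example, not the article's code: textbook RSA on toy-sized numbers, to
# show the public/private asymmetry and why modulus size decides key strength.
from math import gcd, isqrt


def make_keypair(p: int, q: int, e: int = 65537):
    """Build ((n, e), (n, d)) from two primes. Anyone who knows p and q gets d
    in one line; anyone who knows only n has to factor it first."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse, Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """c = m^e mod n. Textbook RSA: no padding, so illustration only."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """m = c^d mod n. Same operation as encrypt, different exponent."""
    n, d = private_key
    return pow(c, d, n)


def recover_private_key(public_key):
    """Recover d from (n, e) alone by factoring n with trial division.

    Factoring is the attacker's only route, and its cost grows with the size
    of n: trial division is hopeless past a few dozen bits, and no 1024-bit
    modulus has ever been publicly factored even with the best algorithms.
    """
    n, e = public_key
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return make_keypair(p, n // p, e)[1]
    raise ValueError("no factor found")


def demo():
    # Toy primes (20-bit modulus). RSA-2048 uses two ~1024-bit primes and
    # RSA-4096 two ~2048-bit primes; the maths is identical.
    public, private = make_keypair(p=1009, q=1013)
    c = encrypt(public, 4096)
    restored = decrypt(private, c)
    cracked = recover_private_key(public)    # feasible only because n is tiny
    return restored, cracked == private


if __name__ == "__main__":
    print(demo())                            # (4096, True)
```

The same functions reproduce the p = 5, q = 11 walk-through from the previous section (make_keypair(5, 11, 3) gives d = 27, and 9 encrypts to 14). Try recover_private_key with two 32-bit primes and the trial-division loop already takes minutes; that growth, continued to 2048 and 4096 bits, is the entire security argument.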

RSA-4096 ransomware

Although a longer key is more secure, it requires more processing, and encryption with long keys takes longer to complete. Ransomware authors don’t want the encryption run to be slow: if the target company has file protection systems in place, the security software can spot the attack at the first few file modifications and stop it before much is lost.

Not only is RSA-4096 slow, but RSA in general is unsuited to encrypting large amounts of data. Each RSA operation is expensive, and it can only handle a message smaller than the modulus (with the standard OAEP padding, about 446 bytes for a 4096-bit key). Faster ciphers are used for the files themselves.

The most widely used symmetric cipher today is the Advanced Encryption Standard (AES). Symmetric means that the same key is used to encrypt and decrypt data. Symmetric ciphers reach a given security level with much shorter keys: AES is defined for 128-, 192- and 256-bit keys, and 256 bits is the largest.

Ransomware therefore uses AES-256 (or another fast symmetric cipher) to encrypt files, stores the per-file keys in a file on the target computer, and encrypts that key file with RSA-4096. Stream ciphers from the Salsa20 family (Salsa20 and its relative ChaCha20) are the other common choice. So, if you have been attacked by RSA-based ransomware, your files themselves were most likely encrypted with AES-256 or Salsa20/ChaCha20, and only the keys were encrypted with RSA.

How does RSA-4096 ransomware operate?

Ransomware authors like the RSA cipher because it doesn’t matter if security analysts recover the encryption (public) key from the malware: the decryption (private) key never touches the victim’s machine. In some ransomware, the RSA public key is hard-coded into the program. In more sophisticated families, including ones that use RSA-4096, the public key is bundled with the attack package in a separate file, which lets the operators easily use a different RSA key for each attack.

In most cases, the ransomware generates a separate AES key for each file it encrypts, writes the original file name and that key into an index or database file, and renames the encrypted file. Once all files have been converted, the ransomware encrypts the database file with the RSA-4096 public key. The public key, or an identifier derived from it, is sometimes also displayed in the ransom note.

When victims contact the attackers to negotiate ransom payments, they have to quote that key or identifier. If the attackers intend to restore the systems of victims who pay, they send back a decryptor with the matching private key already embedded in it. This decryptor first decrypts the database file and then works through each line of that file, decrypting the referenced file with its stored AES key.

Some ransomware instead generates a separate attack ID. In those cases the program needs to send the ID and the RSA public key to the command and control server. In rarer cases, the RSA key pair is generated locally on the victim’s machine, the private key is sent to the attackers together with the attack ID, and it is then deleted from the local computer.
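The operation described in this section, as an added simulation that is neither the article’s code nor that of any real ransomware family: a per-file random key, files rewritten under a new extension, a name-to-key index, and an RSA-wrapped key that only the private key can unwrap, followed by the decryptor a paying victim would receive. Everything runs on constructed files in a temporary directory. Assumptions: the symmetric cipher is a stand-in built from HMAC-SHA256 because AES and Salsa20 are not in the Python standard library; the RSA is textbook (no padding) and uses a 512-bit modulus for speed, where a real locker would use 2048 or 4096 bits; the file and field names are invented.

```python
# Added example, not the article's code and not any real ransomware: a simulation
# of the hybrid scheme described above, run on constructed files in a temp dir.
import hashlib
import hmac
import json
import secrets
import tempfile
from pathlib import Path


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keypair(bits: int = 2048, e: int = 65537):
    """Return ((n, e), (n, d)): textbook RSA, no padding, illustration only."""
    def prime(b: int) -> int:
        while True:
            cand = secrets.randbits(b) | (1 << (b - 1)) | 1      # top bit set, odd
            if is_probable_prime(cand):
                return cand
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256/Salsa20 (neither is in the stdlib): keystream block i
    is HMAC-SHA256(key, nonce || i). XOR is its own inverse, so this runs both ways."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def locker(root: Path, public_key) -> int:
    """Per-file random key; file rewritten as <name>.locked and the original removed.
    The name->key index is encrypted under one more key, which is wrapped with RSA."""
    n, e = public_key
    index = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        path.with_name(path.name + ".locked").write_bytes(
            nonce + stream_xor(key, nonce, path.read_bytes()))
        path.unlink()
        index[str(path.relative_to(root))] = key.hex()
    index_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(index_key, "big"), e, n)    # only d can undo this
    (root / "keys.db").write_text(json.dumps({
        "wrapped_key": hex(wrapped), "nonce": nonce.hex(),
        "index": stream_xor(index_key, nonce, json.dumps(index).encode()).hex()}))
    return len(index)


def decryptor(root: Path, private_key) -> int:
    """What a paying victim gets: unwrap the index key, then every per-file key."""
    n, d = private_key
    db = json.loads((root / "keys.db").read_text())
    index_key = pow(int(db["wrapped_key"], 16), d, n).to_bytes(32, "big")
    index = json.loads(stream_xor(index_key, bytes.fromhex(db["nonce"]),
                                  bytes.fromhex(db["index"])))
    for rel, key_hex in index.items():
        locked = root / (rel + ".locked")
        blob = locked.read_bytes()                              # nonce || ciphertext
        (root / rel).write_bytes(stream_xor(bytes.fromhex(key_hex), blob[:16], blob[16:]))
        locked.unlink()
    (root / "keys.db").unlink()
    return len(index)


def simulate():
    """Constructed victim tree; returns (files restored, all content back intact)."""
    samples = {"docs/report.txt": b"Q3 figures (constructed sample)\n" * 50,
               "notes.md": b"# constructed sample note\n"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        public, private = rsa_keypair(bits=512)   # toy size for speed; real: 2048-4096
        locked = locker(root, public)
        gone = all(not (root / rel).exists() for rel in samples)
        restored = decryptor(root, private)
        intact = all((root / rel).read_bytes() == data for rel, data in samples.items())
    return restored, gone and intact and locked == restored


if __name__ == "__main__":
    print(simulate())      # (2, True)
```

Note what the victim is left with after locker() runs: the public key (n, e), keys.db with the wrapped index key, and files whose keys are inside that index. Without d nothing on the disk helps, which is why the incident-response question is never “which cipher” but “do we have backups”. The one thing a defender can look for is an implementation mistake, such as the key index being left unencrypted, which is exactly the flaw the early TeslaCrypt versions discussed below had.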

What ransomware uses RSA-4096?

Although most ransomware uses RSA for its outer layer of encryption, the cipher is usually deployed with a 2048-bit key. Only a handful of currently known ransomware families use RSA with a 4096-bit key, and all of these encrypt files with AES-256. These are:

Earlier versions of TeslaCrypt did not use the RSA cipher to protect the encryption key index file. They used a symmetric cipher instead, which security researchers were able to break. The authors switched this protection to RSA with version 3 of the ransomware.

How to protect against RSA-4096 ransomware

Unfortunately, there is no practical way to break the RSA-4096 encryption that protects the encryption key database in these ransomware attacks, unless the malware has an implementation flaw. The groups that operate RSA-4096 ransomware generally send a decryptor to victims who pay, which allows the system to be restored, but payment is no guarantee: decryptors are sometimes buggy, slow, or never arrive at all.

The best policy is to keep all forms of ransomware off your systems in the first place. The two most common ways RSA-4096 ransomware reaches a target are an infected email attachment or a fake download (a trojanized torrent, for example), and a remote connection over Remote Desktop Protocol (RDP) using weak or stolen credentials.

Do not expose RDP directly to the internet: put it behind a VPN or a gateway, require multi-factor authentication and Network Level Authentication, enforce strong passwords with account lockout, and patch promptly. Educate your users against opening unexpected attachments from emails.

Your defense strategy also needs to include automated anti-ransomware security software.

The best tools to defend against RSA-4096 ransomware

File integrity monitoring is useful for catching a ransomware attack early, because mass encryption shows up as a burst of file rewrites and renames. It is also essential to back up all of your files frequently and to keep at least one copy offline or immutable, so that the ransomware cannot encrypt the backups along with the originals.
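The file-integrity-monitoring point above, as an added example that is not from the article or from either vendor discussed below: a minimal monitor that takes a baseline of hashes and then flags the two early signs of a locker at work, many files replaced within one scan by near-random (high-entropy) content and the original names vanishing in favour of the same names with an extra extension. The entropy threshold, the file-count threshold and the sample files are constructed assumptions.

```python
# Added example, not the article's or either vendor's code: a minimal file
# integrity monitor that flags the early signs of a locker at work, namely many
# files replaced within one scan by near-random (high-entropy) content, often
# under a new extension. Thresholds and sample data are constructed assumptions.
import hashlib
import math
import secrets
import tempfile
from pathlib import Path
from typing import Dict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / len(data)) * math.log2(c / len(data)) for c in counts if c)


def snapshot(root: Path) -> Dict[str, str]:
    """Baseline: relative path -> SHA-256 of content."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def assess(root: Path, baseline: Dict[str, str],
           entropy_threshold: float = 7.0, mass_threshold: int = 5) -> dict:
    """Compare the tree with the baseline and decide whether it looks like mass encryption."""
    current = snapshot(root)
    modified = [p for p in baseline if p in current and current[p] != baseline[p]]
    deleted = [p for p in baseline if p not in current]
    new = [p for p in current if p not in baseline]
    # A rewritten or new file whose bytes look random is the fingerprint of encryption
    # (archives and images look the same, which is why a count threshold is applied).
    high_entropy = [p for p in modified + new
                    if shannon_entropy((root / p).read_bytes()) >= entropy_threshold]
    # "report.txt" vanished and "report.txt.locked" appeared: the rename pattern.
    renamed_away = [p for p in deleted if any(n.startswith(p + ".") for n in new)]
    alert = len(high_entropy) >= mass_threshold
    return {"modified": modified, "deleted": deleted, "new": new,
            "high_entropy": high_entropy, "renamed_away": renamed_away, "alert": alert}


def demo() -> dict:
    """Constructed scenario: a benign edit, then a simulated locker, in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(8):
            (root / f"doc{i}.txt").write_bytes((b"constructed sample text, line %d\n" % i) * 40)
        baseline = snapshot(root)
        (root / "doc0.txt").write_bytes(b"edited by a user\n" * 40)      # ordinary change
        benign = assess(root, baseline)
        for i in range(1, 7):                                              # simulated locker
            p = root / f"doc{i}.txt"
            p.with_name(p.name + ".locked").write_bytes(secrets.token_bytes(4096))
            p.unlink()
        attacked = assess(root, baseline)
    return {"benign_alert": benign["alert"], "attack_alert": attacked["alert"],
            "renamed": len(attacked["renamed_away"])}


if __name__ == "__main__":
    print(demo())    # {'benign_alert': False, 'attack_alert': True, 'renamed': 6}
```

Two caveats a practitioner should keep in mind. Compressed or already-encrypted files (zip, jpeg, office documents) sit near 8 bits per byte in normal use, so entropy alone is noisy and the count-within-a-window logic and the rename pattern matter as much as the entropy number. And a scan-based monitor like this one only notices damage after the fact; the commercial tools below hook file-system events so that they can kill the writing process after the first few files rather than after the next scan.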

The best protection system to prevent ransomware needs to combine prevention services, detection systems, and emergency response mechanisms. Here are two packages that you should consider.

1. CrowdStrike Falcon Insight

CrowdStrike Falcon Insight is a coordinated endpoint detection and response system that operates cloud-based oversight of device-resident next-gen AV software. That endpoint package is available individually as Falcon Prevent. So, Falcon Insight is Falcon Prevent with a SaaS console to manage each AV instance.

Key Features:

  • Hybrid system
  • Centralizes threat detection
  • Local protection
  • Zero-day detection
  • Can cover multiple sites

Why do we recommend it?

CrowdStrike Falcon Insight operates a threat intelligence feed on multiple levels. This is a hybrid solution with an on-device element and a central data processor for threat detection. If a device is cut off from the network, whether by the malware or for any other reason, the on-device protection continues to operate.

The Insight cloud controller monitors activity reports sent up by endpoint agents and searches through for indicators of compromise, much like a SIEM. First, the cloud service gets a threat intelligence feed that adjusts the searches for indicators. Then, the endpoint agents perform their checks, which means that protection continues even if the device gets disconnected from the network.

The Insight package includes instant response measures, such as isolating the device to prevent viruses such as ransomware from spreading. It can also shut down compromised user accounts and kill suspicious processes.

Who is it recommended for?

CrowdStrike Falcon Insight is easily expandable. Whenever you want to add an endpoint to the protection system, you just install a copy of Falcon Prevent on it. This acts as the endpoint agent and includes the new device in the Insight network. However, the system is pricey and beyond the budgets of small businesses.

Pros:

  • Device protection continues even when the endpoint is disconnected from the network
  • Device agent available for Windows, Linux, and macOS
  • Can include endpoints on multiple sites and also the devices of work-from-home employees
  • Centralizes threat hunting with a constantly updated threat intelligence
  • Provides a common threat intelligence pool for all endpoints

Cons:

  • The free trial only covers the endpoint element

The Falcon system searches for activity anomalies rather than for a list of files or process names. This enables it to block zero-day attacks. You can get a 15-day free trial of Falcon Prevent.

2. ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus is a strong choice if your system holds sensitive data, because theft of or damage to sensitive data can cost your company a lot of money in fines and litigation.

Key Features:

  • Sensitive data discovery
  • Data protection
  • File integrity monitoring
  • User activity tracking

Why do we recommend it?

ManageEngine DataSecurity Plus offers a range of defense techniques to block ransomware. The tool will spot the initial activity of ransomware, which involves altering file permissions and renaming files. The tool will then kill the suspicious process, raise an alert, and report on events.

The DataSecurity Plus system includes a file integrity monitor (FIM). This detects unauthorized changes to files and catches the encryption activity of ransomware early.

The quick responses included in DataSecurity Plus include killing processes, suspending user accounts, blocking communication with specific IP addresses, and isolating the device from the network. In addition, DataSecurity Plus protects devices running Windows, which are the usual targets of RSA-4096 ransomware.

Who is it recommended for?

This tool has many purposes; its primary function is as a data loss prevention system. So, it is particularly useful for businesses that hold and process sensitive data. The package is actually a bundle of four units, which can be bought individually. You need the File Server Auditing unit for ransomware protection.

Pros:

  • Ransomware early warning by spotting file changes
  • Quick reaction to malware signs to shut down malicious activity
  • Provides an audit trail
  • Isolates infected devices to stop the threat from spreading

Cons:

  • Only available for Windows Server

ManageEngine DataSecurity Plus installs on Windows Server, and it is available for a 30-day free trial.