Rookie Mistake Shows Not All Hackers Are Geniuses


For more than two decades, ransomware attacks have been the bane of enterprise IT managers and their CEOs, and a source of much research for cybersecurity professionals. An underground market for hacking and encryption tools has helped these incursions proliferate, but fortunately a recent case shows what we can learn when attackers don’t know what they’re doing.

Unlike other cyber nuisances, such as viruses, which replicate and cause damage, or denial of service attacks, which bring networks to a standstill, ransomware is almost impossible to undo once it has hit. This is because it uses encryption to lock files, and the secret decryption key is the only way out.

Rather than trying to undo this encryption, most victims simply erase the files and restore their systems from backups. That can take days or weeks, assuming the target has good data practices, and cost millions of dollars; if secure backups don’t exist, it may not be possible at all. And that’s what ransomware attackers are betting on: the cost of rebuilding is so high that a target is willing to pay for a copy of the digital key, which can decrypt the files and restore everything to normal.

But what hackers aren’t betting on is savvy cybersecurity professionals who stumble upon rookie mistakes in malicious code that allow them to reverse encryption without paying the attacker a dime.

This is exactly what a group of researchers on the X-Force team of International Business Machines Corp. did. Taipei-based CyCraft Corp. also managed to find the flaws and offered free decryption tools.

In an article on the IBM Security Intelligence website and a recent presentation at the RSA Security Conference, researchers explained how they spotted an error in the code of the Thanos ransomware family. Prometheus, a variant of Thanos, is said to have claimed at least 30 victims in industries such as manufacturing, logistics and finance.

Everything revolves around randomness. It is one of the most important properties of good encryption, because the encryption and decryption keys – they often come in the form of a mathematically linked pair – rely on being almost impossible to guess. And because these numeric passwords are so long, a brute-force attack – cycling through every possible combination to find the one that works – is infeasible.

Unfortunately, machines are terrible at randomness; it’s against their nature. (Computers are incredibly predictable: the same inputs passed through the same system will always return the same result.) So, to create randomly generated keys, computer scientists have developed pseudo-random number generators that mimic real chance. (1) When used correctly, these software tools can do a very good job of creating hard-to-crack passwords and encryption keys.

But Thanos’ writers didn’t use these tools properly. Instead, they hard-coded one part of the process and seeded another with the victim computer’s uptime counter, a value that is very predictable.

The researchers found this first part (it was a sequence of numbers from one to eight) and then only had to work out how long the computer had been running when the malware was deployed. (2) That took more research and some trial and error, but they could make educated guesses. From there, it was just a matter of plugging the numbers together to see whether they produced a cryptographic key that matched. They did. As a result, the malware’s super-secret key wasn’t nearly as hard to guess as its developers thought.
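The search described above, reconstructed as an added example in Python (this is not code from the column or from the IBM or CyCraft research). It ports the legacy .NET System.Random algorithm, the Knuth subtractive generator that .NET still uses whenever a seed is passed to the constructor, then models a victim-side generator that seeds it with Environment.TickCount (milliseconds since boot) and brute-forces that seed over a narrowed uptime window. Everything below the port is an assumption for illustration: the 32-character alphanumeric password, the SHA-256 stand-in for whatever key derivation the real scheme used, the tick value of the constructed victim, and the fingerprint oracle, which in a real decryptor would be "decrypt one file and look for a known header" (the standard library ships no block cipher, so a fingerprint comparison stands in for it).

```python
"""Why a clock-seeded System.Random is recoverable: a port of the legacy .NET
System.Random (seeded path), a hypothetical TickCount-seeded password generator
modelled on the flaw the column describes, and the decryptor's seed search."""
import hashlib
import secrets
import string

MBIG = 2**31 - 1      # Int32.MaxValue
MSEED = 161803398     # constant from the .NET reference source


def _i32(x: int) -> int:
    """Wrap to a signed 32-bit int, mirroring C#'s unchecked int arithmetic."""
    x &= 0xFFFFFFFF
    return x - 0x100000000 if x >= 0x80000000 else x


class DotNetRandom:
    """Port of System.Random(int seed) as implemented in the .NET reference source."""

    def __init__(self, seed: int) -> None:
        seed = _i32(seed)
        subtraction = MBIG if seed == -2**31 else abs(seed)
        mj = _i32(MSEED - subtraction)
        self._seed_array = [0] * 56
        self._seed_array[55] = mj
        mk = 1
        for i in range(1, 55):
            ii = (21 * i) % 55
            self._seed_array[ii] = mk
            mk = _i32(mj - mk)
            if mk < 0:
                mk = _i32(mk + MBIG)
            mj = self._seed_array[ii]
        for _ in range(1, 5):          # four mixing passes over the table
            for i in range(1, 56):
                v = _i32(self._seed_array[i] - self._seed_array[1 + (i + 30) % 55])
                if v < 0:
                    v = _i32(v + MBIG)
                self._seed_array[i] = v
        self._inext, self._inextp = 0, 21

    def _internal_sample(self) -> int:
        loc_inext = self._inext + 1
        if loc_inext >= 56:
            loc_inext = 1
        loc_inextp = self._inextp + 1
        if loc_inextp >= 56:
            loc_inextp = 1
        ret = _i32(self._seed_array[loc_inext] - self._seed_array[loc_inextp])
        if ret == MBIG:
            ret -= 1
        if ret < 0:
            ret = _i32(ret + MBIG)
        self._seed_array[loc_inext] = ret
        self._inext, self._inextp = loc_inext, loc_inextp
        return ret

    def next(self, max_value: int) -> int:
        """Random.Next(maxValue): (int)(Sample() * maxValue), Sample() = sample * (1.0 / MBIG)."""
        return int((self._internal_sample() * (1.0 / MBIG)) * max_value)


CHARSET = string.ascii_letters + string.digits   # assumed alphabet, not Thanos's actual one
HARDCODED_IV = bytes(range(1, 9))                # the fixed "one to eight" constant the column describes


def generate_password(tick_count: int, length: int = 32) -> str:
    """Hypothetical victim side: seed System.Random with Environment.TickCount and draw
    the password from it, so the password is a pure function of system uptime."""
    rng = DotNetRandom(tick_count)
    return "".join(CHARSET[rng.next(len(CHARSET))] for _ in range(length))


def derive_key(password: str) -> bytes:
    """Stand-in KDF (assumption): the page doesn't give the real derivation, so the fixed
    IV is mixed with the password via SHA-256 to show the only secret input is the password."""
    return hashlib.sha256(HARDCODED_IV + password.encode()).digest()


def recover_password(key_matches, tick_lo: int, tick_hi: int):
    """Decryptor side: walk the uptime window and return (tick, password) for the first
    candidate key_matches() accepts, else None. A real decryptor's key_matches would
    decrypt one file and test for known magic bytes (PNG, PK, %PDF)."""
    for tick in range(tick_lo, tick_hi + 1):
        pw = generate_password(tick)
        if key_matches(derive_key(pw)):
            return tick, pw
    return None


def demo():
    true_tick = 37_482_119                       # constructed: machine up ~10.4 hours when hit
    victim_key = derive_key(generate_password(true_tick))
    fingerprint = hashlib.sha256(victim_key).digest()   # constructed oracle, see lead-in

    def key_matches(candidate: bytes) -> bool:
        return hashlib.sha256(candidate).digest() == fingerprint

    # Forensics pins boot time to within a couple of seconds, so the window is a few
    # thousand TickCount values, not all 2**31 of them.
    return recover_password(key_matches, true_tick - 1500, true_tick + 1500)


def generate_key_correctly() -> bytes:
    """What the authors should have done: an OS CSPRNG, no seed, no clock."""
    return secrets.token_bytes(32)
```

The point of the search window: a day of uptime is about 86 million TickCount values, which is a trivial keyspace next to the 2^256 a properly generated 32-byte key offers, and any forensic hint about boot time (event logs, file timestamps) shrinks it further. Validate the port against a real .NET runtime before relying on it in a decryptor, since a single off-by-one in the table indexing produces a plausible-looking but wrong stream.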

Beyond simply depicting clever investigative work by the cyber-intelligence community, the case of Thanos’ faulty encryption speaks volumes about modern hacking. First, as researchers are well aware, much of this malware is recycled by a large community of potential attackers, many of whom don’t really understand the tools they use. Moreover, the people who hack computer systems and those who write the malicious tools – often separate groups – are not always experts in their field. Using a hard-coded initialization vector is a pretty basic mistake. This means the flaws are often repeated and give researchers the kind of fingerprints they need to track and defend against growing threats.

As ransomware attacks increase in size and scale, it can be at least a consolation to know that not all hackers are geniuses.

• They may be kids, but Lapsus$ hackers are giants: Tim Culpan

• Technology baffled my FDIC colleagues: Sultan Meghji

• Insurers must prepare for catastrophic cyber risk: Olson and Culpan

(1) The difference can be quite esoteric. A human wouldn’t be able to spot patterns in the way these numbers are created, but given enough time, a computer could.

(2) This is called an initialization vector. It was paired with the seed, which was created using C#’s Random class seeded with Environment.TickCount. A full recap is provided in the blog post.

This column does not necessarily reflect the opinion of the Editorial Board or of Bloomberg LP and its owners.

Tim Culpan is a Bloomberg Opinion columnist covering technology in Asia. Previously, he was a technology reporter for Bloomberg News.
