
How to decrypt data from ransomware


What is a decryption key? How is it used? And most importantly, what’s involved when it comes time to decrypt data from ransomware? For the savvy CISO, understanding how decryption keys work is vital, and it is even more important to understand how ransomware uses them.

“A key is a string of characters with an encryption algorithm for altering data so that it appears random,” according to Cloudflare Learning. “Like a physical key, it locks (encrypts) data so that only someone with the right key can unlock (decrypt) it.”

What is a decryption key? 

A decryption key is used to restore data that has been locked/scrambled via the process of encryption. Perhaps a trusted contact wants to send you information but keep it secure on its way across the internet. The encrypted data would need to be decrypted with the decryption key when it arrives to you.

But you may have found out by now it can be used for nefarious purposes too.

If a third party has breached your defenses, they may choose to encrypt your data and hold it for ransom, offering you the decryption key for a price. Once that price is paid, they will give you a key to decrypt the data their ransomware encrypted… hopefully.

In both cases, a decryption key makes encrypted data usable. 

Symmetric VS Asymmetric Encryption 

If encryption is a coded message you sent your friend in middle school, your decryption key would be the solution to the code. Encryption comes in two forms, symmetric and asymmetric, and to better understand the process of decrypting data from ransomware it helps to know the difference.

Symmetric encryption explained 

In symmetric encryption, the same secret key both encrypts and decrypts, so every party who needs to read the data must already hold that key. That works when the parties know each other and can exchange the key over a trusted channel, but it does not work for securing traffic between strangers on the internet, where there is no safe way to hand the key over first. That is the problem asymmetric encryption solves.

Asymmetric encryption explained

Asymmetric encryption involves a pair of keys, one public and one private. The most familiar place you meet it is the protocol that secures web traffic, originally Secure Sockets Layer (SSL) and today its successor, Transport Layer Security (TLS). You’ve probably seen https vs http when browsing the web; the “s” means the connection is protected by TLS. TLS uses asymmetric cryptography only to authenticate the server and agree on a session key, then switches to symmetric encryption to carry the actual traffic, because symmetric encryption is far faster.

The public key is published in the website’s certificate for anyone to see; the private key stays on the server and is never shared. Your browser does not retrieve the private key. It uses the public key to verify that it is talking to the genuine server and to establish a shared session key that only the two of them know, and only the holder of the private key can complete that exchange.

Ransomware follows the same pattern. Adversaries encrypt the victim’s files with symmetric encryption because it is fast enough to cover terabytes of data, and then wrap the symmetric key asymmetrically: the malware carries the attacker’s public key, encrypts each symmetric file key with it, and discards the plaintext copy. The private key needed to unwrap the file keys never touches the victim’s machine, which is why the “decryption key” the attacker sells is the one thing the victim cannot reconstruct.
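The hybrid scheme described above, as an added example that is not code from the original post or from any ransomware family: a per-file AES-256-GCM key encrypts the data, RSA-OAEP wraps that key with the attacker’s public key, and only the attacker’s private key can unwrap it. Go is used here because its standard library carries both primitives. The attacker key pair, the sample plaintext and the function names are all constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// WrappedFile is what is left behind on the victim's disk: the AES-GCM
// ciphertext, its nonce, and the per-file AES key wrapped with the attacker's
// RSA public key. The plaintext AES key is deliberately not stored anywhere.
type WrappedFile struct {
	Ciphertext []byte
	Nonce      []byte
	WrappedKey []byte
}

// encryptFile models the victim-side step of a hybrid scheme: a fresh random
// AES-256 key encrypts the data (fast, symmetric), then that 32-byte key is
// wrapped with the attacker's public key (asymmetric, slow, but tiny input).
// Only the holder of the matching private key can unwrap it.
func encryptFile(attackerPub *rsa.PublicKey, plaintext []byte) (*WrappedFile, error) {
	fileKey := make([]byte, 32) // AES-256
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)

	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// Zero the key slice: the victim machine must not retain anything that
	// would let a responder decrypt without the attacker's private key.
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &WrappedFile{Ciphertext: ct, Nonce: nonce, WrappedKey: wrapped}, nil
}

// unwrapFileKey is what the attacker's "decryptor" does once the ransom is
// paid: the private key, which never left the attacker, recovers the file key.
func unwrapFileKey(attackerPriv *rsa.PrivateKey, wf *WrappedFile) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, attackerPriv, wf.WrappedKey, nil)
}

// decryptFile restores the plaintext given the unwrapped AES key. AES-GCM
// authenticates the ciphertext, so a wrong key yields an error, not garbage.
func decryptFile(fileKey []byte, wf *WrappedFile) ([]byte, error) {
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, wf.Nonce, wf.Ciphertext, nil)
}

func main() {
	// Constructed attacker key pair. In a real campaign only the public key is
	// embedded in the malware; the private key stays on the attacker's side.
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	plaintext := []byte("constructed sample: Q3 ledger, 4,117 rows")

	wf, err := encryptFile(&attacker.PublicKey, plaintext)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("ciphertext bytes: %d, wrapped key bytes: %d\n", len(wf.Ciphertext), len(wf.WrappedKey))

	// A responder with no private key: an unrelated key cannot unwrap.
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := unwrapFileKey(stranger, wf); err != nil {
		fmt.Println("unwrap without the attacker's private key:", err)
	}

	// Attacker-side decryptor: unwrap the file key, then decrypt.
	fileKey, err := unwrapFileKey(attacker, wf)
	if err != nil {
		log.Fatal(err)
	}
	got, err := decryptFile(fileKey, wf)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("round trip ok:", bytes.Equal(got, plaintext))
}
```

The point for a responder is in the failure branch: the wrapped key on disk is useless without the private key, and because GCM is authenticated, guessing a file key produces an error rather than plausible output. What a real campaign adds on top (one key pair per victim, a key hierarchy, deletion of shadow copies) does not change this structure.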

Why are decryption keys needed for ransomware?

How does ransomware use decryption keys? If a hacker succeeds in breaching your defenses, their next move depends on the value of your data. If your data is valuable on the open market, they may exfiltrate it and sell it to the highest bidder or use it for other dark deeds. But even if your data isn’t valuable on the open market, it still has value.

Hackers know your data still has value to you

This means that if they are able to encrypt your data, you may be willing to pay them to decrypt the data their ransomware encrypted, and to do that you need them to hand over the decryption key. Think of it as a burglar who got into your home while you were gone and changed the locks. Sure, it’s your house, but you need the keys from them. Being locked out is not just a huge inconvenience; it can bring your operations to a complete standstill.

How to decrypt data from ransomware

How do you fight back against the threat actors and decrypt data from ransomware? Prevention is key, but if that ship has sailed you do have a few options.

Option 1: Pay the ransom… wait really?

Obviously, you can pay the hackers for the key. There’s no real guarantee they won’t ransom you again or leave additional hidden traces in your system, but consider that at the end of the day this is a business. If threat actors don’t unlock your data and word gets around that paying does nothing, they lose a revenue stream. It’s in their best interest to send you your key. Before going down this road, check with counsel: in some jurisdictions paying a sanctioned actor is itself illegal.

What happens when you pay the ransom to decrypt your data? The threat actor will, ideally, provide you with a decryption tool that makes your data usable again and/or withdraw the threat of publishing your stolen data. But even if they do work with you, there’s a caveat. “On average, only 65% of the data is recovered and only 8% of organizations manage to recover all data,” according to Gartner. Attacker-supplied decryptors are often slow and buggy, so run one on copies first before letting it loose on production. The attacker may also sell or disclose the data again at a later date if it has value.

Option 2: Hire an incident response company. 

You can also hire an incident response company. This option is pricey, but if your data is valuable or the damage is significant, this may be the best option. A full team will work to get your environment and data back, but this can take weeks to months, and the cost can rival or exceed the ransom demand. Be clear about what they can and cannot do: nobody can break correctly implemented AES or RSA, so recovery comes from backups, from snapshots or shadow copies the malware missed, from published decryptors for families whose cryptography was botched, or from negotiating for the key. Even in this case, there is no real guarantee that the actor is fully out of the system. Our team of tech scouts saw this in a casino breach case where the threat actors used a distraction, which the IR companies were focused on, and hid a backdoor in a different part of the environment.

Preventing Ransomware

Prevention is the logical choice. However, that is easier said than done. You can set up a layered defensive strategy using all the expensive tools in the world, only to have an end user reply to a phishing email, give up credentials and let the attacker into your system. Technology providers are struggling to match the rate at which attackers innovate, and there will always be a new 0-day that exploits a hole in your defenses you weren’t aware of. If they want it badly enough, it will happen. How you respond is truly the tale of the tape when it comes to surviving this battlefield of cyberwarfare. Two preparations matter more than any single tool: tested, offline backups the ransomware cannot reach, and a rehearsed response plan, because together they turn an encryption event from a negotiation into a restore.

Recovery from ransomware is becoming more sophisticated, and several startups on the market we’ve been watching are making huge gains in this space.

Jacob Friedman of 3 Tree Tech

Jacob Friedman is a Technology Scout at 3 Tree Tech in Portland. He enjoys researching new disruptive tech across the full stack and introducing it to tech execs across the United States.
