0
$\begingroup$

I have 2 different images, one original, and one locked by a malware detected by eset as "Win32/Filecoder.Q".

How to detect the encryption method that is used and the key, that is not using any public key/rsa/rc4 algorithm. There is diff:

original file locked file

If needed I can attached files (locked and original).

Improve this question
$\endgroup$
5
  • $\begingroup$ Why is there a short red line between yvc and .O° for the locked file? ​ ​ $\endgroup$ Commented Apr 24, 2016 at 6:24
  • $\begingroup$ @RickyDemer It's a delimited to show that file headers are not touched (i draw it) $\endgroup$ Commented Apr 24, 2016 at 6:25
  • $\begingroup$ Why do you say "not using" "RSA/RC4"? How do you know that? Also, even if it is using a symmetric algorithm, the key is probably not in the encrypted file, so looking at it does not help. $\endgroup$ Commented Apr 24, 2016 at 6:34
  • $\begingroup$ @otus because it's a scriptkiddy realisation. Having these files can't find key anyway? $\endgroup$ Commented Apr 24, 2016 at 6:40
  • 1
    $\begingroup$ @Daniel probably not. See related questions about CryptoLocker and CryptoWall. $\endgroup$ Commented Apr 24, 2016 at 6:54

1 Answer 1

Reset to default
1
$\begingroup$

Filecoder.Q ransomware used one of three encryption algorithms: XOR ,Tiny Encryption Algorithm(TEA) and AES,but this ransomware does not encrypt beginning of the files so in your picture beginning of original and locked file are equal.if this ransomware uses XOR Algorithm then you can decrypt locked file with XORing original file and locked file(key Extraction) else if it uses TEA Algorithm then decryption of file is hard(but possible),but decryption of file when it uses AES is impossible.

Improve this answer
$\endgroup$
6
  • $\begingroup$ Why do you say decryption is possible with TEA? It is secure, AFAIK. Do you mean some kind of attack exploiting its small block size? $\endgroup$ Commented Apr 25, 2016 at 4:53
  • $\begingroup$ I tried to find key, for XOR algorithm, but no success $\endgroup$ Commented Apr 25, 2016 at 6:18
  • $\begingroup$ @otus i speak about some cryptanalysis of TEA like this link:schneier.com/cryptography/archives/1997/11/… $\endgroup$ Commented Apr 25, 2016 at 9:33
  • $\begingroup$ @Daniel you should XOR bits of original file with equivalent bits of locked file and the result is key,or you can use ESET Filecoder.Q Cleaner $\endgroup$ Commented Apr 25, 2016 at 9:40
  • $\begingroup$ @0skar, those are related key attacks, which are pretty much not useful in practice. $\endgroup$ Commented Apr 25, 2016 at 13:20

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.