Ransomware like CryptoLocker, which encrypts precious files and holds them that way until a ransom is paid, is becoming more and more common. However, not all threats are as difficult to beat as CryptoLocker.
A couple of French security researchers who work for Airbus, Fabien Perigaud and Cedric Pernet, have come across a new piece of ransomware dubbed BitCrypt. They analyzed the malware after it infected a computer belonging to one of their friends and encrypted all the pictures of his children.
Since he had no backups, the only solution was to pay the 0.4 Bitcoin ransom or try to decrypt the files. After analyzing the ransomware, Perigaud and Pernet found that the developer had made a big mistake.
He intended to generate a 128-byte (1024-bit) key, but instead generated a 128-digit number, which is equivalent to only 426 bits. While 1024-bit RSA is not easily breakable with standard computers, the 426-bit key was cracked in 43 hours on a regular quad-core PC.
The cado-nfs tool was used to obtain the encryption key. The experts have also published a Python script designed to restore the encrypted files. Additional technical details are available on the Cassidian Cybersecurity blog.
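The digit/byte mix-up described above is the kind of error a key-size check catches before a key is ever used. The following Python sketch is an added example, not code from the researchers or from the malware; the function names and sample values are constructed for illustration.

```python
def bit_range_for_decimal_digits(digits: int) -> tuple[int, int]:
    """Min and max bit length of a positive integer with `digits` decimal digits."""
    return (10 ** (digits - 1)).bit_length(), (10 ** digits - 1).bit_length()


def audit_modulus(n: int, intended_bits: int) -> dict:
    """Compare a modulus against the intended key size (hypothetical helper)."""
    actual_bits = n.bit_length()
    digits = len(str(n))
    finding = "ok"
    if actual_bits < intended_bits:
        finding = "undersized"
        # Signature of the mistake in the article: the size that was meant
        # as a byte count ended up as a count of decimal digits.
        if digits == intended_bits // 8:
            finding = "undersized: digit count equals intended byte count"
    return {"intended_bits": intended_bits, "actual_bits": actual_bits,
            "decimal_digits": digits, "finding": finding}


# Constructed sample values: size stand-ins only, not real RSA moduli.
SAMPLE_128_DIGITS = int("7" * 128)   # 128 decimal digits
SAMPLE_128_BYTES = (1 << 1023) | 1   # 128 bytes, top bit set

if __name__ == "__main__":
    # Any 128-digit number is at most 426 bits long, far short of 1024.
    print(bit_range_for_decimal_digits(128))
    for sample in (SAMPLE_128_DIGITS, SAMPLE_128_BYTES):
        print(audit_modulus(sample, intended_bits=1024))
```

A check like this belongs right after key generation or key import, where it can reject the key instead of only reporting on it.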