Encryption has been around for a very long time. Early forms included Caesar’s Box, a simple cipher used by Julius Caesar to securely communicate with his generals while in the field.
Since then, cryptography has improved dramatically. With a greater understanding of mathematics and the principles of information security, cryptographers have been able to design ciphers that are both functional and secure.
The modern ciphers that we use every day are designed to be impossible to break with current technology. Without knowledge of the secret key, it’s impossible to read the encrypted data. This is very useful for legitimate purposes, like protecting sensitive data as it is stored and moves across the Internet. However, not all uses of cryptography are benign.
In this blog, we'll explore cryptography in the context of cybersecurity, how it helps prevent modern cybercriminals from accessing sensitive data, and how those same cybercriminals can use it to their advantage.
The main purpose of cryptography is to keep secrets, and malware authors have many secrets to keep. Malware is designed for a variety of purposes, but none of them is in the best interests of the malware’s target. As a result, people actively search for and destroy any malware on their systems.
In order to protect their operations, malware authors often incorporate encryption into several stages of the malware infection lifecycle.
Common uses of malware encryption include:
Obviously, most people don’t want malware on their computers. As a result, individuals and organizations deploy antivirus, firewalls, and other cyber defense solutions to minimize their risk of infection. Malware is delivered in a variety of different ways, everything from phishing emails to infected USB drives to network worms that spread themselves by exploiting vulnerabilities in network-facing services. While these cybersecurity solutions aren’t 100% effective at stopping every form of malware delivery, they work fairly well against many known threats. This creates a high bar for malware authors, who not only need to get their malware into a target network but also need to execute their attack on the target systems once in place.
Encryption plays a key role in the success of many malware variants during initial delivery and execution. Most antivirus programs rely on signature matching, which identifies specific code patterns or strings within a malware sample. By encrypting the majority of the code and leaving a minimal portion unencrypted (just enough to decrypt and execute the rest), malware authors can reduce their chances of detection.
This behavior is crucial when malware attempts to evade detection by Intrusion Detection Systems (IDS) and similar cybersecurity tools. Security teams regularly monitor alerts from these systems, along with system logs, as part of their detection strategies. By encrypting the malware during transmission to the target device, malware operators decrease the probability that useful data will be captured in these alerts or log files.
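An added illustration (not code from the original post) of the evasion described above and of a check defenders use against it: the same constructed beacon bytes are scanned in cleartext and after encryption with a stand-in keystream, showing that the string signature no longer matches while a Shannon-entropy heuristic still flags the blob. All names, the sample beacon and the key are constructed for this example.

```python
import hashlib
import math
import re

# Constructed sample: a cleartext beacon containing a string that a signature-based
# scanner would key on. Repeated so the blob is large enough for an entropy estimate.
PLAINTEXT = (b"GET /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
             b"User-Agent: BotAgent/1.0\r\n\r\n") * 32
SIGNATURE = re.compile(rb"BotAgent/1\.0")   # the pattern the scanner matches on
KEY = b"constructed-demo-key"                 # arbitrary key, for illustration only

def keystream(key: bytes, n: int) -> bytes:
    """Deterministic pseudo-random keystream (SHA-256 in counter mode); stands in
    for whatever a small decryption stub would use. Not a vetted cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])

def xor_with_keystream(data: bytes, key: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def signature_match(blob: bytes) -> bool:
    return SIGNATURE.search(blob) is not None

def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: text and ordinary code sit well below 7; encrypted or
    compressed data approaches 8."""
    if not blob:
        return 0.0
    n = len(blob)
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(blob: bytes, threshold: float = 7.0) -> bool:
    # Heuristic only: compressed archives, media and legitimate key material also
    # score high, so treat this as a triage signal, not a verdict.
    return shannon_entropy(blob) > threshold

if __name__ == "__main__":
    enc = xor_with_keystream(PLAINTEXT, KEY)
    print("signature hit, cleartext:", signature_match(PLAINTEXT))  # True
    print("signature hit, encrypted:", signature_match(enc))        # False
    print("entropy cleartext / encrypted: "
          f"{shannon_entropy(PLAINTEXT):.2f} / {shannon_entropy(enc):.2f}")
    print("entropy heuristic flags encrypted blob:", looks_encrypted(enc))  # True
```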
Most malware is not designed to operate completely independent of its owner. Once malware manages to establish itself on a target machine, it often opens up a communications channel to servers under the attacker’s control. This allows the malware to receive additional commands from the operator and send data back to the cybercriminal. As a result, the operator can tailor their tactics to the compromised machine and the data stored on it.
Command and control (C2) communications are the most common place for malware to use encryption. Many organizations deploy network-based cybersecurity defenses that examine all traffic going to and from computers within the network. If these defenses can recognize the malware’s C2 communications, they can block them and take action to remove the malware.
Malware C2 can either leverage the encryption already available on the Internet or include its own.
Many legitimate communications use Transport Layer Security (TLS), the protocol that secures HTTPS, to protect their contents. One TLS session looks a lot like another, so using TLS on a common port (like 443) allows malware C2 to blend into the crowd.
Malware can also use a custom encryption solution to protect its communications. Most standardized encryption algorithms (like AES and RSA) are published with code samples freely available. A well-designed and implemented encryption solution can make malware C2 communications impossible to crack, but a mistake here can make the malware’s use of encryption completely worthless.
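An added example (not from the original post) of the kind of mistake the paragraph above refers to, seen from the analyst's side: a constructed "custom" C2 scheme uses repeating-key XOR, and because every beacon starts with the same fixed prefix, one captured message gives known plaintext from which the key is recovered and the whole message decrypted. The scheme, key, prefix and beacon are all constructed for this illustration.

```python
import json
import string
from typing import Optional

# Constructed stand-in for a home-grown C2 cipher: repeating-key XOR. The design
# flaw is that every beacon begins with the same prefix, so a defender who captures
# one message has known plaintext for the first bytes.
KEY = b"\x3c\x91\x07\xe2\x5b\xaf\x10\x74"   # constructed; unknown to the analyst
KNOWN_PREFIX = b'{"bot_id": "'               # constructed fixed beacon prefix

def rk_xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def is_plausible(plain: bytes) -> bool:
    """Crude check that a candidate decryption is readable text."""
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(c in string.printable for c in text)

def recover_key(ciphertext: bytes, known_prefix: bytes, max_len: int = 32) -> Optional[bytes]:
    """Known-plaintext recovery: ciphertext XOR plaintext yields the key stream
    over the prefix; test each period that is consistent with that stream."""
    crib = rk_xor(ciphertext[:len(known_prefix)], known_prefix)
    for n in range(1, min(max_len, len(crib)) + 1):
        cand = crib[:n]
        # The recovered stream must repeat with period n for n to be the key length.
        if crib != (cand * (len(crib) // n + 1))[:len(crib)]:
            continue
        if is_plausible(rk_xor(ciphertext, cand)):
            return cand
    return None

def decode_beacon(ciphertext: bytes, known_prefix: bytes = KNOWN_PREFIX) -> dict:
    """Recover the key from a captured beacon and parse the decrypted JSON."""
    key = recover_key(ciphertext, known_prefix)
    if key is None:
        raise ValueError("no consistent key found for this prefix")
    return json.loads(rk_xor(ciphertext, key))

if __name__ == "__main__":
    # Constructed beacon as the bot would send it, then as captured on the wire.
    beacon = b'{"bot_id": "a1f3", "cmd": "sleep", "secs": 600}'
    captured = rk_xor(beacon, KEY)
    print("recovered key:", recover_key(captured, KNOWN_PREFIX).hex())
    print("decoded beacon:", decode_beacon(captured))
```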
Once malware is successfully installed on its target and has established a C2 connection with its operator, it begins working towards its objectives. Malware authors typically have a reason for trying to breach a computer, and the details depend on the target, malware family, objective, etc.
Encryption may even be a core component of the malware’s primary objective. For example, ransomware or cryptolocker types of malware, like WannaCry and Locky, deny users access to their files by encrypting them and demanding a ransom.
Encryption is also commonly used to secure C2 communications, which are critical to a malware author's operation. If an organization detects the exfiltration of its data or can read the C2 instructions from the cybercriminal, it is easier for it to detect and eradicate the infection. As a result, cybercriminals will commonly encrypt this data and make efforts to conceal it, whether by blending in with common encrypted protocols for C2 or by developing a covert C2 channel designed to slip under the defender’s radar.
The biggest advantage of encryption technology is also its biggest drawback. It really works.
If properly designed and implemented, an encryption system can make it impossible for an unauthorized party to view the protected data. This is a huge asset when it protects sensitive data but a significant security threat when an attacker is the one using it.
The problem with malware’s use of encryption is that, done correctly, it’s impossible to decrypt the data and understand what the malware is doing. This is what makes it so vital to ensure that malware doesn’t manage to install itself on your systems in the first place, and if it does, to detect and eradicate it as soon as possible.
Malware can be installed on a system in a variety of different ways, so it is important to have a comprehensive and strong cyber defense program. This should include penetration testing and vulnerability scanning to help identify and close potential infection vectors, continuous monitoring to ensure that intrusions are detected as soon as possible, and cyber awareness training to ensure that employees know how to identify and respond to potential attacks.
Malware takes advantage of encryption technology in a variety of different ways. It can be used throughout the malware infection lifecycle to protect the privacy of any data that the malware author does not wish to be shared with the network defenders. Since modern encryption technology is designed to be secure, this can be a significant problem for cyber defenders because this protected data can be vital to understanding and eradicating the infection. Malware’s use of encryption makes it even more important to take action to detect and protect against malware before it enters and installs itself on the network.