[silviot]

Interesting. So you're saying that the ransonware uses symmetric encryption, i.e. the same key is used to encrypt and decrypt.

I always assumed it used asymmetric encryption, and that the decryption key would never hit the victim's premises.

Definitely not computer gods.

[edp]

I think asymmetric encryption is not usable for large amount of data, the only thing it is good for is to encrypt a passphrase or a binary signature (like a hash). If you can catch the process of encryption while it is running, it is likely that the passphrase is in memory (or used as a command line argument).

[stiray]

That's why you create a lengthy random key (that you know it cant be brute forced) and encrypt everything using it and symmetric encryption.

Than you store that random key encrypted with asymmetric algorithm.

Same goes for things like disk encryption. You never use the users key for encrypting the data. You always encrypt using random large key that is not brute-forcable and encrypt that one with user password, so the process of changing the user password is just decrypting the random key and encrypting it back with new password. Or you would have to re-encrypt the whole disk on password change

[LeifCarrotson]

Shh, don't give them any ideas!

[bluGill]

If you have read anything at all about encryption written since 1997 (probably before, that is when I first started reading) you already knew that.

[LeifCarrotson]

If.

Most ransomware authors, I'd wager, have not been reading since before 1997.

[anonymousDan]

Advanced ransomware use a hybrid scheme that generates a new symmetric key for each file and then encrypts that with an asymmetric key.

[ninjaoxygen]

gpg supports using public / private keypairs to encrypt any amount of data you like. I use it for uni-directional backups from machines where trust is an issue.

Or is the reality of this that it's just encrypting a symmetric key with the asymmetric cipher, and then encrypting data using that key?

[upofadown]

Everything is encrypted with a symmetric key. It is just that sometimes there is an asymmetrically encrypted symmetric key packet included in the message so that GPG (or whatever) does not have to ask you for the symmetric key. This is all fairly generic, if you actually have the symmetric key you can use it directly even if a key packet exists. This means that you can give some entity a key to decrypt a particular message/file without revealing your asymmetric secret key associated with your identity.