Hmmm... a little ironic!
Just thinkin' out loud... Don't most ransomware attacks come from Russia and isn't Kaspersky Lab from Russia? Could there be a connection?
Kaspersky has announced it's decrypted yet another crypto-extortion racket. Writing here, the company's John Snow says Kaspersky bods can now untangle data after a CryptXXX attack. CryptXXX was described in mid-April by Proofpoint, which said it came from the authors of Reveton and was spreading thanks to its inclusion in the …
The connection is that Russia, as a direct result of being resource starved by US embargoes, went on to be FAR more intelligent and efficient in programming (if you want an example of resource wasteful code for comparison, try US developed Windows) so you need people from the same region just to get into the tight code.
Kaspersky is a remarkably clean company for one that has grown in Russia, so no, I don't think they're in cahoots with criminals.
The article at Kaspersky actually says "Fortunately, CryptXXX turned out to be not that difficult to crack".
However it seems to depend on you being able to give it a copy of one of the encrypted files before it was encrypted and the bigger the file the better. "The bigger file you’ve feed to the utility — the more files would be decrypted." So it sounds like they must have used a small key that could be brute forced.
Educated guess: The actual file encryption is done with some stream cipher, with the same key for all files. (That key would in turn be encrypted with RSA using the public key and sent to the attacker, which presumably holds the private key - the specific details won't matter here as the attack isn't against the asymmetric part)
So if you simply XOR the plaintext file with the encrypted version, you get the keystream. XOR that with any encrypted file up to that size and you get the plaintext.
Biting the hand that feeds IT © 1998–2021