Ransomware Encryption by Family

Ransomware families use different encryption methods. The great work done by @nyxbone shows ransomware families using everything from strong encryption like AES to weak obfuscation like XOR or base64. The Bucbi ransomware family uses the obscure GOST encryption! How are organizations expected to keep up with the ever-changing threat landscape?

At Hipara, we believe in giving defenders the upper hand whenever possible. By using math commonly applied in physics, we can determine if a file is encrypted or not. When a suspicious process writes an encrypted file, we will alert your security team!

But the proof is in the pudding. Let's look at how Hipara stood up to a few ransomware families:

| Family Name | Encryption Method | Result |
|---|---|---|
| LeChiffre | Encrypts first 0x2000 and last 0x2000 bytes | Hipara blocks! |
| odcodc | XOR encryption/obfuscation | Hipara blocks! |
| Xorist | Encrypted files will still have the original non-encrypted header of 0x33 bytes length. Uses XOR or TEA. | Hipara blocks! |
| Rokku | Curve25519 + ChaCha | Hipara blocks! |
| VaultCrypt | Uses GPG | Hipara blocks! |
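
The page does not name the "math commonly applied in physics"; assuming it is Shannon entropy, this added example (not Hipara's code) scores a file per 0x2000-byte region, so the LeChiffre-style partial encryption in the table is caught even though whole-file entropy stays under the cutoff. The 7.5 bits-per-byte threshold, the function names and the sample data are constructed for illustration.

```python
import hashlib
import math

WINDOW = 0x2000    # region size the table gives for LeChiffre
THRESHOLD = 7.5    # assumed cutoff in bits per byte (maximum is 8.0)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(data: bytes, window: int = WINDOW, threshold: float = THRESHOLD) -> str:
    """Return 'clear', 'partial' or 'full' from per-region entropy."""
    # Aligned windows from the start, plus the final `window` bytes: a region
    # that ends at EOF is rarely window-aligned.
    regions = [data[i:i + window] for i in range(0, len(data) - window + 1, window)]
    regions.append(data[-window:])
    high = [shannon_entropy(r) >= threshold for r in regions]
    if all(high):
        return "full"
    return "partial" if any(high) else "clear"

def fake_ciphertext(n: int) -> bytes:
    """Constructed stand-in for ciphertext: a SHA-256 counter stream, not a real cipher."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def lechiffre_like(plain: bytes) -> bytes:
    """Overwrite the first and last 0x2000 bytes, as the LeChiffre row describes."""
    blob = fake_ciphertext(WINDOW)
    return blob + plain[WINDOW:-WINDOW] + blob

# Constructed sample document: 0x8000 bytes of repetitive business text.
LINE = b"Quarterly report: revenue, costs and forecasts for the finance team.\n"
PLAIN = (LINE * (0x8000 // len(LINE) + 1))[:0x8000]

if __name__ == "__main__":
    for name, data in [("original", PLAIN), ("LeChiffre-like", lechiffre_like(PLAIN)),
                       ("fully encrypted", fake_ciphertext(len(PLAIN)))]:
        print(f"{name:16} whole-file={shannon_entropy(data):.2f}  verdict={classify(data)}")
```

Compressed formats such as ZIP or JPEG also score close to 8 bits per byte, so a detector built this way needs a file-type check alongside the entropy score.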

See the pattern here? Hipara blocks ransomware! Contact us to protect your company today! Email contact@hipara.org

Brett Cunningham
