- Mira ransomware uses the Rijndael algorithm to encrypt files on victims’ systems.
- After encryption, it appends a ‘header’ structure to the end of the file.
Security researchers have found a way to generate the decryption key for a ransomware named Mira. Mira, also known as ‘Trojan:W32/Ransomware.AN’, uses the Rijndael algorithm to encrypt files on victims’ systems.
It should be noted that the Rijndael algorithm also forms the basis for the Advanced Encryption Standard (AES), which is widely used across the world to secure sensitive information.
How does it work - According to Khasaia, a security researcher from F-Secure, the Mira ransomware first ‘initializes a new instance of the Rfc2898DeriveBytes class to generate a key’. An instance of this class is constructed from a password, a salt and an iteration count.
The password usually includes the following information:
- Machine name
- OS version
- Number of processors
The salt, by contrast, is generated by a random number generator (RNG).
Once the key is generated, the malware encrypts the victims’ files using the Rijndael algorithm. After encryption, it appends a ‘header’ structure to the end of the file. This header contains the salt and the password hash.
How was the decryption key generated - The researchers managed to create a decryption key by retrieving the password, the salt and the iteration count used by the ransomware.
Explaining why the decryption key could be recovered, Khasaia said, “Most often, decryption can be very challenging because of missing keys that are needed for decryption. However, in the case of Mira ransomware, it appends all information required to decrypt an encrypted file into the encrypted file itself.”