{"id":8185,"date":"2024-07-10T09:07:23","date_gmt":"2024-07-10T09:07:23","guid":{"rendered":"\/cybersecurity-blog\/?p=8185"},"modified":"2024-07-10T09:07:23","modified_gmt":"2024-07-10T09:07:23","slug":"encryption-algorithms-in-malware","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/","title":{"rendered":"A Guide to Common Encryption Algorithms in Modern Malware"},"content":{"rendered":"\n<p>Malware authors rely on encryption to scramble the code and avoid detection by tools like <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search-guide\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/detection-with-suricata-ids\/\" target=\"_blank\" rel=\"noreferrer noopener\">Suricata<\/a>, or any other solution that analyzes the static makeup of the file.&nbsp;<\/p>\n\n\n\n<p>Pretty much every real malware sample uses some form of <a href=\"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/#whatisxor\" target=\"_blank\" rel=\"noreferrer noopener\">encryption<\/a>. Whether it&#8217;s encrypting the <a href=\"https:\/\/any.run\/cybersecurity-blog\/analyzing-the-network-stream\/\" target=\"_blank\" rel=\"noreferrer noopener\">network traffic<\/a> or obfuscating C2 strings \u2014 encryption is everywhere.&nbsp;<\/p>\n\n\n\n<p>Since this technique is so widespread in malware, we&#8217;ve decided to put together an overview of the most commonly used encryption methods and collect them in one place.&nbsp;<\/p>\n\n\n\n<p>That\u2019s what this article is about. We&#8217;ll look at:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Common types of cyphers, block vs. 
stream, and how they differ in terms of analysis.<\/li>\n<li>Which encryption algorithms you&#8217;re most likely to encounter in modern malware.<\/li>\n<li>How the most common encryption algorithms in malware work.<\/li>\n<\/ul>\n\n\n\n<p>Let\u2019s get started!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Stream cyphers<\/h2>\n\n\n\n<p>Stream cyphers, as you probably guessed from the name, encrypt data in a continuous stream, one bit or byte at a time \u2014 like water flowing from a tap.<\/p>\n\n\n\n<p>They are fast and efficient. You don&#8217;t have to wait for a whole block of data to start encrypting, as you do with block cyphers, but the result is a weaker cypher.<\/p>\n\n\n\n<p>One of the most common operations used in stream cyphers is the XOR (exclusive OR) operation. XOR is a simple binary operation that takes two bits and returns a 1 if exactly one of the bits is 1, and a 0 otherwise.<\/p>\n\n\n\n<p>In other words, it returns a 1 if the bits are different, and a 0 if they are the same (see the truth table for XOR below):<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead>\n<tr><th>A<\/th><th>B<\/th><th>A XOR B<\/th><\/tr>\n<\/thead><tbody>\n<tr><td>0<\/td><td>0<\/td><td>0<\/td><\/tr>\n<tr><td>0<\/td><td>1<\/td><td>1<\/td><\/tr>\n<tr><td>1<\/td><td>0<\/td><td>1<\/td><\/tr>\n<tr><td>1<\/td><td>1<\/td><td>0<\/td><\/tr>\n<\/tbody><\/table><\/figure>\n\n\n\n<p>The beauty of XOR is that it&#8217;s reversible.<\/p>\n\n\n\n<p>If you XOR a plaintext bit with a key bit, you get the cyphertext bit. And if you XOR that cyphertext bit with the same key bit again, you get the original plaintext bit back.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>XOR Cypher<\/strong><\/h2>\n\n\n\n<p>The XOR cypher is perhaps the most widely used stream cypher in modern malware due to its simplicity. It relies solely on the XOR operation.<\/p>\n\n\n\n<p>Here&#8217;s how the cypher works: it takes the plaintext and XORs each bit or byte with the corresponding bit or byte of the key.<\/p>\n\n\n\n<p>We won\u2019t dive very deep into XOR here because we\u2019ve already covered it in great detail in our <a href=\"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/#whatisxor\" target=\"_blank\" rel=\"noreferrer noopener\">article about encryption fundamentals<\/a> \u2014 head over there for a deep dive into this encryption method.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Block cyphers<\/h2>\n\n\n\n<p>Block cyphers encrypt data in blocks of fixed size.<\/p>\n\n\n\n<p>This means that they essentially take a chunk of plaintext, usually 64, 128, 192, or 256 bits at a time, and convert it into a block of cyphertext of the same size.<\/p>\n\n\n\n<p>\u261d\ufe0f In practice it means that during decryption the key must match the block size exactly, or you\u2019ll end up with an error.<\/p>\n\n\n\n<p>In the example below, we&#8217;re decrypting AES in <a href=\"https:\/\/gchq.github.io\/CyberChef\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CyberChef<\/a>. 
AES is a block cypher, and we&#8217;ve intentionally mismatched content and key length:\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"413\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-2-1024x413.png\" alt=\"\" class=\"wp-image-8186\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-2-1024x413.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-2-300x121.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-2-768x309.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-2-1536x619.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-2-370x149.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-2-270x109.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-2-740x298.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-2.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The decryption fails!\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>As you can see, block cyphers add a bit of complexity to the decryption process.&nbsp;&nbsp;<\/p>\n\n\n\n<p>But there are two more pieces you&#8217;ll need to solve the block cypher puzzle. 
These are <strong>modes <\/strong>and <strong>initialization vectors (IV)<\/strong>.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Modes&nbsp;<\/h2>\n\n\n\n<p><strong>Block cyphers can operate in different modes<\/strong>.\u00a0\u00a0<\/p>\n\n\n\n<p>Modes determine how the plaintext blocks are processed and how they are combined \u2014 in essence, they are extra randomizers.\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"794\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-1-1024x794.png\" alt=\"\" class=\"wp-image-8187\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-1-1024x794.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-1-300x233.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-1-768x596.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-1-1536x1191.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-1-370x287.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-1-270x209.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-1-385x300.png 385w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-1-740x574.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-1.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Block cyphers work in different modes<\/figcaption><\/figure><\/div>\n\n\n<p>When you open a block cypher in your decryption software it will ask you to select the right mode (look for abbreviations like CBC, ECB, or CTR).&nbsp;&nbsp;<\/p>\n\n\n\n<p>Unless you pick the one that the malware author selected for encryption, the decryption will 
fail.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Initialization vector (IV)<\/h2>\n\n\n\n<p><strong>An initialization vector (IV) is a random value that is used to initialize the encryption<\/strong>. Its job is to ensure that even if the same plaintext is encrypted multiple times with the same key, the result is different each time.<\/p>\n\n\n\n<p>All of this means that if you&#8217;re reversing a malware sample that uses block encryption, you need to extract 3 things before you can decrypt its strings or communications:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>The key.<\/li>\n<li>The mode.<\/li>\n<li>The IV.<\/li>\n<\/ol>\n\n\n\n<p>Of course, you&#8217;ll also need to know the encryption algorithm itself.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What are the most common block cyphers?<\/h3>\n\n\n\n<p>Some of the most common block cyphers you&#8217;ll encounter in malware include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/\" target=\"_blank\" rel=\"noreferrer noopener\">AES (Advanced Encryption Standard)<\/a><\/li>\n<li>DES (Data Encryption Standard)<\/li>\n<li>RSA (Rivest-Shamir-Adleman)<\/li>\n<\/ul>\n\n\n\n<p>We&#8217;ll dive into each of these block cyphers in more detail below.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>AES<\/strong><\/h2>\n\n\n\n<p>AES (Advanced Encryption Standard) is a symmetric block cypher that has become the de facto standard for encrypting sensitive data. It was established by the U.S. 
National Institute of Standards and Technology (NIST) in 2001.<\/p>\n\n\n\n<p>AES operates on fixed-size blocks of 128 bits and supports three different key sizes: 128, 192, or 256 bits.<\/p>\n\n\n\n<p>It works like this:<\/p>\n\n\n\n<p><strong>SubBytes<\/strong>. First, each byte in the block is replaced with another byte according to a substitution table (S-box).<\/p>\n\n\n\n<p><strong>ShiftRows<\/strong>. Think of the block as a grid filled with bytes &#8211; it has rows and columns. The bytes in each row of the block are shifted to the left by a certain number of positions.<\/p>\n\n\n\n<p><strong>MixColumns<\/strong>. Then a linear transformation is applied to each column of the block, combining the bytes in each column.<\/p>\n\n\n\n<p><strong>AddRoundKey<\/strong>. A modified key, called the round key (derived from the main key), is XORed with the block.<\/p>\n\n\n\n<p>This is repeated several times until the initial text is completely scrambled. The number of iterations (called rounds) is determined by the size of the key:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>128-bit keys: 10 rounds<\/li>\n<li>192-bit keys: 12 rounds<\/li>\n<li>256-bit keys: 14 rounds<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>DES<\/strong><\/h2>\n\n\n\n<p>The Data Encryption Standard (DES) is a symmetric-key block cypher that was once the primary encryption standard used in the United States. Though it has largely been replaced by AES, DES can still be found in some older or less sophisticated malware samples.<\/p>\n\n\n\n<p>DES uses a 56-bit key and operates on 64-bit blocks of data. It goes through 16 rounds of transposition and substitution to encrypt the plaintext. 
The relatively small key size of DES is now considered insecure, as modern computers can break the encryption in a short period of time.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>RSA<\/strong><\/h2>\n\n\n\n<p>RSA (Rivest-Shamir-Adleman) is an asymmetric encryption algorithm &#8211; this is the first time we&#8217;ve encountered this term in this article, so let&#8217;s go down a little rabbit hole.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p><strong>Asymmetric algorithm?<\/strong><\/p>\n<p>All the ciphers we've discussed so far are what's called symmetric. This simply means that they use the same key for both encryption and decryption.<\/p>\n<p>Asymmetric ciphers, such as RSA, use a pair of keys: a public key for encryption and a private key for decryption.<\/p>\n<p>The official term for this is public key cryptography or asymmetric cryptography. The public key, as the name suggests, can be shared with anyone, but keeping the private key secret is what makes the cipher secure.<\/p>\n<p>For malware analysis, this means that when you reverse-engineer samples that use RSA, you'll need to find two keys to fully understand their data structure: public and private.<\/p>\n<\/blockquote>\n\n\n\n<p>And, back to RSA. This cypher relies on the difficulty of factoring the product of two large prime numbers to provide security. This makes it very robust, but also slow.<\/p>\n\n\n\n<p>For this reason, malware authors use RSA to encrypt small chunks of high-value data, such as C2 addresses or keys. You&#8217;ll rarely see large chunks of network traffic encrypted with RSA because of its computational complexity.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p>ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. 
Our <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=encryption_algos&amp;utm_term=100724&amp;utm_content=linktolanding\/\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandbox<\/a> simplifies malware analysis of threats that target both Windows and <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Yara Search<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-feeds-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a> or files to learn more about the threats and respond to incidents faster.\u00a0\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Advantages of ANY.RUN&nbsp;&nbsp;<\/h3>\n\n\n\n<p>ANY.RUN helps you analyze threats faster while improving detection rates. 
The platform detects common malware families with YARA and Suricata rules and identifies malware behavior with signatures when detection by family is not possible.<\/p>\n\n\n\n<p><strong>With ANY.RUN you can:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect malware in under 40s.<\/li>\n<li>Interact with samples in real time.<\/li>\n<li>Save time and money on sandbox setup and maintenance.<\/li>\n<li>Record and study all aspects of malware behavior.<\/li>\n<li>Collaborate with your team.<\/li>\n<li>Scale as you need.<\/li>\n<\/ul>\n\n\n\n<p>Try the full power of ANY.RUN for free.<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=encryption_algos&amp;utm_term=100724&amp;utm_content=linktodemo\/\" target=\"_blank\" rel=\"noreferrer noopener\">Request free trial \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Malware authors rely on encryption to scramble the code and avoid detection by tools like YARA, Suricata, or any other solution that analyzes the static makeup of the file.&nbsp; Pretty much every real malware sample uses some form of encryption. 
Whether it&#8217;s encrypting the network traffic or obfuscating C2 strings \u2014 encryption is everywhere.&nbsp; Since [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":8193,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[57,10,34],"class_list":["post-8185","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>A Guide to Common Encryption Algorithms in Modern Malware - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Learn about\u00a0the common types of encryption algorithms used in modern malware and how they differ in terms of analysis.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"A Guide to Common Encryption Algorithms in Modern Malware\",\"datePublished\":\"2024-07-10T09:07:23+00:00\",\"dateModified\":\"2024-07-10T09:07:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/\"},\"wordCount\":1351,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/\",\"name\":\"A Guide to Common Encryption Algorithms in Modern Malware - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-07-10T09:07:23+00:00\",\"dateModified\":\"2024-07-10T09:07:23+00:00\",\"description\":\"Learn about\u00a0the common types of encryption algorithms used in modern malware and how they differ in terms of 
analysis.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"A Guide to Common Encryption Algorithms in Modern Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"A Guide to Common Encryption Algorithms in Modern Malware - ANY.RUN&#039;s Cybersecurity Blog","description":"Learn about\u00a0the common types of encryption algorithms used in modern malware and how they differ in terms of analysis.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"A Guide to Common Encryption Algorithms in Modern Malware","datePublished":"2024-07-10T09:07:23+00:00","dateModified":"2024-07-10T09:07:23+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/"},"wordCount":1351,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Cybersecurity Lifehacks"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/","url":"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/","name":"A Guide to Common Encryption Algorithms in Modern Malware - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-07-10T09:07:23+00:00","dateModified":"2024-07-10T09:07:23+00:00","description":"Learn about\u00a0the common types of encryption algorithms used in modern malware and how they differ in terms of 
analysis.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity Lifehacks","item":"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/"},{"@type":"ListItem","position":3,"name":"A Guide to Common Encryption Algorithms in Modern Malware"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8185"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=8185"}],"version-history":[{"count":3,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8185\/revisions"}],"predecessor-version":[{"id":8191,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8185\/revisions\/8191"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/8193"}],"
wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=8185"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=8185"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=8185"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}