Background
On 2021-06-11, the Avaddon ransomware platform shut down and sent 2,934 private keys to BleepingComputer. Fabian Wosar and Michael Gillespie then released a public decryption tool built on the key batch the media had received earlier.
Who sent the keys, and with what intention, is beyond the scope of this post. Let’s take a look at these 2,934 private keys. We have seen other ransomware groups make mistakes at the master key generation stage; for example, DarkSide ransomware used the same RSA key pair for different victims. My motivation is to examine whether the same or similar things happened in this batch.
A pair of duplicated keys
To examine all the private keys, I wrote a Python script to parse the raw RSA Private Key BLOBs.
RSA relies on the fact that factoring the modulus is infeasible in a reasonable time. Given the prime pair <p, q>, every other variable — including the private exponent — can be computed. In other words, once the modulus N is factorized or <p, q> is known, the key provides no security. Thus I label a key as “duplicated” or “the same” based on its prime pair.
Inside the key class, I implemented the hash and eq methods based on the primes, so if two keys share the same <p, q>, they count as the same key for me.
Surprisingly, I found two private RSA keys with the same modulus N, prime P and prime Q, which means the two keys are the same. With the following code and the released keys as input, the duplicated keys can be identified.
Result:
The variables size, e, p, q, Dp, Dq and qinv are all the same. However, the private exponent d is different. But are both keys valid?
A simple way to verify is to check that e*d ≡ 1 (mod φ(n)), where φ(n) = (p-1)(q-1).
It turns out that the second key (d=2021….) is invalid.
Discussion
Imagine a victim paid the ransom and received a decryptor that happened to use the defective key. Would this error cause decryption to fail? I think the answer is “NO”: practical RSA implementations generally decrypt using Dp, Dq and qinv (the CRT parameters) rather than d. Ref.
What we know is that two private keys share the same primes, but one of them carries an invalid private exponent. This kind of defect is extremely odd to me, especially when the RSA key was generated by a cryptographic provider/library. It makes me curious why and how this error was made; however, it is hard to draw a conclusion without further information.
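As an added example (not the post’s own script, which is not reproduced here), the following Python code parses a CryptoAPI RSA PRIVATEKEYBLOB in the field layout assumed from Microsoft’s documentation, deduplicates keys on their prime pair as described above, checks e*d ≡ 1 (mod φ(n)), and shows that the Dp/Dq/qinv path still decrypts correctly with a corrupted d while the textbook pow(c, d, n) does not. The 32-bit key, its primes and the bit-flipped d are constructed test values, not Avaddon keys.

```python
import struct
from dataclasses import dataclass

# CryptoAPI RSA PRIVATEKEYBLOB (assumed from the CAPI docs, little-endian): BLOBHEADER(8) | "RSA2" bitlen pubexp | n p q dp dq qinv d
RSA2_MAGIC, PRIVATEKEYBLOB, CALG_RSA_KEYX = 0x32415352, 0x07, 0x0000A400

@dataclass(eq=False)
class RsaPrivateKey:
    size: int; e: int; n: int; p: int; q: int; dp: int; dq: int; qinv: int; d: int
    # Keys sharing the prime pair count as "the same", as in the post.
    def __eq__(self, other): return (self.p, self.q) == (other.p, other.q)
    def __hash__(self): return hash((self.p, self.q))
    def d_valid(self) -> bool:  # e*d == 1 (mod phi(n)) with phi(n) = (p-1)(q-1)
        return self.n == self.p * self.q and (self.e * self.d) % ((self.p - 1) * (self.q - 1)) == 1
    def decrypt_crt(self, c: int) -> int:  # the Dp/Dq/qinv path used by practical implementations
        m1, m2 = pow(c, self.dp, self.p), pow(c, self.dq, self.q)
        return (m2 + self.q * ((self.qinv * (m1 - m2)) % self.p)) % self.n

def parse_privatekeyblob(blob: bytes) -> RsaPrivateKey:
    btype, _ver, _res, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, e = struct.unpack_from("<III", blob, 8)
    if (btype, alg, magic) != (PRIVATEKEYBLOB, CALG_RSA_KEYX, RSA2_MAGIC):
        raise ValueError("not an RSA PRIVATEKEYBLOB")
    full, half = bitlen // 8, bitlen // 16
    lengths = (full, half, half, half, half, half, full)  # n, p, q, dp, dq, qinv, d
    offsets = [20 + sum(lengths[:i]) for i in range(8)]
    if len(blob) < offsets[-1]:
        raise ValueError("truncated blob")
    vals = [int.from_bytes(blob[a:b], "little") for a, b in zip(offsets, offsets[1:])]
    return RsaPrivateKey(bitlen, e, *vals)

def build_blob(bitlen, e, p, q, d, dp, dq) -> bytes:
    """Serialise a key in the same layout (constructed test input, not a real Avaddon key)."""
    full, half = bitlen // 8, bitlen // 16
    fields = ((p * q, full), (p, half), (q, half), (dp, half), (dq, half), (pow(q, -1, p), half), (d, full))
    head = struct.pack("<BBHIIII", PRIVATEKEYBLOB, 2, 0, CALG_RSA_KEYX, RSA2_MAGIC, bitlen, e)
    return head + b"".join(v.to_bytes(n, "little") for v, n in fields)

def find_duplicates(blobs):
    """Return {(p, q): [(index, d_valid), ...]} for every prime pair found in more than one blob."""
    groups = {}
    for i, blob in enumerate(blobs):
        k = parse_privatekeyblob(blob)
        groups.setdefault(k, []).append((i, k.d_valid()))
    return {(k.p, k.q): v for k, v in groups.items() if len(v) > 1}

# Toy 32-bit key (constructed): two blobs with identical primes and CRT values, the second with a corrupted d.
P, Q, E = 65521, 65519, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
GOOD, DEFECT = (build_blob(32, E, P, Q, d, D % (P - 1), D % (Q - 1)) for d in (D, D ^ 0x1000))
```

To run this over the released batch, read each key file’s bytes into the list passed to find_duplicates (assuming the files are bare PRIVATEKEYBLOBs with no wrapper).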
Update — 2021.06.12