This week’s episode of Mr. Robot continued from where it left off last week, focusing on the show’s characters rather than hacking methods. We see Elliot struggle with himself as he figures out that Mr. Robot is his dad (who died years ago), who he has been imagining in his mind. Meanwhile, Tyrell’s world is crumbling. His wife gave birth to a baby boy, but tells him she does not want to be with him unless he “fixes things”. He then gets fired from E Corp and remains as the prime suspect in Sharon’s murder investigation. It doesn’t look like Tyrell did a very good job of fixing things, if you ask me…

Despite the lack of hacking, I did have a few questions about the final scene of the episode. I spoke with my colleague, senior malware analyst Jaromir Horejsi, who helped me better understand FSociety’s plan.

In the last scene of the episode, Tyrell pays Elliot a visit. Tyrell tells Elliot about how he murdered Sharon and how surprisingly good that felt. Elliot then decides to tell Tyrell about his plan to take down E Corp. Elliot explains to him that by encrypting all of E Corp’s files, all of their financial records will be impossible to access as the encryption key will self-delete after the process completes.

Stefanie: Clearly, E Corp is in some pretty big trouble if this plan succeeds, but could something like this happen to the average user? How disastrous would it be if, for example, if my personal computer’s data were to be encrypted?

Jaromir: Ransomware is a common and nasty form of malware that encrypts data and demands a ransom, as the name suggests. We have seen many cases of ransomware on PCs and mobile devices. Encrypted data is impossible to decrypt unless you have the encryption key, which is pretty disastrous if you ask me.

Stefanie: What is an encryption key and what should I do if my data is encrypted by ransomware?

Jaromir: An encryption key is information that is needed for the functional output of a cryptographic algorithm or cipher. You can think of encryption as a vault or door that is locked and the encryption key is the key or combination to open the vault or door, and in the case of encryption, to decrypt data. If your device is infected with ransomware you can a) delete the ransomware by using an antivirus rescue disc, b) reboot into safe mode and remove it manually or c) reboot using another operating system stored on an external disc. Once this is done, you can restore your data, using your backed up files. This is why it is important to always back up your data! More importantly, you should have antivirus software installed on all of your devices — PC and mobile — to prevent ransomware from infecting your device in the first place!

We highly discourage paying ransom, as this proves to cybercriminals that their methods are effective and encourages them to continue spreading ransomware.

Stefanie: What happens to the encryption key in ransomware? Does it also self-delete?

Jaromir: If cybercriminals do their job correctly, so to speak, the encryption key should be deleted by the ransomware, similar to what Elliot programed his encryption program to do. Ransomware typically generates a key and uses it to encrypt files. The ransomware then encrypts the encryption key with the attacker’s public key and sends the encrypted key to the attacker. Once this is done,and the files on the infected device are encrypted, the ransomware securely deletes the encryption key from the infected device, meaning that the attacker is the only one who has the encryption key that can decrypt the encrypted files on the infected device.  

Thank you, Jaromir, for taking the time to speak with me.

What did you guys think of the episode? Let us know in the comments below!