Passware 2023 version Decrypts Veracrypt RAM Encryption
Open source disk encryption with strong security for the Paranoid
Brought to you by:
idrassi
Menu
▾
▴
https://support.passware.com/hc/en-us/articles/10948031464599-What-s-new-in-Passware-Kit-2023-v1
Instant decryption of the latest VeraCrypt versions via memory analysis
Passware has updated its Windows memory analysis option such that it is now capable of extracting expanded encryption keys required for decrypting the latest versions of VeraCrypt.
Additionally, beginning with version 1.24, VeraCrypt introduces a mechanism to encrypt master keys and cached passwords in RAM. Passware Kit 2023 v1 now supports this feature and decrypts the keys, providing instant access to the VeraCrypt volumes.
Thank you for sharing this information.
This reminds me of the Elcomsoft story back in 2021 where they claimed to broke RAM encryption only to say in blog post that they actually cannot (cf https://sourceforge.net/p/veracrypt/discussion/general/thread/ddbe3c9353/). But we are already in 2023 and I guess we can trust them that they have finally implemented a reliable attack against RAM encryption.
I will resurect my ideas for RAM encryption enhancements. Sure, we could make small changes to how RAM encryption works to block their current method, but they could still update their tool to match these changes because our source code is open. A better approach would be to tie RAM encryption to something ephemeral that disappears and can't be found in memory dumps, like debug registers. This would take some serious work, though.
Let's remember that RAM encryption can't stop all attacks. If a program in an unlocked Windows session has admin rights, it can access the same information as VeraCrypt driver and it can get access all the data. So, RAM encryption can't fully protect against this. What it can do, however, is help protect against memory dumps done outside of a running Windows session or without admin rights.