Ransomware is new, and most of you have not heard of it yet; soon you will. Ransomware is a type of malware that uses a weak (breakable) cryptosystem to encrypt the data belonging to an individual and demands a ransom for its restoration. A cryptovirus, cryptotrojan or cryptoworm, on the other hand, employs a military-grade hybrid cryptosystem to take data hostage (the field known as cryptovirology pre-dates the term "ransomware"). This type of ransom attack can be accomplished by (for example) attaching a specially crafted file/program to an e-mail message and sending it to the victim. If the victim opens/executes the attachment, the program encrypts a number of files on the victim's computer. A ransom note is then left behind for the victim. The victim will be unable to open the encrypted files without the correct decryption key. Once the ransom demanded in the note is paid, the cracker will (supposedly) send the decryption key, enabling decryption of the "kidnapped" files. However, if the decryption key is in the file/program, it can be extracted and used without contacting the attacker. This is the case in any such malware that relies on symmetric cryptography alone, and a few malware attacks in the past have done exactly this. The 1996 IEEE paper by Young and Yung reviews the malware that has done this, points out the fatal flaw (the reliance on symmetric cryptography), and shows how public key cryptography solves this problem (from the attacker's point of view). A cryptovirus, cryptotrojan, or cryptoworm is defined as malware that contains and uses the public key of its author. In cryptoviral extortion, the public key is used to hybrid-encrypt the data of the victim, and only the private key (which is not in the malware) can be used to recover the data. This is one of a myriad of attacks in the field known as cryptovirology.
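The "fatal flaw" above, shown from the analyst's side as an added example (not code from the original article or from any of the malware it names): when the symmetric key travels inside the program, a responder can pull it out of the artifact and decrypt the files without ever contacting the extortionist. The sample key, document, and the `--KEY--`/`--END--` delimiters are constructed for the demonstration; AES-256-GCM stands in for whatever cipher such a program used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// Constructed sample values, not taken from any real malware: a fixed 32-byte AES key,
// a short "victim document" and hypothetical delimiters around the embedded key.
var (
	sampleKey = []byte("0123456789abcdef0123456789abcdef")
	sampleDoc = []byte("Q3 ledger: accounts receivable 41,200")
	keyStart  = []byte("--KEY--")
	keyEnd    = []byte("--END--")
)
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// SealSample stands in for the file-encryption step: AES-256-GCM, nonce prepended.
func SealSample(key, nonce, plain []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	return append(append([]byte{}, nonce...), gcm.Seal(nil, nonce, plain, nil)...), nil
}

// BuildSymmetricOnlyArtifact models the flawed design: the program bytes carry the key itself.
func BuildSymmetricOnlyArtifact() []byte {
	return bytes.Join([][]byte{[]byte("stub code"), keyStart, sampleKey, keyEnd}, nil)
}

// ExtractEmbeddedKey pulls the 32-byte key out of the artifact; a hybrid
// (public-key-only) artifact has no such key, so the lookup fails.
func ExtractEmbeddedKey(artifact []byte) ([]byte, error) {
	i := bytes.Index(artifact, keyStart)
	if i < 0 { return nil, errors.New("no symmetric key embedded in artifact") }
	rest := artifact[i+len(keyStart):]
	if bytes.Index(rest, keyEnd) != 32 { return nil, errors.New("embedded key missing or wrong length") }
	return rest[:32], nil
}

// RecoverWithoutAttacker decrypts a sealed file using only the key found in the artifact.
func RecoverWithoutAttacker(artifact, blob []byte) ([]byte, error) {
	key, err := ExtractEmbeddedKey(artifact)
	if err != nil { return nil, err }
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() { return nil, errors.New("cannot open blob") }
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}
```

With a cryptoviral (hybrid) artifact the same search finds only a public key, and `ExtractEmbeddedKey` fails: that is exactly why the Young and Yung design leaves nothing for the responder to recover.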
Since May 2005, malware extortion attacks (that encrypt or delete data) have been appearing in greater numbers. Examples include Gpcode (many variants: Gpcode.ac, Gpcode.ag, etc.), TROJ.RANSOM.A., Archiveus, Krotten, Cryzip, and MayArchive. It is said that Gpcode.ag utilizes a 660-bit RSA public modulus. Crackers appear to be either rediscovering cryptoviral extortion or, perhaps more likely, reading the cryptographic literature on the subject.

Motives

Ransomware happens when a cybercriminal uses malicious code to hijack user files, encrypt them and demand payment in exchange for the decryption key. Earlier this year, Eugene Kaspersky, head of anti-virus research at Russia's Kaspersky Labs, told a computer industry security conference that ransomware is a key trend in 2007. Security firm Secure Science Corp. estimates that some 152,000 victims have been infected with ransomware over the past eight months. Fortunately, most businesses only know about ransomware through media reports, not direct experience. But ransomware crime is so brazen and potentially damaging that it is truly spine-chilling stuff for any company owner or manager with business-critical files.

Preventing Attacks

Since ransomware is a sophisticated form of malware, the best way to prevent an attack is to make sure that your business's network and computers are thoroughly protected by firewalls and by anti-virus and anti-spyware technology. Since ransomware usually arrives in the form of a Trojan horse, it is most often picked up through a browser by visiting a rogue Web site. To keep a ransomware Trojan from infiltrating your systems, make sure that all company computers run the latest browser version with automatic updates enabled. Employees should also be educated about the ransomware threat and reminded not to install their own software on company computers or to connect unauthorized devices to the company's network.
Some ransomware outbreaks have been linked to user visits to game, gambling and social-networking Web sites. It is important to remind employees to avoid these Web areas and that they play a major role in safeguarding the business's data assets. As a final line of defence, keep secure backups of critical user files on media that is not located on Internet-exposed platforms. These backups should be updated as often as possible: daily, hourly or even more frequently, if necessary.

Reacting to an Attack

If, despite your best efforts, your business still falls victim to a ransomware attack, react quickly yet calmly. Remember that ransomware hackers who merely threaten to encrypt your files are probably doing nothing more than blowing hot air; such individuals usually have no way of hijacking your files and are simply trying to extort some money from your business. You are in deeper trouble, however, if a ransomware Trojan horse has actually encrypted your files. Paying the ransom is never an acceptable reaction, since you have no assurance that the hacker will actually deliver the decryption key (it is really in his best interest to leave as few physical traces of his contact with you as possible). If you followed good business practice, you will have a recent backup of the affected files readily available. If not, depending on the Trojan horse used, a security specialist — such as your anti-virus software provider — may be able to help you recover some or all of the maliciously encrypted data. But the task will be time-consuming and the ultimate financial cost may be quite steep.