Ransomware got its start in 1989. Back then, it was relatively ineffective. That’s changing, which is bad news for us.
One of my neighbors recently experienced ransomware first hand. Up until then, he had no idea it existed. Because of that, it seems important to revisit extortion malware, explain exactly what it is, and how to avoid it.
Ransomware made its debut with a trojan called PC Cyborg, the brainchild of Dr. Joseph Popp. The extortion begins with a vulnerable computer becoming infected. Once settled in, the malware hides all folders and encrypts file names on the C: drive. Next, a dialog box opens, proclaiming the victim needs to send PC Cyborg Corporation $189 US, because the license had expired.
Until ransom money is received and the malware’s activities are reversed, the victim has a non-working computer. Thankfully, the doctor’s trojan had a weakness. It encrypted the file names using symmetric cryptography. Once experts had a chance to analyze the malcode and encrypted tables, it became simple to reverse and determine who created the ransomware.
It seems the doctor felt he was doing something worthwhile (eventually declared mentally unfit). At his trial, he mentioned that the ransom money was to be used for AIDS research.
Public key and Cryptovirology
In 1996, two researchers Adam Young and Moti Yung fixed Dr. Popps oversight, explaining how in the paper: Cryptovirology: Extortion-Based Security Threats and Countermeasures (PDF). I believe it’s also where the term Cryptovirology was coined.
Young and Yung figured out how to use public-key cryptography in ransomware, making reverse-engineering virtually impossible. The crypto-virus encrypts the victim’s files using the malware writer’s public key. The extortion comes into play when the victim is asked to pay ransom in order to obtain the private key for decrypting the files.
How it works
Young and Yung call this type of ransomware crypto-viral extortion. Giving the following definition:
“Crypto-viral extortion, which uses public key cryptography, is a denial of resources attack. It is a three-round protocol that is carried out by an attacker against a victim. The attack is carried out via a crypto-virus that uses a hybrid cryptosystem to encrypt host data while deleting or overwriting the original data in the process.”
The three-round protocol is interesting. It consists of the following:
- Crypto-virus is installed: Using any number of techniques, usually drive-by dropper platforms; the crypto-virus gets installed on vulnerable computers. When the virus activates, it creates a symmetric key and initialization vector (IV). The crypto-virus proceeds to encrypt data files using the symmetric key and IV. After which, the crypto-virus concatenates the IV with the symmetric key. Finally, the concatenated string is encrypted using the malware author’s public key. With everything now in place, the crypto-virus pops open a window explaining the ransom demands to the victim.
- Victim’s response: If the victim decides to pay the ransom. There are several ways that can happen. We will look at those in a bit. The victim also has to send the encrypted concatenated string to the cybercriminal.
- Attacker’s response: The extortionist then decrypts the string using the private key, which discloses the symmetric key and IV. Finally, sending both back to the victim. Who will use them to decrypt the data files.
Covering their tracks
On their Web site, Young and Yung talk about the effort cybercriminals go through to protect themselves. They store the public and private keys on a smart card and do not personally know the bit representation of the private key:
“Ideally, the smart card will implement two-factor security: something the virus author knows (a PIN number) and something the virus writer has (the smart card that contains the private key). Also, the card will ideally be immune to differential power analysis, timing attacks, etc. to prevent the virus author from ever learning the bits of the private key.”
The Web site goes on to explain why the extortionists do this:
“In the U.S. the virus author cannot be forced to bear witness against himself or herself (Fifth Amendment) and so the PIN can remain confidential. The purpose of this setup phase is to limit the effectiveness of seizing and analyzing the smart card under subpoena or warrant (competent evidence).”
In the past, ransomware has not been the malware of choice. That’s because cybercriminals are concerned about the money trail sending ransom funds creates. I mentioned earlier that many approaches have been tried. Here are some of them:
- Trojan. Ransom-A declares that it will destroy one data file every 30 minutes unless $10.99 US is sent to a specified account via Western Union.
- Trojan.Archiveus is a bit more creative. The ransom note declares the decryption password will be sent. If the victim purchases something from a specified Web site, typically in Russia.
- Win32.Ransom uses a novel way to obtain ransom money. The crypto-virus blocks Internet access until the victim sends a premium SMS message. This approach is becoming the favored payment method.
To help understand the entire process, let’s look at what many consider cutting-edge ransomware. F-Secure just released information about Trojan:W32/DatCrypt. Here’s how it works.
The trojan makes its way onto the victim’s computer. After which, it gives the illusion data files such as Office documents, music, audio, and video are corrupt. As shown in the following slide (courtesy of F-Secure):
In reality, the files have been encrypted by the trojan. The next message opened by DatCrypt informs the victim to download specified file repair software. Notice how the window created by the malware appears to be a message from the Security Center (courtesy of F-Secure):
What is actually downloaded is Rogue:W32/DatDoc. Malware that gives the appearance of fixing the problem. But, only one file can be fixed with the free version (courtesy of F-Secure):
The attackers are trying to lull the victim into thinking the software actually works. They hope the victim will spend $89.95 US for the registered version. In reality, victims are paying ransom to get their own files back.
There is no magic formula to avoid crypto-viral extortion. It’s just malware looking for vulnerable computers to exploit. Keeping operating system and application software up-to-date, along with a decent anti-virus application will offer protection. Also, having current backups of all important data is a good idea, just in case.
Ransomware is making a resurgence. Hard-to-trace Internet payment methods are emboldening cybercriminals.
Two thoughts immediately come to mind. Once the extortionist has the money, why send back the decryption information? Also, what proof does the victim have that the whole process won’t start over again?