About two years ago, I received a call from a distressed Techworld reader, asking for help: a message on his PC screen was demanding a ransom of $200 through e-Gold to unlock all the spreadsheets he used in his small business. What should he do?
The message he received went as follows (edited):
“OUR E-GOLD ACCOUNT: XXXXXXX
INSTRUCTIONS HOW TO GET YUOR FILES BACK
READ CAREFULLY. IF YOU DO NOT UNDERSTAND, READ AGAIN.
This is automated report generated by auto archiving software.
Your computer catched our software while browsing illigal porn
pages, all your documents, text files, databases was archived
with long enought password.
If you really care about documents and information in encrypted files
you can pay using electonic currency $300.
Reporting to police about a case will not help you, they do not know
password. Reporting somewhere about our e-gold account will not help
you to restore files. This is your only way to get yours files back.”
Remember you are just $300 away from your files
Unable to work out which piece of malware had hit him and realising that I’d never come across its payload before – this was about two weeks before it was finally named by AV companies to be the infamous file scrambler Cryzip - I warned him against paying the demanded ransom to get the unlock key. Most likely, the criminals would take his money and leave him with no key, or their operation had already been shut down and contacting them was pointless anyway.
Even his backups were locked – it had obviously been sitting on his machine in stealth mode for weeks, preying on any files it found with certain file extensions such as .xls, .txt, .jpg, or .doc. Before I could have his PC picked up by a security vendor for forensics, the Cryzip story emerged and rendered the plan redundant.
For the record, the caller didn’t say whether he was running an anti-virus package, but it might not have spotted the incursion anyway if it wasn’t on the latest signature list. At best, a package would have spotted it as it attempted to make the jump from whatever infection vector was used (email, web-borne, etc) and asked for the user’s attention. In many cases, users won’t pay enough attention, and it will get past this defence. The infector used is believed to have been a Bagle variant.
So the Cryzip concept was out there. Some call it ‘cryptographic malware’, others call it ‘ransomeware’, both accurate terms that stress either the technical nature of what this type of malware does, or the brute effect on the ordinary user. The attack method is the sort of thing that could keep a single user or small business owner without a lot of technical knowledge awake at night. One day you turn on your PC or server to find that none of the data files are accessible, and nobody is there to help.
This reader’s infection incident pointed to three things.
1. Low-key malware that sets out to infect small numbers of PCs has a window of opportunity of a few days or weeks perhaps in which to wreak havoc before security companies detect, disassemble and signature it. In criminal terms, a few days or weeks is a long time in which to make money.
2. Viruses that use (or claim to use) encryption for the purposes of blackmail are the ultimate weapons of social engineering, and would surely appear in rising numbers.
3. Malware attacks affect real people in ways that are often ignored because a particular outbreak is considered small. Yet the pain can be considerable.
I’m assuming that when faced with scrambled data files, there are plenty of people who would be tempted to pay up rather than possibly never see their files again, however naïve that seems.
One of the first companies to identify Cryzip was Kaspersky, which last week returned to the crypto virus theme with news of another example of the species, Gpcode.ak, also known as Virus.Win32.Gpcode.AK. Gpcode isn’t new, in fact, but this 2008 variant turned out to be using encryption – RSA 1,024 bit no less - sophisticated enough to defeat attempts to reverse engineer the key.
That’s a sort of frightening cryptographic zero day attack, for which there is no patch. That the malware writers would eventually turn to better, possibly uncrackable, public-key encryption had long been predicted since the days of 2005 and 2006 when this type of malware first emerged, but the story has proved to be a slow-burning one. Researchers sat back and waited for something like Gpcode.ak to appear and nothing happened. Although that suddenly changed, should PC users be concerned?
"Along with anti-virus companies around the world, we're faced with the task of cracking the RSA 1024-bit key. This is a huge cryptographic challenge. We estimate it would take around 15 million modern computers, running for about a year, to crack such a key." said Kaspersky’s Aleks Gostev in alarming terms in his blog on Gpcode.ak.