About two years ago, I received a call from a distressed Techworld reader, asking for help: a message on his PC screen was demanding a ransom of $200 through e-Gold to unlock all the spreadsheets he used in his small business. What should he do?

The message he received went as follows (edited):

"This is an automated report generated by auto-archiving software.

Your computer caught our software while browsing illegal porn
pages; all your documents, text files and databases were archived
with a long enough password.

If you really care about the documents and information in the encrypted files
you can pay $300 using electronic currency.

Reporting the case to the police will not help you, they do not know the
password. Reporting our e-gold account somewhere will not help
you to restore files. This is your only way to get your files back.

Remember, you are just $300 away from your files."

Unable to work out which piece of malware had hit him, and realising that I'd never come across its payload before (this was about two weeks before AV companies finally named it as the infamous file scrambler Cryzip), I warned him against paying the demanded ransom to get the unlock key. Most likely the criminals would take his money and leave him with no key, or their operation had already been shut down and contacting them was pointless anyway.

Even his backups were locked: it had obviously been sitting on his machine in stealth mode for weeks, preying on any files it found with certain extensions such as .xls, .txt, .jpg or .doc. Before I could have his PC picked up by a security vendor for forensics, the Cryzip story emerged and rendered the plan redundant.
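As an added example (not from the article or the reader's case), a small triage script in the spirit of this incident: it checks a directory, such as a backup set, for files with the extensions listed above whose header no longer matches their type or whose content is near-random, which is what encrypted output looks like. The extension list comes from the article; the magic-byte table, the entropy threshold and the sample files are my assumptions.

```python
import math
import os
import tempfile
from collections import Counter

# Extensions the article says Cryzip preyed on; MAGIC holds the normal file
# headers (legacy .xls and .doc share the OLE2 compound-document header).
TARGET_EXTENSIONS = {".xls", ".txt", ".jpg", ".doc"}
MAGIC = {".jpg": b"\xff\xd8\xff", ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0"}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_scrambled(path: str, threshold: float = 7.0) -> bool:
    """Header mismatch for its extension, or near-random content (as ciphertext is)."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        data = f.read()
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return True
    return shannon_entropy(data) > threshold

def audit(root: str) -> dict:
    """Map each targeted file under root (e.g. a backup set) to whether it looks scrambled."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TARGET_EXTENSIONS:
                p = os.path.join(dirpath, name)
                result[os.path.relpath(p, root)] = looks_scrambled(p)
    return result

def demo() -> dict:
    """Constructed sample: two intact files, two overwritten with random bytes as stand-in ciphertext."""
    root = tempfile.mkdtemp()
    samples = {
        "notes.txt": b"Quarterly figures: revenue up, costs flat.\n" * 20,
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 500,
        "budget.xls": os.urandom(4096),
        "memo.txt": os.urandom(4096),
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return audit(root)
```

A file flagged here is worth comparing against an older copy before trusting the backup; compressed formats (zip, modern Office files) are naturally high-entropy, so for those the header check matters more than the threshold.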

For the record, the caller didn't say whether he was running an anti-virus package, but it might not have spotted the incursion anyway if the malware wasn't yet on the latest signature list. At best, a package would have spotted it as it attempted to make the jump from whatever infection vector was used (email, web-borne, etc.) and asked for the user's attention. In many cases users won't pay enough attention, and it will get past this defence. The infector used is believed to have been a Bagle variant.

So the Cryzip concept was out there. Some call it 'cryptographic malware', others call it 'ransomware', both accurate terms that stress either the technical nature of what this type of malware does or the brute effect on the ordinary user. The attack method is the sort of thing that could keep a single user or small business owner without a lot of technical knowledge awake at night. One day you turn on your PC or server to find that none of the data files are accessible, and nobody is there to help.

This reader’s infection incident pointed to three things.

1. Low-key malware that sets out to infect small numbers of PCs has a window of opportunity of a few days or weeks perhaps in which to wreak havoc before security companies detect, disassemble and signature it. In criminal terms, a few days or weeks is a long time in which to make money.
2. Viruses that use (or claim to use) encryption for the purposes of blackmail are the ultimate weapons of social engineering, and would surely appear in rising numbers.
3. Malware attacks affect real people in ways that are often ignored because a particular outbreak is considered small. Yet the pain can be considerable.

I’m assuming that when faced with scrambled data files, there are plenty of people who would be tempted to pay up rather than possibly never see their files again, however naïve that seems.

One of the first companies to identify Cryzip was Kaspersky, which last week returned to the crypto-virus theme with news of another example of the species, Gpcode.ak, also known as Virus.Win32.Gpcode.AK. Gpcode isn't new, in fact, but this 2008 variant turned out to be using encryption (1,024-bit RSA, no less) sophisticated enough to defeat attempts to reverse engineer the key.

That's a sort of frightening cryptographic zero-day attack, for which there is no patch. That malware writers would eventually turn to stronger, possibly uncrackable, public-key encryption had been predicted since 2005 and 2006, when this type of malware first emerged, but the story has proved a slow-burning one. Researchers sat back and waited for something like Gpcode.ak to appear, and nothing happened. Now that has suddenly changed; should PC users be concerned?

"Along with anti-virus companies around the world, we're faced with the task of cracking the RSA 1024-bit key. This is a huge cryptographic challenge. We estimate it would take around 15 million modern computers, running for about a year, to crack such a key," said Kaspersky's Aleks Gostev, in alarming terms, in his blog post on Gpcode.ak.

The company had previously encountered Gpcode variants that had used up to 660-bit encryption in 2006, but had managed to find the key for that, possibly using informants; the ransomware phenomenon is assumed to have come from Russia, so Kaspersky is in the right place to have its ear to the ground on this. If true (the company wouldn't say how it decrypted that variant), it's a worryingly hit-and-miss approach to tackling ransomware.

Given its power, and the difficulty of tackling it, the rarity of Gpcode-like attacks using strong encryption is probably explained simply by the effort they demand. Just as they are difficult to decode, they are difficult to program, a turn-off for malware writers who have easier targets.

“I would say this [their rarity] is because it requires a greater technical investment by the malware author. If we take this variant as an example [Gpcode.ak], it’s not trivial to implement such encryption techniques and it’s certainly a lot easier to go for the ‘low-hanging fruit’ of more straightforward phishing attacks for example,” comments Kaspersky’s David Emm.

The second drag on ransomware is the channel used to collect ransoms. In 2006 this was e-gold, but using a service that requires registration is risky and can be turned off if users complain, even though in the past e-gold itself has had its honesty challenged by the authorities.

Now the criminals have made it slightly easier for themselves by asking for the purchase of a defined utility, which can be hosted (along with payment) on a spoofed, proxied or hijacked server, making tracing nearly impossible.

At the time of writing, anyone infected by Gpcode.ak is stuffed unless they have backups. The best way to stop it remains security on the client itself, preventing the ransomware from installing in the first place. Windows' built-in System Restore is useless because the encryptor acts on data files, and these are unaffected by rolling the machine back to an earlier restore point.

Fortunately, ransomware of this sophisticated ilk is still very rare and likely to remain so. What might become more common is criminals using ransom tactics (threatening to send porn images to everyone in an infected user's address book, for instance) to frighten people into complying with their demands.

This underlines that, however complex, ransomware is just another type of social engineering. If people refuse to be ‘engineered’ its power looks more fragile.