Dark Reading is part of the Informa Tech Division of Informa PLC



'Ransomware' Threats Growing

The malware typically encrypts data or disables master boot records, then extorts money to undo damage and restore access.


A malicious type of attack dubbed "ransomware" is on the rise, with antivirus vendor Symantec seeing at least three new variants appear in recent months. Such attacks often use viruses not just to steal a person's sensitive or financial information, but also to disable hard drives and demand money to restore them.

"Threats that use extortion can be some of the most aggressive and, in some cases, offensive viruses encountered," said Symantec security researcher Gavin O'Gorman in a blog post.

Unfortunately, attackers continue to advance the ransomware state of the art. For example, GPCoder.G, which first appeared in November 2010, is a small -- only 11 kilobytes -- piece of malware which, if executed, searches a hard drive for files with specific extensions, covering everything from videos and Microsoft Office files to images and music. It then encrypts the first half of every file found, using a symmetric RSA encryption algorithm and a random key. That random, private key is then encrypted using a public key. "Without the private key from this key pair, it is not possible to obtain the symmetric key in order to decrypt the files," said O'Gorman.

To get the private key, the ransomware victim must forward the encrypted symmetric key to attackers, who decrypt and return it. Unfortunately, aside from restoring the encrypted files from a backup, "there is no way to bypass this technique," he said.
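The partial-encryption pattern described above (first half of a file replaced by ciphertext, second half untouched) suggests a simple defender-side check. This is an added example, not code from the article or from Symantec: it compares the entropy of each half of a file and flags the asymmetry, using constructed sample contents and a SHA-256 counter stream as a stand-in for ciphertext; the thresholds (7.0 bits, 2.5-bit gap) are assumptions to tune per environment.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Return bits of entropy per byte: 0.0 for empty/constant data, up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def half_entropies(data: bytes) -> tuple[float, float]:
    """Entropy of the first and second halves of a file's contents."""
    mid = len(data) // 2
    return shannon_entropy(data[:mid]), shannon_entropy(data[mid:])

def looks_half_encrypted(data: bytes, high: float = 7.0, gap: float = 2.5) -> bool:
    """Heuristic: first half near-random, second half still low-entropy.

    Files that are high-entropy throughout (archives, images, genuinely
    encrypted containers) are deliberately NOT flagged; only the asymmetry
    between the halves is treated as suspicious.
    """
    first, second = half_entropies(data)
    return first >= high and (first - second) >= gap

def scan_files(files: dict[str, bytes]) -> list[str]:
    """Return the names of files matching the partial-encryption pattern."""
    return [name for name, data in files.items() if looks_half_encrypted(data)]

def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode) so the
    example runs offline and reproducibly; this is not a real cipher."""
    out = bytearray()
    for i in range((n + 31) // 32):
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
    return bytes(out[:n])

# Constructed sample "files" (assumed content, not from the article or Symantec).
CLEAN_DOC = b"Quarterly report: revenue, costs, headcount, open actions.\n" * 200
HALF = len(CLEAN_DOC) // 2
HALF_ENCRYPTED_DOC = pseudo_random_bytes(HALF) + CLEAN_DOC[HALF:]
ARCHIVE_LIKE = pseudo_random_bytes(len(CLEAN_DOC))  # high entropy throughout
SAMPLES = {"report.doc": CLEAN_DOC, "report.doc.locked": HALF_ENCRYPTED_DOC,
           "photos.zip": ARCHIVE_LIKE}

if __name__ == "__main__":
    print("flagged:", scan_files(SAMPLES))  # ['report.doc.locked']
```

Run over a directory of user files, a hit on documents that were plain text yesterday is a strong sign of this family's activity, whereas hits on archives or media alone are likely benign.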

Some ransomware attacks, however, go light on innovative technology and heavy on psychology. For example, the Trojan application Ransomlock, discovered in December 2010, locks a user's desktop and lists a premium-rate mobile phone number the user must call to restore desktop access, at a cost of $400.

But in a twist, the attack also changes the frozen background image to a pornographic image. As a result, people "are less likely to seek technical help from another person to solve the problem, in an effort to avoid embarrassment," said O'Gorman. The fix, however, is as simple as installing and running antivirus software.

Other ransomware is little more than smoke and mirrors -- more akin to fake AV than Stuxnet. For example, the Bootlock Trojan application, which first surfaced in November 2010, infects a PC and then claims to have encrypted the entire hard drive. It demands $100 to restore it. In reality, however, the virus has simply corrupted the master boot record, which can be restored using recovery tools.
