
'Ransomware' Threats Growing

The malware typically encrypts data or disables master boot records, then extorts money to undo damage and restore access.

A malicious type of attack dubbed "ransomware" is on the rise, with antivirus vendor Symantec seeing at least three new variants appearing in recent months. Such attacks often use viruses not just to steal a person's sensitive or financial information, but also to disable hard drives and demand money to restore them.

"Threats that use extortion can be some of the most aggressive and, in some cases, offensive viruses encountered," said Symantec security researcher Gavin O'Gorman in a blog post.

Unfortunately, attackers continue to advance the ransomware state of the art. For example, GPCoder.G, which first appeared in November 2010, is a small -- only 11 kilobytes -- piece of malware which, if executed, searches a hard drive for files with specific extensions, relating to everything from videos and Microsoft Office files to images and music. It then encrypts the first half of all files found, using a symmetric RSA encryption algorithm and a random key. The random, private key is then encrypted using a public key. "Without the private key from this key pair, it is not possible to obtain the symmetric key in order to decrypt the files," said O'Gorman.

To get the private key, the ransomware victim must forward the encrypted symmetric key to attackers, who decrypt and return it. Unfortunately, aside from restoring the encrypted files from a backup, "there is no way to bypass this technique," he said.
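Because the malware described above encrypts only the first half of each file, a responder can scope the damage by checking for that pattern. The following triage sketch is an added example, not code from the article or from Symantec; the function names, thresholds, and shortlist of file headers are assumptions, and the sample data is constructed.

```python
import hashlib
import math
import os
from collections import Counter

# Leading magic bytes for a few file types of the kinds the article lists
# (Office documents, images). Constructed shortlist, not exhaustive.
MAGIC = {".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".docx": b"PK\x03\x04", ".doc": b"\xd0\xcf\x11\xe0"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(name: str, data: bytes, high: float = 7.5, gap: float = 1.0) -> dict:
    """Flag a file whose first half looks encrypted while the rest does not."""
    half = len(data) // 2
    h_first, h_second = entropy(data[:half]), entropy(data[half:])
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    header_ok = None if magic is None else data.startswith(magic)
    # Signal 1: a known header no longer matches the extension.
    # Signal 2: near-random first half followed by a structured second half.
    suspicious = header_ok is False or (h_first >= high and h_first - h_second >= gap)
    return {"name": name, "first": round(h_first, 2), "second": round(h_second, 2),
            "header_ok": header_ok, "suspicious": suspicious}

def filler(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out = b""
    for i in range(n // 32 + 1):
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
    return out[:n]

def samples() -> dict:
    """Constructed sample files: intact and with the first half overwritten."""
    text = b"quarterly report line\n" * 400
    png = b"\x89PNG\r\n\x1a\n" + filler(8184, b"image")
    damage = lambda d: filler(len(d) // 2, b"damage") + d[len(d) // 2:]
    return {"notes.txt": text, "notes-damaged.txt": damage(text),
            "photo.png": png, "photo-damaged.png": damage(png)}

if __name__ == "__main__":
    for name, data in samples().items():
        print(triage(name, data))
```

The entropy gap only shows on files whose intact content is structured, such as plain text; already-compressed formats are high-entropy throughout, so for those the header check carries the signal.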

Some ransomware attacks, however, go light on innovative technology and heavy on psychology. For example, the Trojan application Ransomlock, discovered in December 2010, locks a user's desktop and lists a premium-rate mobile phone number the user must call to restore desktop access, at a cost of $400.

But in a twist, the attack also changes the frozen background image to a pornographic image. As a result, people "are less likely to seek technical help from another person to solve the problem, in an effort to avoid embarrassment," said O'Gorman. The fix, however, is as simple as installing and running antivirus software.

Other ransomware is little more than smoke and mirrors -- more akin to fake AV than Stuxnet. For example, the Bootlock Trojan application, which first surfaced in November 2010, infects a PC and then claims to have encrypted the entire hard drive. It demands $100 to restore it. In reality, however, the virus has simply corrupted the master boot record, which can be restored using recovery tools.
