Ransomware (malware)
For other uses, see Ransomware (disambiguation).
Ransomware is computer malware which holds a computer system, or the data it contains, hostage against its user by demanding a ransom for its restoration.
Operation
Ransomware typically propagates like a conventional computer worm or trojan, entering a system through, for example, a vulnerability in a network service or an e-mail attachment. Once running it may:
- Disable an essential system service or lock the display at system startup.[1][2]
- Encrypt some of the user's personal files.[3] Encrypting ransomware was originally referred to as cryptoviruses, cryptotrojans or cryptoworms.[4][5]
In both cases, the malware may extort by:
- Prompting the user to enter an unlock code that is obtainable only after wiring payment to the attacker or sending a premium-rate SMS message that accrues a charge.[1][2]
- Urging the user to buy a decryption or removal tool.[6]
More sophisticated ransomware hybrid-encrypts the victim's plaintext: the files are encrypted with a randomly generated symmetric key, and that symmetric key is in turn encrypted with a fixed public key embedded in the malware. The corresponding private key is known only to the malware author and never touches the victim's machine, so neither analysis of the malware sample nor forensics on the infected host can recover the symmetric key. The author who carries out this cryptoviral extortion attack offers to decrypt the symmetric key, and thereby the data, for a fee.[7]
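The hybrid scheme described above, as an added example that is not code from this article or from Young and Yung's Macintosh proof of concept (which used RSA and TEA). It uses textbook RSA with a key pair generated at run time in place of the attacker's fixed key, and a SHA-256 counter-mode keystream as a stand-in for the symmetric cipher; the function names (`extort_encrypt`, `attacker_recover_session_key`) and the sample plaintext are constructed for this illustration.

```python
"""
Cryptoviral extortion structure (Young and Yung): a fresh symmetric key
encrypts the victim's data, and only that key is wrapped under a public key
whose private half never leaves the attacker. Illustrative code, not a real
cipher suite: textbook RSA without padding, hash-based stream cipher.
"""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd candidate with the top bit set, retried until it passes Miller-Rabin."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keypair(bits=1024):
    """Returns ((n, e), (n, d)). Textbook RSA with no padding; illustration only."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    d = pow(e, -1, phi)
    return (p * q, e), (p * q, d)


def keystream_xor(key, data):
    """Counter-mode stream cipher with SHA-256 as the PRF. XOR is symmetric, so it also decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def extort_encrypt(plaintext, attacker_public_key):
    """Runs on the victim: per-victim symmetric key, wrapped under the attacker's fixed public key."""
    n, e = attacker_public_key
    session_key = secrets.token_bytes(32)          # 256 bits, far below the modulus
    ciphertext = keystream_xor(session_key, plaintext)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    # session_key goes out of scope here; only ciphertext and wrapped_key remain on the victim
    return ciphertext, wrapped_key


def attacker_recover_session_key(wrapped_key, attacker_private_key):
    """Runs on the attacker's side after payment: unwraps the symmetric key with the private exponent."""
    n, d = attacker_private_key
    return pow(wrapped_key, d, n).to_bytes(32, "big")


def demo():
    """Round trip with a 1024-bit modulus, the size the Gpcode.AK family used. Returns True on success."""
    public_key, private_key = rsa_keypair(1024)   # assumed: attacker generated this once, offline
    victim_data = b"constructed sample: quarterly accounts spreadsheet"  # constructed input
    ciphertext, wrapped = extort_encrypt(victim_data, public_key)
    session_key = attacker_recover_session_key(wrapped, private_key)
    return keystream_xor(session_key, ciphertext) == victim_data


if __name__ == "__main__":
    print("round trip ok" if demo() else "round trip failed")
```

The point of the construction is visible in `extort_encrypt`: everything left on the victim (the ciphertext and `wrapped_key`) is useless without `d`, and `d` is derived from `p` and `q`, which exist only where `rsa_keypair` ran. Replacing textbook RSA with a padded scheme such as RSA-OAEP and the hash keystream with AES would be the production equivalent; the key-handling structure is unchanged.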
History
The first known ransomware was the 1989 PC Cyborg Trojan (also known as the AIDS trojan), which only encrypted file names, using a weak symmetric cipher. The idea of using public key cryptography for such attacks was introduced by Young and Yung in 1996,[3] who presented a proof-of-concept cryptovirus for the Macintosh SE/30 using RSA and TEA. Young and Yung called this attack cryptoviral extortion, an overt attack belonging to a larger class of attacks in a field they named cryptovirology, which encompasses both overt and covert attacks.
Examples of extortive ransomware reappeared in May 2005.[8] By mid-2006, malware such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive was using more sophisticated RSA encryption schemes with ever-increasing key sizes.
Gpcode.AG, detected in June 2006, encrypted with a 660-bit RSA public key.[9] Gpcode.AK, detected in June 2008, uses a 1024-bit RSA key,[7][10][11] which is believed to be large enough that breaking it is computationally infeasible without a concerted distributed effort.[12]
In late 2010 Kaspersky Lab reported a new GpCode-like ransomware variant, again using a 1024-bit key.[13]
Ransomware has been widely distributed in the Russian Federation and other Russian-speaking countries since 2010. Several million computers in the former USSR were infected over the preceding two years with malware that blocked the Windows operating system from booting, or disabled Internet access, until the user paid the demanded sum through premium SMS numbers or electronic money systems. Such malware, aimed at Russian-speaking users, very often displays pornographic images and text about visiting porn sites, which motivates prompt payment and discourages the victim from calling the system administrator if the infected computer is in an office.
In 2011, a trojan appeared that purports to be a Microsoft utility checking Windows licensing; it threatens legal action and data loss if a "license fee" is not paid.[14]
References
- [1] Lelli, Andrea (2009-04-16). "SMS Ransomware Threat". Symantec. https://forums2.symantec.com/t5/Malicious-Code/SMS-Ransomware-Threat/ba-p/393500#A264. Retrieved 2009-04-18.
- [2] Danchev, Dancho (2009-04-22). "New ransomware locks PCs, demands premium SMS for removal". ZDNet. http://blogs.zdnet.com/security/?p=3197. Retrieved 2009-05-02.
- [3] Young, Adam; Yung, Moti (1996). "Cryptovirology: Extortion-Based Security Threats and Countermeasures". 1996 IEEE Symposium on Security and Privacy: 129–141. doi:10.1109/SECPRI.1996.502676. http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=502676.
- [4] Young, Adam (2005). "Building a Cryptovirus Using Microsoft's Cryptographic API". In Zhou, Jianying; Lopez, Javier (eds.). Information Security: 8th International Conference, ISC 2005. Springer-Verlag: 389–401.
- [5] Young, Adam (2006). "Cryptoviral Extortion Using Microsoft's Crypto API: Can Crypto APIs Help the Enemy?". International Journal of Information Security (Springer-Verlag) 5 (2): 67–76.
- [6] Cheng, Jacqui (2007-07-18). "New Trojans: give us $300, or the data gets it!". Ars Technica. http://arstechnica.com/security/news/2007/07/new-trojans-give-us-300-or-the-data-gets-it.ars. Retrieved 2009-04-16.
- [7] Naraine, Ryan (2008-06-06). "Blackmail ransomware returns with 1024-bit encryption key". ZDNet. http://blogs.zdnet.com/security/?p=1251. Retrieved 2009-05-03.
- [8] Schaibly, Susan (2005-09-26). Network World. http://www.networkworld.com/buzz/2005/092605-ransom.html?page=3. Retrieved 2009-04-17.
- [9] Leyden, John (2006-07-24). "Ransomware getting harder to break". The Register. http://theregister.co.uk/2006/07/24/ransomware/. Retrieved 2009-04-18.
- [10] Krebs, Brian (2008-06-09). "Ransomware Encrypts Victim Files With 1,024-Bit Key". Washington Post. http://voices.washingtonpost.com/securityfix/2008/06/ransomware_encrypts_victim_fil.html. Retrieved 2009-04-16.
- [11] "Kaspersky Lab reports a new and dangerous blackmailing virus". Kaspersky Lab (2008-06-05). http://www.kaspersky.com/news?id=207575650. Retrieved 2008-06-11.
- [12] Lemos, Robert (2008-06-13). "Ransomware resisting crypto cracking efforts". SecurityFocus. http://www.securityfocus.com/news/11523. Retrieved 2009-04-18.
- [13] "GpCode-like Ransomware Is Back". Kaspersky Lab. http://www.securelist.com/en/blog/333/GpCode_like_Ransomware_Is_Back. Retrieved 2010-11-29.
- [14] The Register (2011-09-07). http://www.theregister.co.uk/2011/09/07/ms_ruse_ransomware_trojan/.
Wikimedia Foundation. 2010.