Over the years the nature of computer viruses has seen a change in focus. When the earliest reported example, Creeper, first appeared back in 1971 its sole purpose was to gain access to a system and display the message ‘I’m the Creeper, catch me if you can!’. Now, with so much valuable information about us stored on our computers and web services, something far darker has emerged. Ransomware is a new class of virus / trojan horse that has begun to appear on PCs in the last few years, and it is something you should be very concerned about.
The principle of Ransomware is simple. Usually it sneaks into a system disguised as an email attachment and, if opened, then proceeds to encrypt the files on your machine. When this has completed the virus deletes itself and tells the user that their data has been taken hostage and will only be released if they pay the demanded ransom for a key. These style of attacks were first reported in Russia back in 2004, with the Gpcode trojan horse. Security analysts at Kapersky labs were able to crack the hold Gpcode had over data by exploiting mistakes the author had made in the code.
Now it’s back and this time the encryption is rock solid.
CryptoLocker is the latest Ransomware virus to strike unsuspecting users, and so far it’s proven impossible to crack. What’s more, it doesn’t just take all the data on your hard drive.
“It also searches for files on all drives,” reported Steve Gibson on the Security Now podcast, “and in all folders it can access from your computer: including workgroup files shared by colleagues, resources on company servers, and more. Anything within its reach it encrypts…so if you have hot online backups they’re victims of this. Essentially the more privileged your account is, the worse the overall damage will be.”
When all of this is completed, Cryptolocker puts up its money demand page, complete with options of payment (Bitcoins or MoneyPak), usually for around three hundred Euros. There’s also a badly worded message telling you that your files have been encrypted and that any attempt to remove the software will destroy the only key that could possibly decrypt it. In a James Bond-style moment of drama the authors place a countdown clock, normally set for 72 hours, which immediately begins to tick down to the moment your data will be destroyed forever. Photos, videos, documents, music, pretty much anything at all that is on your hard drive, all gone.
The structure of the virus is such that it’s not actually possible to create a key for the encryption, because the data needed to do so is held only by the originators of the virus.
“The RSA encryption algorithm uses two keys: a public key and a private key.” explains Kapersky lab expert VitalyK on the Securelist website. “Messages can be encrypted using the public key, but can only be decrypted using the private key. And this is how Gpcode works: it encrypts files on victim machines using the public key which is coded into its body. Once encrypted, files can only be decrypted by someone who has the private key – in this case, the author or the owner of the malicious program.”
The removal of the virus itself is of little use to the victim, and shutting down the server that holds the key will only result in the loss of the decryption tool, plus this is difficult because the servers switch location on a weekly basis. So most people who suffer a CryptoLocker attack are given the simple advice of either paying the ransom or losing the data, but like in any hostage situation you can never guarantee that the criminals will honour their terms.
Such is the increase of the CryptoLocker attacks in the UK that the National Crime Agency released a statement from its Cyber Crime unit in which it warned:
“The emails may be sent out to tens of millions of UK customers, but appear to be targeting small and medium businesses in particular. This spamming event is assessed as a significant risk.”
The complexity and sophistication of a program such as Cryptolocker is in itself an unsettling precedent. It suggests more than a simple bedroom hacker with impressive coding skills and little conscience, but instead has traces of the fast growing underworld of professional cyber criminals.
“Something of this size…is a well organised group.” says Stephen Doherty, Senior Threat Intelligence Analyst at Symantec. “There’d be dedicated segments to this, because its such a large and focussed operation. The distribution of Cryptolocker in recent weeks is as high, or higher, than most trojans you’d see out in the wild.”
The need for resources to actually run the scam is also a clue to size of the proponents.
“There’s a lot of stages to this,” Stephen continues, “to infect so many machines on an ongoing basis, and try to process all the money in the background. You’d want a well organised team behind you.”
How to protect yourself from a Cryptolocker attack
The rise of the interconnected digital world has brought with it problems that previously existed in the physical realms. From chancers who play on the innocence of victims, up to serious organised crime that has money, skills, cruel intentions and the willingness to use them on the unsuspecting public.
Take solace though, that we do have ways to protect ourselves from these evil spectres of the web.
The first, and most obvious, is to regularly run full backups of your valuable data and then remove the drive from your computer, preferably storing it off-site. See also: How to back up your PC and laptop
Another is to create several online backups via free services such as Dropbox, Google Drive, Skydrive, etc., which usually offer versioning – and thus a way to roll back to older versions of your files.
The most important though is to never, ever open a file or link in an email or on a social website unless you’re sure it was deliberately sent by the person themselves. It may seem interesting at the time, but the results could be utterly catastrophic.
Irish Web Design – Protect yourself from CryptoLocker