Schneier on Security
A blog covering security and security technology.
May 30, 2005
Holding Computer Files Hostage
This one has been predicted for years. Someone breaks into your network, encrypts your data files, and then demands a ransom to hand over the key.
I don't know how the attackers did it, but below is probably the best way. A worm could be programmed to do it.
1. Break into a computer.
2. Generate a random 256-bit file-encryption key.
3. Encrypt the file-encryption key with a common RSA public key.
4. Encrypt data files with the file-encryption key.
5. Wipe data files and file-encryption key.
6. Wipe all free space on the drive.
7. Output a file containing the RSA-encrypted file-encryption key.
8. Demand ransom.
9. Receive ransom.
10. Receive encrypted file-encryption key.
11. Decrypt it and send it back.
In any situation like this, step 9 is the hardest. It's where you're most likely to get caught. I don't know much about anonymous money transfer, but I don't think Swiss bank accounts have the anonymity they used to.
You also might have to prove that you can decrypt the data, so an easy modification is to encrypt a piece of the data with another file-encryption key so you can prove to the victim that you have the RSA private key.
Internet attacks have changed over the last couple of years. They're no longer about hackers. They're about criminals. And we should expect to see more of this sort of thing in the future.
Posted on May 30, 2005 at 8:18 AM
• 28 Comments
There are ways to send the money without a formal destination account. Services that have a similar interface like a Postal Check to a (well chosen) foreign country should do the work.
You don't even need to do steps 2-7: As German computer magazine c't pointed out, most hard discs nowadays (ATA/SATA) have built-in encryption. Just break into the computer and set a password, voilà.
The only problem is to leave the ransom note.
Hard discs don't have encryption built-in...just a password protection feature that is easily abused.
Hardware-based encryption is far more expensive to implement than the basic password protection system used in hard drives and not a feature on any commercially available hard drives I can think of.
This type of attack may be mostly mitigated by keeping good backups. To ruin them you need to sit there for a long time and destroy backups as they are made.
Anybody who would pay the ransom would be a fool.
Even if the attacker gives you a key to decrypt part of the data, to prove his intention to "give your data back", there will be no guarantee that he will give you the key for the rest of the data.
If someone is mean enough to attack you in this way, why would you trust him anyway?
As Arik said, the only defense is to have backups. Which is a good idea anyway as I'm pretty sure that right now, you have more chances of having your hard disk crash than to be the target of such attack (that may change in the near future though).
As for the exchange of money, there are plenty of ways that can be done (remember, we deal with a bad guy who probably can use some stolen identity to open bank accounts). If someone is willing to pay the ransom, he will probably do it in a really short time frame (I assume that the longer the data is held hostage, the more it will cost the victim in terms of loss of revenue and/or productivity), probably before the authorities can react.
There's a very good reason for a criminal to send the key in exchange for the ransom. Namely, the criminal would be much more likely to be paid after the first round of attacks.
When I first heard of this new virus attack, I thought "how lame is that - all you need to do is restore your compromised files from the backup". It further occurred to me that anyone diligent enough to make regular backups would probably be equally diligent with their AV software, so wouldn't succumb to the infection in the first place.
But thinking about it further, I reached the conclusion that such people are in a minority. If you're reading this, you're probably in that minority (being interested in crypto/computer security) - but the 'average' internet user won't have sat down at some point and decided to implement an effective backup solution.
I think there will be many non-technical folk who will be at real risk of losing data because of this. And because they don't have backups, some victims will feel desperate enough to hand over money in an attempt to get their data back.
It's a similar story with phishing - some people are *still* falling for it - and the banks are still reporting losses caused by it. But at least with phishing the banks generally cover the loss (albeit grudgingly) - with this virus it's the victim's own money that is being handed over.
There will probably be the usual copy-cat viruses, but it wouldn't surprise me if this 'con' simply became yet another component of the mainstream viruses, along with things like keylogging and backdoor opening. Just another technique to extract something from the victim - be it data, bandwidth, or in this case - hard currency.
Actually, it is quite a philosophical question - if you have a real untraceable tool to receive the payment, you can blackmail ANY amount from ANYBODY using ANY pretext a schoolboy can invent. It is a really HARD problem breaking the traces on money trail. Even if you go to bank with "stolen identity" your face is recorded on video surveillance. If you steal more than hundred grands, sending "abroad" just does not work - following steps "abroad" becomes quite economically efficient even in this price range.
I would recommend everybody reading details about Belfast Northern Bank Robbery (happened about the last Christmas). They managed to steal 30+ millions CASH, but it was a GREATLY planned military operation.
They are very deep into details - they cut hair short in order not to leave DNA-identifiable traces, they put all the clothing used in the process in the fire etc.
My point is - to have this system of extortion-moneys-receipt working, you need the same degree of care for every small detail. And it is REALLY HARD WORK.
Nice idea, but I simply don't see why a victim doesn't just use its backups. Another thought is the attention all this wiping is certainly going to arouse. I don't know about you, but wiping really takes a lot of resources on my machine if done properly and the first thing stupid end users like to complain about is that their computer seems to be so slow all of a sudden.
Problem is even if you do it with a worm, even if there's no backups and even if there's something worth any cash on the disks you still have to leave contact information on the compromised machine (maybe put a text file on desktop named "readme if you want your files back.txt"). That would already make it almost impossible for the attacker not to get caught.
Would probably work better for terrorists: release worm, demand something and then make the private key public (or release a program with the private key builtin for decrypting all the files).
On Slashdot, there was mention of the "Casino.2330" virus that existed years ago. This virus erased the FAT (file allocation table) from the disk after copying it into memory. The virus then displayed a slot machine game and invited the user to play. The user had to win the game for their FAT to be restored. See http://www.avp.ch/avpve/file/c/casino.stm
In 1989, a mailing consisting of a floppy disk and a license was sent to 20,000 recipients. The software on the disk provided an assessment of the user's risk from HIV/AIDS. Users were encouraged to install the software. However, a hidden mechanism in the software would encrypt and hide files on the user's system after a delay had passed. The included license warned (in very small print) of "most serious consequences" for violating the license. Users were supposed to send a license fee to a PO box in Panama for "PC Cyborg Corporation." A one-off license cost $189 and a lifetime license cost $378. Those who paid the license fee would receive a "renewal software package." The originator of the software was located but was found unfit to stand trial. See the "AIDS Diskette" entry at http://www.virusbtn.com/resources/...
Regarding step 9: There was an incident where an individual was trying to extort money from a dairy company. They had already carried out an act of product tampering against this company. The individual demanded that bank card details for an account be embedded in an image file. This image file was to be posted on a public web site. Sometime afterwards, the image file was downloaded via an anonymity proxy service. However, the anonymity service cooperated and identified the individual who had downloaded the image. See http://www.theregister.co.uk/2004/03/24/...
You wouldn't really need to accept any payment, just have the virus ask for a credit card number and perhaps some other personal information and then send it to an IRC channel which the attackers can watch.
Plus you don't really need such a fancy encryption algorithm, anybody who would actually make the payment is unlikely to know how to clean their computer of the most basic virus.
These guys should be charged with illegal duplication of a business model.
DRM and trusted computing are all about holding users' data hostage, how dare they copy that without paying royalties?
Once your data is 'protected' so that only 'trusted' applications can use it, this sort of thing will be commonplace, but it will be done by big companies, and therefore will be seen to be legitimate.
Want to keep accessing your data? Well, you'll just have to keep using our software to do it. Oh, and we're switching to a leasing model, so just leave your credit card details after the beep and we'll automatically take what we want.
You think it's tough breaking your data out of proprietary formats today, wait till it's encrypted and DMCA protected!
Here's a nastier variant:
1) Malware encrypts files, but decrypts them on the fly when the user accesses them - so far, the only symptom is a performance loss
2) Diligent user backs up files - not knowing they are encrypted.
3) 3 months later, the malware deletes its decryption key and issues the demand. Now even with backups, you stand to lose at least 3 months data, and even diligent users are likely to have reused their backup media over that time.
A weakness (from the criminal's point of view) is that there is a period of time when the decryption key must be stored on the computer - if the user realizes what is happening (e.g. tries to read the backup media on a different machine) then forensics should be able to recover the key.
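The check mentioned in the comment above, reading the backup on a different machine, can be automated. The following is an added example, not part of the original post or comments: it audits a restored backup tree for files that no longer look like their own format. The signature table, the text-extension list, the 7.5 bits/byte threshold and the sample file names are assumptions made for the illustration.

```python
import math
import os
import tempfile
from collections import Counter

# Well-known leading signatures. Compressed formats (zip, jpg) are already
# high-entropy, so they are judged by header rather than by entropy.
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}
TEXT_EXTS = {".txt", ".csv", ".log"}
ENTROPY_LIMIT = 7.5  # bits/byte; assumed cut-off (random data sits near 8.0)

def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution: 0.0 (constant) to 8.0 (uniform)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def check_file(path: str, sample: int = 65536) -> str:
    """Classify one restored file as 'ok', 'suspect' or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    ext = os.path.splitext(path)[1].lower()
    if ext in MAGIC:  # format with a fixed header: ciphertext will not match it
        return "ok" if head.startswith(MAGIC[ext]) else "suspect"
    if ext in TEXT_EXTS:  # no header: text scores far below random bytes
        return "suspect" if shannon_entropy(head) > ENTROPY_LIMIT else "ok"
    return "unknown"

def audit_restore(root: str) -> dict:
    """Walk a restored backup tree; map relative path -> verdict."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for full in (os.path.join(dirpath, f) for f in files):
            report[os.path.relpath(full, root)] = check_file(full)
    return report

def demo() -> dict:
    """Audit a constructed restore tree: two intact files, two ciphertext stand-ins."""
    samples = {
        "report.pdf": b"%PDF-1.4\n" + b"constructed sample body\n" * 50,
        "notes.txt": b"quarterly figures, draft two\n" * 100,
        "invoice.pdf": os.urandom(4096),  # constructed: random bytes as ciphertext
        "todo.txt": os.urandom(4096),     # constructed: random bytes as ciphertext
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return audit_restore(root)
```

Run `audit_restore` against a restore made on a machine other than the one that wrote the backup, so that nothing on the original host can decrypt the files on the fly during the read.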
How does the malware know it's a backup program accessing the file?
In a DRM/TC-enabled world all this would be a feature of the system. All you need to do is change the policy on the files to say "deny access after unless authorised by ". The system would then do all the hard work for you.
If there is a way to circumvent this sort of thing, then DRM/TC is useless because the same techniques can be used to illegally copy anything.
If there is no way to circumvent this sort of thing then DRM/TC might just be the biggest and best weapon in the malware-writer's arsenal.
"deny access after <some date> unless authorised by <bad-guy>"
input filters ate my < > 's
The problem executing step 9 is that the user has time to start countermeasures. A much simpler variant could be self-contained: the user would have a limited amount of time to activate the money transfer (5-20 minutes), the decryption would be done automatically after verification of the transfer.
With a reasonably short time frame, the user cannot contact anyone to a) help stop the encryption or b) trace the money transfer. Additionally, a back-link is not required. Users without credit cards/paypal, etc will have tough luck. The amount should be something the user can afford to lose quickly (ie. $100-200).
The only remaining problem would be the money transfer: if credit cards are used, it could be blocked/refused afterwards.
The next step would be to accept "payment" in other "currencies", i.e. things that are worth an equivalent amount of money to the attacker (and which can be verified online): e.g. Identity information (names, addresses, ss-no's, etc.). How would "Joe User" feel when he has the choice of either transferring $200 or entering all his personal data? Which would he choose? How much would the personal data be worth?
Step 9 could be achieved by indirect methods. Let's say you do this to a Fortune 500 company and demand that they issue notification stating that their next quarterly results are probably declining. You would collect ransom by short selling the stock. Government could be blackmailed to raise/lower interest rates, but that would probably require nukes, or sharks with lasers on their heads.
Those holding the data hostage not only now know the data since they own a copy, they could also manipulate it in their favor before giving it back.
If IT got lazy and didn't backup copies and verify the copies were backed up correctly, it's time to call a loss and learn "the lazy work twice as hard". Paying the ransom would only show weakness and it is likely it wouldn't be the last time this weakness is exploited.
I have encountered entities such as lawyers and doctors that hold their clients data on their personal office PCs that are hooked up directly to the net sans any type of AV or FW. If that isn't scary enough, just watching them look at you with eyes glazed when you ask them when their last backup was put on removable media... is. In the end they blame their problems on "hackers" when the real problem is facing them in the mirror.
An old virus named Onehalf (or Slovak Bomber, Explosion-II or Freelove) also encrypted the hard disk, using stealth technology, in 1994. It is too old to work on Windows 95.
Every time an infected computer is booted, the virus encrypts the last two unencrypted cylinders on the hard disk. When information is retrieved from the encrypted area, the virus decrypts it on the way. The key is stored in the MBR only. (citation from http://www.f-secure.com/v-descs/one_half.shtml)
> The only problem is to leave the ransom note. (Anonymous May 30, 2005 09:05 AM)
Solution : print it on available printers !
"Anybody who would pay the ransom would be a fool."
And the reason nothing will ever be made foolproof is that they keep inventing bigger fools. And not only the technically inept could fall victim to this. I am willing to bet that there are regular readers of this forum who lack a backup which would meet their own criteria for best practices.
All those people saying "just restore from backups": note that with the rise of DRM, people will have increasing numbers of files which are already encrypted and whose key management is designed to resist backups. It's not immediately clear to me how to attack these systems, but I suspect ways will be developed.
"You have $1,000 of music purchased from iTunes. You will not be able to access this until you pay us $100."
"You have $1,000 of music purchased from iTunes. You will not be able to access this until you pay us $100."
Fortunately at the time you were using PyMusique...
How does the worm know which files to encrypt and which to leave alone? If the worm encrypts the entire hard disk, or all files on the file system, the OS would be unbootable and the user would be unaware of the ransom demand.
If the worm was set to only encrypt certain files, say, all the files in $HOME or "Bill's Documents", then there is a good chance it will accidentally encrypt a file which is readily available in an unencrypted form, or where details about the plaintext are known. Plaintext fragments of the files may also exist in deleted areas of the filesystem.
In this situation, an antivirus live CD could be created to use the known plaintext and attempt to decrypt the user's data (naturally, this would be dependent on the AV developer analysing how the worm does the encryption in the first place)
@neko: ever heard of TrueCrypt? It can encrypt even the OS, and it still works transparently...
Sad thing here is, TrueCrypt is open sourced, so hackers could just use that code to encrypt your data!
Now, windows hdd is holding my ram space hostage but they, or someone using windows hdd, is offering to fix the problems if we pay for their service.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.