Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: SQUIDs |
| Terrorist Watch List: 20,000 False Alarms »
July 23, 2007
Computer security people have been talking about this for years, but only recently are we seeing it in the wild: software that encrypts your data, and then charges you for the decryption key.
PandaLabs points out that this is not the first time such a Trojan has made the rounds, citing PGPCoder as having a "long record on the ransomware scene." Ransom.A is another Trojan that presented to the user both a shorter time frame and a significantly lower bounty -- a file was to be deleted every 30 minutes unless the user paid up the ransom of $10.99. Finally, Arhiveus.A also encrypted user files, but instead of demanding money, instead demanded that the user purchase products from an online drug store.
There appears to be no information available regarding what happens when the user attempts to contact the address in the e-mail or whether the alleged decrypting software actually does the job it's supposed to do. Gostev places a strong warning on his blog, however, saying that if you find yourself infected with Sinowal.FY, Gpcode.ai, or any other type of ransomware, do not pay up "under any circumstances." It also doesn't appear as if there is currently any antivirus solution that can help decrypt the files once they are encrypted, although Gostev says that the Kaspersky Lab team is currently working on a decryption routine.
Posted on July 23, 2007 at 6:08 AM
• 33 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
The failing with this sort of thing in the past has been the "collect money" stage. Invariably it has indicated who might be responsable (follow the money axiom).
It would be interesting to see how they are working it this time.
Of course the obvious question is at what point are the authorities not interested...
If you look at all the "you have won the lottery" scams where people send money and just how many get fleaced repeatedly.
And then see how they crooks get away with it because the Police are not interested because the value of the individual crime is to low and it crosses one or more jurisdictions.
It should therefor be possible to make it work...
software that encrypts your data, and then charges you for the decryption key? I thought that was called Microsoft Office?
Well, there is no other way out than doing offline layered backups like it is taught in the schoolbooks!
Most people, even people who have lost important data, do not seem to want to learn this.
Correct me if I'm wrong, but I would say one defense would be frequent backups of data to revert to in the instance of ramsom. Granted, it would have to be frequent enough to not lose data and stored on a media unreachable by the ramsomware. But it would be one defense (I'm sure there are others).
Sorry about above--somehow I breezed over the backup comments in the linked article.
I haven't had coffee yet.
Well, Kaspersky said before that they were able to "crack" ransomeware (GPCode variants) using a 330 bit RSA key in ten hours and then a 660 bit RSA key in a short period of time. Those are certainly not long keys, but claiming that the AV industry can crack them in such short periods of time is not realistic either (If AV companies had that cracking power, we would have a much worse security problem in our hands).
It won't be long until criminals learn to implement cryptographic protocols properly (or use libraries such as openssl for that matter) and get around AV elite cryptanalysis techniques.
The main problem here is not the use of cryptography though. Blacklist-based security controls such as antiviruses, antispyware, and anything depending on updates have been known to be very limited for decades (Fred Cohen demonstrated this long time ago), it is just now that we are starting to realize how bad those controls are.
We should leave those kind of controls to the average, non-security expert, home user, since we can't expect them to properly configure complex white list controls (my mother won't have a clue if a pop-up window asks her to permit or allow an outbound connection by whatever.dll). But I don't see an excuse for big companies and organizations (other than negligence and ignorance) to still rely heavily on these kind of controls for their security.
Big companies simply should invest on a software certification process and then put appropriate security controls in place to enforce a policy that "only allows to execute that which is explicitly permitted". That's it.
Of course, I realize that current whitelist-based solutions are limited because the industry seems to have stalled in the individual user market (puting a central console to handle controls design for individual security is not what I would call exactly "enterprise" security). Ideally these solutions should integrate fairly well with software certification and patch management processes and work at the kernel level, but we are not quite there yet.
So, after all these years, we do realize that all those theories about trusted kernels and secure operating systems were useful. We were playing the "patch with less cost and apply pseudo-preventive controls" game with script kiddies, and now that real criminals entered the scene with targeted attacks we might just start to get serious about security.
Previous cost analyses were not incorrect. It really used to be more cost effective to use things like an Anti-X to deal with most attacks in the past, but those analyses are not accurate for our current needs.
As someone who's personal data reaches into the partial-TB size territory (spread across multiple machines), backup systems for home use are almost non-existent, or frighteningly expensive.
I remember when a tape drive and tape that could hold a full backup of my HD cost far-far less than a second HD, and I could put in new tapes for my incrementals off the last full backup. But that was ~15 years ago or more.
The last time I looked at a removable backup mechanism that could hold as much data as my drives do, it cost over $1k to get a tape backup system for a 250-500GB system.
External drives are probably the answer these days, but that's cumbersome.
Unfortunately, unless it's easy, and cost effective, constant backups are just difficult, and expensive. The security tradeoff for the average user is just not in the favor of making backups.
Luckily, over the last 20 years that I've been using computers, data loss has been steadily getting to be less and less of a problem. MTBF of drives is longer than the drives are in use, software is getting more reliable, and safe computing pracitices are getting easier and easier to do.
I run Macs, PCs, and 'nix boxes, and in cases, find viruses and trojans to be less of a threat than in the past. But I think that is due to changes in habits, and the increasing security of the browsers and OSs.
There may be more of them, but it seems like they are landing locally with less frequently.
But as I am an ancedotal data point of 1, that may not be a sound set of observations.
@Randy: "Looks like the encryption employed is pretty weak."
Likely. However, a ripe target may be users who are not IT experts, so it may as well be unbreakable to them.
Of course, anti-virus or anti-spyware may be able to begin decrypting if this becomes too problematic. Then they will use stronger encryption, then more countermeasures, then stronger encryption, etc. Round and round we go. Let the games begin.
@Randy, Sez Me
Interestingly, the malware authors actually know what strong encryption algorithms are - the ransom note says they've used 4096-bit RSA. But the implement a (homebrew) symmetric encryption algorightm with a hard-coded key.
You have to wonder what the heck is with these people! Encrypting a file is not hard, and they've had how many tries and not gotten it right? They wouldn't even have to write the encryption routines themselves, there are libraries they could use.
> The last time I looked at a removable backup mechanism that could hold as much data as my drives do, it cost over $1k to get a tape backup system for a 250-500GB system.
Use a set of ordinary HDs as your removable media. See the URL for one way to do this.
It looks like programmers can't resist coming up with "teh greatest" encryption system then, which provides more fodder for this blog.
If Windows Home Server takes off, then backups may become more prevalent. Of course, then ransomware would become a bit hard to pull off when it's $$$ vs. a 2 hour (or however long it takes) restore from backup.
just don't pay :) it's a pretty simple solution
I don't understand why the ransomer bothers to encrypt the data at all. It would be simpler to just overwrite the data with random numbers and *CLAIM* to have encrypted it with some unbreakable scheme.
If the victim pays, it's not like they can ask for a refund.
if the writer can't produce the plaintext, then that news would get out quickly, and far fewer people would pay.
Assuming the writer actually got the crypto right (in principle easy), came up with a way of taking payment without being busted (much harder) and came up with a good mass-distribution mechanism (probably somewhere in between), there would be a huge number of people willing to pay - but probably only if it was confirmed that the attacker was reliably getting people their files back.
By reading this post, you have been infected with the Amish virus. You are honor-bound to delete several random files on your hard drive. Thank you. Have a nice day.
I don't see that the reputation of the writer is a factor. It's possible that a writer may have a bad reputation for not returning plaintext, but no former victim will ever endorse a ransomer even if he *did* return their plaintext after payment.
This then becomes a problem like spam: infect as many computers as possible, and hope that a few victims will pay.
Bonus points if you steal their data first and then use it to tease them... or for blackmail: "We'll send your browser history to your boss/spouse" unless you pay up.
A similar event is happening with the proliferation of kidnapping in Iraq. The victims families are extorted for ever higher amounts of money, but (unfortunately) almost none of the kidnap victims are ever returned alive. "Trustworthy" kidnappers do not advertise.
@clive: Collecting the money in this case is certainly the most difficult, but what if the "payment" took some other form? In particular, the virus informed the user it would decrypt files at random for a certain duration of time in exchange for using the computer resources (spamming, DDoS, other other nefarious purposes :-)
Another interesting application might be distributed attacks on an asymmetric key. The key you use to encrypt all of the users file is the public key of some adversary whose private key you want to recover. The infected machines then work as a part of a distributed computing network to recover the private key. For widespread enough infections and a small enough key, it might make sense for users to let the virus run it's course.
@Justin: Using a bot-net for distributed attacks is an interesting application. However, most victims who knew their computer was compromised would probably freak out and unplug.
Isn't that why today's bot-nets do not hog system resources? If the victims don't experience any processor/network lag, they won't dig deep enough to know they've been compromised.
For those suggesting complicated (to an ordinary user) backup schemes, those that know how to do this likely know how to secure their machines also. Not saying you can't make a mistake if you know what you are doing, but it's definitely less likely to occur.
In every ransomware discussion there are someone arguing that one should not pay, because it's no guarantee that the evil-doers will give you your data back.
The problem here is the false assumption that the evil-doers primary objective is to be and exercise evil.
Their ultimate goal is money and it makes perfect sense to treat their "costumers" (people with filenapped data) well.
When average joe has his data filenapped he can choose to
A) invest time and effort into restoring the files without paying the ransom with additional risks such as loosing it all (anti-tamper-ware or something).
B) pay up, the perceived price(or cost) of paying up is Ransom / (How likely you think you are to actually get your data back). The ones arguing that they would not pay is simply because they have little faith that their data will be restored, and hence has a very high perceived price.
I'm no economist, but I think it's fair to assume that joe will choose whatever seems cheapest. Then, in order to maximize their profits, the ransomware operators can use methods to either decrease the cost of their "product" or increase the cost of the alternative.
The easiest way to get happy costumers is to give them exactly what they want:
- Easy, timely and reliable restoration to pre-ransom state.
And that is an incentive of the "evil-doer", whether it is strong enough and has high enough ROI to be worth doing is another discussion :)
Q. Do passengers carrying breast milk need to taste it to prove it is not a liquid explosive?
A. No. We will not ask a traveler to taste breast milk.
I can't believe I'm reading this from official source. Whole thing is a huge joke. I feel sad for all Americans, and am very disappointed that rest of the world had to follow and adopt these silly rules. It's only good for terrorist government that wants to keep its citizens hostages, afraid that at any moment they might break a rule or law and be sent to very dark place where no human right exist.
I would be tempted to believe on the evilness of the datanapper.
My rationale would be that
1) in order to be effective the encryption would need to be asymmetric having public /secret key pairs.
2) my data would not be sent to datanapper on any point (it would cause logistical problems on the side of the datanapper + trust problems on my side as the data would be now exposed to 3rd parties on transport)
3) If I was being sent the secret key what would prevent me from sharing it. Again - generating multiple public/private key pairs would be efective but would require lot's of effort on attackers half.
As to all above - it would be just plain easier not to bother with it but to scramble my files on unrecoverable manner and claim to have applied very sophisticated encryption
While I agree that the datanapper's goal is to get money, I disagree that their relationship to the victim is that of a customer/vendor.
There is a psycological disconnect where the average person might think of the ransomer as a businessman, but that is simply because the average person has never dealt with a true criminal before and will mis-categorize it into the customer/vendor relationship which they relate to on an everyday basis.
Extortionists are criminals, pure and simple, and cannot be trusted to provide any service. They have already stolen your data. Are you going to give them your money too?
If you do give in to the ransom demand, how do you know they won't just do it again, or just ask for more money?
They will give the appearance of treating their "customer" well, when in reality they are just angling for more money. In that regard, they are closer to the 419 Nigerian scam, which is based on social engineering and the acquisition of (undeserved) trust.
Of course, the moral reason why you shouldn't give them your money is because they will use it to expand their operations and extort someone else.
I'd think it wouldn't be very difficult to come up with a reasonably secure encryption scheme to really make it practically unbreakable.
(note: I guess the "everybody can invent a scheme he himself cannot break" rule applies here)
(Is there a naming convention for keys?
Here, "Ap" means the public part of keypair A, "As" stands for the secret key of the pair)
1) distribute a public key with the trojan. (Ap) This key is the same for every instance of the trojan.
2) on the infected computer, generate a keypair (pair B), and a key (K) for symetric encryption.
3) Use the key K to encrypt the user's data
4) Encrypt key K with the public key Ap and private key Bs (generated in step 2). Store the result, and destroy key K.
5) When the user pays the ransom or whatever was the purpose, have him send the encrypted key K and public key Bp.
6) Since the attacker has private key As, he can decrypt key K and send it to the user. This key can only be used for this particular user.
Assuming a tested (open-source) crypto library is used, which we assume has no big known vulnerabilities, the scheme would seem secure (at least to me). I would think the weakest part of the scheme would be the proper destruction of key K.
Even if the encrypted and plaintext keys K of many users would be collected, there would probably not be enough data for cryptanalysis, since the key can be relatively small.
Figuring out how to collect the money without getting caught is left as an exercise to the reader.
@Stian Ovrevage: Microsoft doesnt produce value for money to keep customers happy, why would a malware author...?
I'd think it wouldn't be very difficult to come
up with a reasonably secure encryption scheme
Why bother? If you want USD 10.99 for decryption, you don't expect to deal with very sophisticated victims. ROT13 would be adequate for an ``honest'' datanapper. (For the dishonest ones, as suggested by @xrey, just trash it.)
I don't think your keypair B is necessary - the attacker doesn't care if the encrypted symmetric key is discovered, nor if the decrypted symmetric key is discovered once payment is received (nor does the victim, although they might want to hide the entire fact that they fell victim).
It would be enough to generate a random K, encrypt the files with K, present the victim with ENC(A_pub, K), and delete K and all the plaintext files.
The victim then sends the attacker payment along with ENC(A_pub, K); the attacker decrypts with A_priv, and sends back K.
I think you are right; I was thinking of the usual public/private and private/public key combinations. Keypair B is not actually used to keep anything secret.
My understandig of asymmetrical cryptography is not sufficiently thorough to say if the second keypair is actually necessary. I guess you could just use static keys, or simply set both to 0. (0,0 would be a valid, although rather weak keyset, wouldn't it?)
I was thinking this might introduce a new vulnerability, or at least aid cryptanalysis, since all keys K are encrypted with the same public key. I'd guess brute-forcing might be more difficult if a different keyset B is used on every compromised system.
Of course, if brute-forcing is a viable option, you (as the attacker trying to extort people) already screwed up.
The system hooks installed in order to capture events in order to generate the keys might give the trojan away (as it would be something all trojans of this type would need to do), but that doesn't really matter since you need to generate key K anyway.
I wonder if you would really need any invasive and obvious system hooks to gather entropy, perhaps the information supplied by less obvious system calls, accumulated over a the course of a few minutes or even hours, along with network traffic and such things, would be sufficiently chaotic to generate a reasonably secure key.
Of course, this would theoretically more predictable and therefore less secure, I'd think it would be good enough for this purpose. Since the victim typically only finds the trojan after the damage is done, it is to late to capture the data the trojan used to generate the key.
Would it be possible to detect this type of trojan by its key generating behavior? Also, what would be the least intrusive and least detectable way to generate a sufficiently secure key?
One rather minor problem with this trojan would be that all the encryption has to be done without any interruptions (reboots), otherwise key K will be lost (since it should not be written to the harddrive unless encrypted). One simple way around this would be to store the encrypted key K before beginning encryption of the files, and upon reboot, generate a new key K and continue encrypting files that have not already been encrypted. The user would then need to send multiple encrypted keys, one for each session. The attacker would need to find a way to figure out which of the keys was used to encrypt a specific file. This can of course be stored in the header. Alternatively, a small section of the file could also be stored in plain text, so that each key in the set can be tried until the right one is found.
I am rather interested in how the attacker would collect the money without getting caught. Does anybody know if anyone ever got away with such a thing? I can't think of any way of transferring money, especially from such a large number of victims, which can't be traced to the recipient.
Rot13 might be sufficient, to disturb most victims, but the AV-Industry would have an easy job, offering a solution.
If the victim knows, the file in "my documents\sarah" is a word-xy-document, containing the words "love you" "kiss you", wouldn't that make decryption much simpler, and help in decryption of the rest of the files?
I'm not an expert in cryptography.
Then: Placing a honeypot-pseudodocument, just containing 1000 blanks in your home: wouldn't that make decryption and gaining the key just more easy?
Of course, not klicking on emailattachments is just more easy, to avoid the problem at all.
Most victims don't go public - do they?
Clicking that damn "vanessa.jpg[.exe]", and find documents encrypted - "Haha".
You paid for decryption? "Hahaha! You fool!"
Nothing happend? "Hahahaha - stop it!"
If you have some experience with cryptography you should really look at the book Malicious Cryptography by Adam Young (http://www.amazon.com/Malicious-Cryptography-Cryptovirology-Adam-Young/dp/0764549758). It might be a bit technical, but it presents interesting ideas and solutions to this kind of malware, even though I'm way behind on the most sophisticated math examples presented in it :)
@Woody: "External drives are probably the answer these days, but that's cumbersome.
Unfortunately, unless it's easy, and cost effective, constant backups are just difficult, and expensive."
I use a Maxtor "One Touch" USB drive. I'm sure other manufacturers make similar equipment.
You can easily swap drives for an off-site rotation, if so inclined, and the drives are reasonably priced (well under a buck per Gig). But even the lazy-ass home-user approach works pretty well: Just leave the thing plugged into one of your USB ports, but turned off (a nice rocker switch on the case). To take a backup, turn it on, and press the button on the front of the case. This causes the driver to start the backup software (Retrospect, with the Maxtor). In my case, at least, I can generally continue using the computer while the backup is being taken.
I have had occasion to do restores from these backups - it is surprisingly painless to selectively restore just a few files, or a directory structure. I haven't tried a full restore, however.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.