Holding Computer Files Hostage
I don't know how the attackers did it, but below is probably the best way. A worm could be programmed to do it.
1. Break into a computer.
2. Generate a random 256-bit file-encryption key.
3. Encrypt the file-encryption key with a common RSA public key.
4. Encrypt data files with the file-encryption key.
5. Wipe data files and file-encryption key.
6. Wipe all free space on the drive.
7. Output a file containing the RSA-encrypted file-encryption key.
8. Demand ransom.
9. Receive ransom.
10. Receive encrypted file-encryption key.
11. Decrypt it and send it back.
In any situation like this, step 9 is the hardest. It's where you're most likely to get caught. I don't know much about anonymous money transfer, but I don't think Swiss bank accounts have the anonymity they used to.
You also might have to prove that you can decrypt the data, so an easy modification is to encrypt a piece of the data with another file-encryption key so you can prove to the victim that you have the RSA private key.
Internet attacks have changed over the last couple of years. They're no longer about hackers. They're about criminals. And we should expect to see more of this sort of thing in the future.
Posted on May 30, 2005 at 8:18 AM • 28 Comments