Comments

Marcos El Malo • May 28, 2015 4:41 PM

But of course!

Classic Internet.

@p2p

"ExtortionStarter" just doesn't have the same ring to it. RansomGoGo is even worse.

SeriousQuestion • May 28, 2015 5:22 PM

Is it possible to have undecryptable encryption?
A one-time encryption that can't be reversed?

Marcos El Malo • May 28, 2015 5:38 PM

@SeriousQuestion

This is a zen question. If it is impossible to decrypt, then no one can read it. Presumably you want to communicate information to someone, or be reminded later, at which point the information will be decrypted.

By the way, you might want to save your other serious off topic questions for Friday's open thread. Look for the squid.

NoseGoes • May 28, 2015 9:29 PM

@SeriousQuestion

Encrypted data that can't be decrypted is essentially destroyed data. So yes, a one time encryption that can't be reversed does exist, but it's called "data destruction."

Clive Robinson • May 29, 2015 1:29 AM

@ SeriousQuestion,

Is it possible to have undecryptable encryption?

Yes, quite easily: use a One Time Pad and then throw away the Pad. You can easily prove that all the information is still there, BUT is unreachable because all messages of equal length are equiprobable.

Which gives rise to a question in return which is "Why would you wish to do it?", I can think of a few but it would be interesting to know why you thought about it?

Winter • May 29, 2015 3:23 AM

@Clive Robinson
"You can easily prove that all the information is still there, BUT is unreachable because all messages of equal length are equiprobable."

That also makes for great "Plausible Deniability".

When creating an OTP encryption, XOR the crypttext with some plausible data that you do not care much about. That becomes the "alternative" OTP key you will make "discoverable" when the police (or "competitors") come knocking down your door.
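The scheme Clive Robinson and Winter describe above, as an added example in Go. This is the editor's illustration, not code from either commenter; the message, the decoy and the function names are constructed for the demo. The constraint the comments pass over is that the decoy must be exactly the length of the real message, and the "alternative key" is only deniable if the real pad is genuinely destroyed, because holding both pads proves which one is the fake.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

// xorBytes returns a XOR b; both slices must be the same length.
func xorBytes(a, b []byte) []byte {
	if len(a) != len(b) {
		panic("xorBytes: length mismatch")
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// NewPad draws n bytes from the OS CSPRNG. The pad is only "one time" if it is
// never used for a second message.
func NewPad(n int) ([]byte, error) {
	pad := make([]byte, n)
	if _, err := rand.Read(pad); err != nil {
		return nil, err
	}
	return pad, nil
}

// OTP encryption and decryption are the same operation: XOR with the pad.
func OTP(message, pad []byte) []byte { return xorBytes(message, pad) }

// FakePad computes the pad that "decrypts" ciphertext to decoy. Every plaintext
// of the same length is reachable from the same ciphertext, so to anyone who
// holds only the ciphertext this pad is as good as the real one.
func FakePad(ciphertext, decoy []byte) []byte { return xorBytes(ciphertext, decoy) }

// Demo encrypts message, derives the deniable pad for decoy, then burns the
// real pad. It returns what each pad recovers from the single ciphertext.
func Demo(message, decoy string) (string, string, error) {
	if len(message) != len(decoy) {
		return "", "", fmt.Errorf("decoy must be %d bytes to match the message, got %d", len(message), len(decoy))
	}
	pad, err := NewPad(len(message))
	if err != nil {
		return "", "", err
	}
	ct := OTP([]byte(message), pad)
	fake := FakePad(ct, []byte(decoy))
	realPlain := string(OTP(ct, pad))
	// Throw the real pad away: from here on only ct and fake exist, and ct on
	// its own is consistent with every possible plaintext of this length.
	for i := range pad {
		pad[i] = 0
	}
	fakePlain := string(OTP(ct, fake))
	return realPlain, fakePlain, nil
}

func main() {
	got, decoy, err := Demo("attack at dawn", "lunch at noon!")
	if err != nil {
		panic(err)
	}
	fmt.Printf("real pad -> %q\nfake pad -> %q\n", got, decoy)
}
```

The length check is the part people get wrong in practice: a decoy shorter than the message leaves a tail of ciphertext that no discoverable pad explains.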

David • May 29, 2015 3:30 AM

The really scary thing about this is that, whilst the usual actors in the ransomware space have a commercial interest in providing the decryption service, many of the people who could use this service will be just malicious and will have no interest in, or will be incapable of providing, the data restore aspect.

Will • May 29, 2015 5:05 AM

Presumably the system takes a cut of the proceeds? So free to sign up, but with a service charge thing.

Zenzero • May 29, 2015 5:55 AM

@ Will

Exactly, he takes a 30% cut out of whatever you select the ransom to be (in BTC). McAfee was in error stating a 20% fee.

“The most important part: the bitcoin paid by the victim will be credited to your account. We will just keep a 30% fee of the income, so if you specify a 100$ ransom, you will get 70$ and we’ll get 30$, isn’t this fair?”

They've also set up a Twitter account now, thanking McAfee for the free advertisement...

irungentoo • May 29, 2015 10:18 AM

For a minute, I thought he meant my messenger program.
Was about to go off for a bit there.

albert • May 29, 2015 10:42 AM

I wonder if it's possible to put this guy out of business? He obviously thinks he's more clever than anyone else. What he's doing is clearly illegal.
.
...

Anonie • May 30, 2015 8:26 AM

I'm wondering how this will interact with "insider" tech workers being laid off for H1-B visa folks. The old guys being fired may take a payday. Or the new guys, knowing they'll be replaced in just a year or two, and returned to their country of origin outside of U.S. jurisdiction, and that the old recently-fired guys will get the blame...

It's wrong and immoral and all that. But the personnel interactions and consequences of unethical business behavior are just fascinating.

PEtr • June 2, 2015 9:21 AM

@SeriousQuestion

The encryption in question is completely reversible (i.e. decryptable), by the ransomware's shady operator only, however. The ransomware encrypts the user's data with a symmetric cipher and then seals the symmetric key using the operator's public key. Only the operator's asymmetric key decrypts the key.
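The hybrid construction PEtr describes, as an added example using only Go's standard library. This is the editor's code, not the commenter's and not taken from any ransomware; Envelope, Seal, Unseal and NewOperatorKey are names chosen here. It is the ordinary envelope-encryption pattern that a backup tool with a recovery key also uses. The point it makes concrete is why the victim's disk holds nothing useful: the AES data key exists only wrapped under the operator's RSA public key, and OAEP decryption with any other private key fails outright rather than yielding a wrong-but-plausible key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what is left on the victim's disk: the bulk data under a fresh
// AES-256-GCM key, and that key wrapped to the operator's RSA public key.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// NewOperatorKey generates the operator's key pair. Only the public half is
// ever shipped inside the malware; the private half never leaves the operator.
func NewOperatorKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// Seal encrypts plaintext under a one-off data key and wraps that key with
// RSA-OAEP, so the only surviving copy of the data key is the wrapped one.
func Seal(plaintext []byte, operatorPub *rsa.PublicKey) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, operatorPub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	env := &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}
	// Scrub the plaintext data key from memory; the AES key schedule above
	// already holds its own copy and goes out of scope with this function.
	for i := range dataKey {
		dataKey[i] = 0
	}
	return env, nil
}

// Unseal is the operator-side step the victim is paying for.
func Unseal(env *Envelope, operatorPriv *rsa.PrivateKey) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, operatorPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: this is not the operator's private key")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	operator, err := NewOperatorKey(2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample document for the demo.
	env, err := Seal([]byte("Q3 forecast spreadsheet"), &operator.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	pt, err := Unseal(env, operator)
	if err != nil {
		panic(err)
	}
	fmt.Printf("operator recovers: %q\n", pt)
	stranger, _ := NewOperatorKey(2048)
	_, err = Unseal(env, stranger)
	fmt.Println("anyone else gets:", err)
}
```

Defensively, the only lever left to the victim is that the data key has to exist in clear in process memory for the duration of the bulk encryption; that window, not the ciphertext, is what memory forensics on a live infected host goes after.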

Steve • June 4, 2015 5:36 AM

It's a predictable, but disturbing development to add to the nuisance of Cryptolocker, CTB Locker, Alpha Crypt et al.

Commercial AV and regular patching won't keep this stuff out. Attackers are more agile than corporates can be. So preparation is key. You need to ensure you have an offline backup, detect attacks quickly and have real-time CSIR.

Clive Robinson • June 4, 2015 6:47 AM

@ Steve,

"You need to ensure you have an offline backup, detect attacks quickly and have real-time CSIR."

I thought about what we now call ransomware a couple of decades ago, and the current methods we are seeing are what you might call stage 1 of the possibilities.

The trick is to not make a quick attack, because the damage would be minimal to the victim and they might just say 5cr3w it and wipe and start again rather than pay the ransom.

As I've indicated on this blog before, if you want maximum effect you need to be in for quite a while doing the damage, such that the pain threshold is so high the victim will do as they are told.

Thus "backup systems" are the target to get APT on. Due to the failings of humans in corporates, backups tend to be centrally managed; thus the backup system is visible to all connected computers, and available to be attacked.

Due to the same human failings backups are rarely tested, and even then often they are not tested properly. So getting appropriate malware on the backup system has a low probability of being detected, because people don't "test the tapes" on independent systems... Thus if your malware transparently encrypts the backup tapes, putting the tape in the infected machine to check it is not going to show the tape is encrypted.

The malware could also find out what the backup max cycle time is, thus it waits for a period longer than that before infecting and encrypting all the client machines then throwing the encryption keys away.

At various times employers have wondered why I made it a condition that I kept independent backups before developing code and hardware for them. I explained that I'd seen two companies get into real trouble because of poor backups: one had gone to the wall, whilst another only survived because the disks I kept in my drawer had enabled them to pull back six months of work on the then current projects I was managing. Subsequently my policy has saved another company's engineering projects because, although they had backups, they were not tested, and whilst admin and other more static systems got backed up, the engineering systems that changed faster than projects were not, and it was these high-end systems the thieves had targeted...

Then there are insider attacks; it's not hard to find on the internet examples of employees putting in "dead man's" switches and the like. One that comes to mind was the employee who made an entire US region's medicines issuing database unavailable.

The problem with backups is not just knowing how they could be got at but actively finding ways to test them in a reliable way, and that is both difficult and a thankless task. So usually backups get given as almost a punishment task to a junior IT person, who will see no funding to improve it and no help, encouragement or employment credit / increment from doing so.

Not all organisations are like this; those with fiduciary and legal liability tend to take things more seriously. But even then you will find organisations "doing it to audit" for the likes of cost offsetting / externalisation via insurance...

So I foresee plenty of mileage yet in ransomware, and it will move from pennies and dimes on personal users to king's ransoms larger than some third world countries' GDP when larger corporates get hit. It's one of the reasons why I don't think the SPE hacking was really anything other than a bunch of insiders out for revenge via embarrassment rather than extortion.
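Clive Robinson's point about "testing the tapes" on an independent system, as an added example in Go. This is the editor's code, not the commenter's; the file contents, names and thresholds are constructed for the demo. The design follows from his argument: a hash manifest is taken at backup time and kept somewhere the backup host cannot write (assumption: an offline or out-of-band copy), and VerifyRestore runs on a clean machine over the restored files, so malware that transparently encrypts the tape cannot also lie about the check. The entropy figure is only a hint attached to files whose hash has already failed, since compressed archives also score close to 8 bits per byte.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math"
	"sort"
)

// Finding is one problem found while checking a restored backup.
type Finding struct {
	Name    string
	Problem string
}

const (
	ProblemMissing   = "missing from restore"
	ProblemMismatch  = "hash mismatch"
	ProblemEncrypted = "hash mismatch, contents look encrypted"
)

// Ciphertext and CSPRNG output sit near 8 bits/byte; source code and documents
// sit far lower. Compressed archives also score high, which is why the hash
// comparison, not the entropy, is the primary signal.
const encryptedThreshold = 7.5

func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Entropy returns the Shannon entropy of data in bits per byte.
func Entropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	var h float64
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ManifestFor runs at backup time; store the result off the backup system.
func ManifestFor(files map[string][]byte) map[string]string {
	m := make(map[string]string, len(files))
	for name, data := range files {
		m[name] = Sha256Hex(data)
	}
	return m
}

// VerifyRestore runs on an independent, known-clean machine against the files
// restored from the tape, and reports every manifest entry that does not match.
func VerifyRestore(manifest map[string]string, restored map[string][]byte) []Finding {
	names := make([]string, 0, len(manifest))
	for name := range manifest {
		names = append(names, name)
	}
	sort.Strings(names)
	var findings []Finding
	for _, name := range names {
		data, ok := restored[name]
		if !ok {
			findings = append(findings, Finding{Name: name, Problem: ProblemMissing})
			continue
		}
		if Sha256Hex(data) == manifest[name] {
			continue
		}
		problem := ProblemMismatch
		if Entropy(data) > encryptedThreshold {
			problem = ProblemEncrypted
		}
		findings = append(findings, Finding{Name: name, Problem: problem})
	}
	return findings
}

// PseudoRandom builds a deterministic high-entropy blob, standing in for a tape
// block that was transparently encrypted, by chaining SHA-256 over a counter.
func PseudoRandom(n int) []byte {
	out := make([]byte, 0, n+32)
	var ctr [8]byte
	for i := uint64(0); len(out) < n; i++ {
		binary.BigEndian.PutUint64(ctr[:], i)
		sum := sha256.Sum256(ctr[:])
		out = append(out, sum[:]...)
	}
	return out[:n]
}

func main() {
	// Constructed sample: one engineering source file as it was at backup time.
	good := map[string][]byte{"cpu_core.v": []byte("module cpu_core(input clk, input rst);\nendmodule\n")}
	manifest := ManifestFor(good)
	fmt.Println("clean restore:", VerifyRestore(manifest, good))
	fmt.Println("encrypted tape:", VerifyRestore(manifest, map[string][]byte{"cpu_core.v": PseudoRandom(4096)}))
}
```

Checking a sample of files is not enough on its own: the malware he describes waits out the full backup cycle, so the manifest has to cover every generation you intend to restore from, not just the latest.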

SYNERGYUSALLC • October 25, 2016 8:08 AM

Out of necessity to cover our own needs and protect our clients we created an application called RansomSaver, it is an Outlook add-in and basically what it does is moves new incoming infected email to a folder under the deleted items called RansomSaver. We provide this software for free and with no strings attached.

To download or see further information regarding RansomSaver please visit http://synergy-usa-llc.com/ransomsaver-overview.html

r • October 26, 2016 12:09 AM

@Synergyusallc,

You do know, that if you don't actually have an LLC you are committing in this case what is likely a federal felony right?

So, not only are you likely pushing something that is being false-advertised as "all" "only" or "just" by stating "what it does".

No strings, but it does likely come with a pretty thick slime trail.
