Ransomware: Malware Armageddon approaches

Some day soon, you may go in and turn on your Windows PC and find your most valuable files locked up tighter than Fort Knox.

You'll also see this message appear on your screen:

"Your files are encrypted with RSA-1024 algorithm.

To recovery your files you need to buy our decryptor.

To buy decrypting tool contact us at: ********@yahoo.com"

That's right, ransomware is back and it promises to be nastier than ever.

This newest way of holding your PC at hostage was discovered by anti-virus and malware company Kaspersky Lab. This new piece of malware crap is the latest variant of the venerable Windows-based encryptor virus Gpcode.

The first time around Gpcode wasn't that big a deal because it wasn't that hard to crack its encryption. This time around, a few days after the malware appeared on Kaspersky's radar, Kaspersky has been forced to look for help in busting the encrypted files.

The best part? This latest malware's private security key is created by Windows' own built-in cryptographic component, Microsoft Enhanced Cryptographic Provider. Kaspersky has the public key, but like any public/private key cryptographic method you must have its associated private key to unlock the encrypted files.

It's moments like this that make me glad I abandoned Windows for desktop Linux years ago.

So, if your files are snatched and held for ransom by Virus.Win32.Gpcode.ak, you'd better have an uncontaminated backup, or you're not getting your information back anytime soon. How long? One Kaspersky analyst estimated it would take about 15-million modern PC years to crack one (1) private key if the malware author has done his job right.

Some people have claimed that this is just a stunt by Kaspersky to get press. Roel Schouwenberg, the senior antivirus researcher for Kaspersky told me, "This is not a stunt, but a very serious threat. Some people have seen our call for help as an attempt to try and break a 1024-bit RSA key, but this is not the case. Trying to break a 1024-bit RSA key is a rather futile attempt."

But, "As we believe that we're dealing with the same author from previous versions we're looking for implementation errors in the crypto code. Implementation errors have enabled us to crack the code of the previous gpcode variants. The variant before this one actually used a 660-bit RSA key. [So, we're] asking the crypto community to help us we may find an implementation error and be able to recover user files once again. it's definitely worth the shot."

I then asked, "OK, let's say he got it right -- if he hasn't someone will get it right eventually -- then what?"

Roel replied, "Well, if someone gets it right then there's nothing we can do. Then we can only advise people to pay more attention to creating back ups."

Oh boy.

Here's how I see it, if someone actually manages to pull this up and put it into circulation, we're looking at malware Armegeddon. Instead of losing 'just' your credit card numbers or having your PC turned into a spam factory, you could lose vital files forever.

Of course, you could keep current back-ups. I do, but I've been around this track way too many times to think that many companies, much less individual users, actually keep real back-ups. Oh, you may think you do, but when was the last time you checked to see if the data you saved could actually be restored?

Your other choice will be to pay off the guy who stole your data. While uncommon, ransomware is ancient history. People have been trying it since at least 1989. The difference this time is some people may actually end up having to pay up.

If that happens, PC security is going to go from something that gets a lot of lip service, but not a lot of effort to being essential. No one, no company, can afford to have their information imprisoned for ransom.

RSS feed icon

Like this stuff? Subscribe to the RSS feed.

Join the discussion
Be the first to comment on this article. Our Commenting Policies