Cryptolocker: The evolution of extortion
Cryptolocker, the latest ransomware, may be newsworthy, but it's been hyped, too, says expert
Computerworld - The Cryptolocker Trojan is an evolution of "ransomware," not a revolutionary change from past criminal attempts to extort money from PC owners, a security expert said today.
And the recent media blitz about the ransomware has elements of exaggeration about it.
"There is a bit of hype," said John Shier, a senior security advisor for U.K.-based Sophos, in an interview today. "Actually, it's only the latest incarnation of ransomware."
Ransomware is a category of malware that, once on a system, encrypts files and then tries to convince users to pay to decrypt them so they can again be opened. The crimeware has been in active circulation since at least 2005, with traces harking back as far as 1989.
But reports of Cryptolocker, which first appeared earlier this year, have been more prominent and persistent than any of its predecessors.
Why is that?
"It's taken lessons [from those ancestors] of how to do things better," said Shier, who repeatedly argued that Cryptolocker was not revolutionary, but evolutionary in its tactics and techniques. "It's not the first to use a public key," Shier cited as an example. Public-key cryptography relies on a pair of digital keys: one public, which is stored on the victimized PC, and one private, which is not kept there. Instead, Cryptolocker ships that private key to the cyber-criminals, who hold it until payment is received.
Cryptolocker is newsworthy for several reasons, said Shier, who ticked off the near-impossibility of cracking the encryption; the fact that each compromised PC generates its own public-key pair, so acquiring one private key doesn't help others whose machines have been infected; the encryption of not only local files, but also those on accessible networks; targeting valuable user-made content, not the operating system; and its high ransom price, which can reach into four figures.
The Swansea, Mass. Police Department, for instance, paid $650 for a pair of Bitcoins to get its files back after a PC was infected with Cryptolocker, according to a report by the Herald News of Fall River, Mass. Both Swansea and Fall River are in southeast Massachusetts.
At Tuesday's exchange rate, the Swansea Police Department's two Bitcoins would cost more than $1,300.
Sophos, however, has seen very few Cryptolocker-infected PCs among those it protects. According to Shier, of the 16 million covered by Sophos' security software, it's counted fewer than 300 infections.
Shier offered a caveat, however. "It's not that big of a deal in businesses [which is Sophos' forte] because they have other defenses in place," he said, including robust spam filters, attachment blocking and multiple layers of security. "For consumers, it would be a little worse, I think, since many don't have those kinds of tools."
Shier sympathized with those whose files have been encrypted by Cryptolocker. Although he stuck to the universal advice of all security experts not to pay the ransom -- paying increases the criminals' return on investment and so encourages them to continue -- he said he understood why some may feel it's the only, or at least the least onerous, solution.
Sans backups, users facing Cryptolocker are essentially out of luck, he acknowledged. While the malware itself can be relatively easily scrubbed from the system, the already-encrypted files will remain encrypted.
One piece of advice, however, might help those who see the demand in the future. "Unplug the computer immediately," Shier said, pointing out that on a desktop PC, quick action may limit the damage because it takes time for the malware to encrypt every file it's targeted.
Sadly, Cryptolocker and its ilk won't go away until there's no profit to be made. "I don't see any evidence that [ransomware] won't continue," Shier said. "It's all about the monetization. As long as there's enough profit margin, they'll keep doing it."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed.