Cryptolocker: The evolution of extortion
Cryptolocker, the latest ransomware, may be newsworthy, but it's been hyped, too, says expert
Computerworld - The Cryptolocker Trojan is an evolution of "ransomware," not a revolutionary change from past criminal attempts to extort money from PC owners, a security expert said today.
And the recent media blitz about the ransomware has elements of exaggeration about it.
"There is a bit of hype," said John Shier, a senior security advisor for U.K.-based Sophos, in an interview today. "Actually, it's only the latest incarnation of ransomware."
Ransomware is a category of malware that, once on a system, encrypts files and then tries to convince users to pay to decrypt them so they can again be opened. The crimeware has been in active circulation since at least 2005, with traces harking back as far as 1989.
But reports of Cryptolocker, which first appeared earlier this year, have been more prominent and persistent than any of its predecessors.
Why is that?
"It's taken lessons [from those ancestors] of how to do things better," said Shier, who repeatedly argued that Cryptolocker was not revolutionary but evolutionary in its tactics and techniques. "It's not the first to use a public key," Shier cited as an example. Public-key cryptography relies on a pair of digital keys: a public key, which is stored on the victimized PC, and a private key, which is not. Instead, Cryptolocker ships the private key to the cyber-criminals, who hold it until payment is received.
Cryptolocker is newsworthy for several reasons, said Shier, who ticked off the near-impossibility of cracking the encryption; the fact that each compromised PC generates its own public-key pair, so acquiring one private key doesn't help others whose machines have been infected; the encryption of not only local files, but also those on accessible networks; targeting valuable user-made content, not the operating system; and its high ransom price, which can reach into four figures.
The Swansea, Mass. Police Department, for instance, paid $650 for a pair of Bitcoins to get its files back after a PC was infected with Cryptolocker, according to a report by the Herald News of Fall River, Mass. Both Swansea and Fall River are in southeast Massachusetts.
At Tuesday's exchange rate, the Swansea Police Department's two Bitcoins would cost more than $1,300.
Sophos, however, has seen very few Cryptolocker-infected PCs among those it protects. According to Shier, of the 16 million covered by Sophos' security software, it's counted fewer than 300 infections.
Shier offered a caveat, however. "It's not that big of a deal in businesses [which is Sophos' forte] because they have other defenses in place," he said, including robust spam filters, attachment blocking and multiple layers of security. "For consumers, it would be a little worse, I think, since many don't have those kinds of tools."
Shier sympathized with those whose files have been encrypted by Cryptolocker. Although he stuck to the universal advice of security experts not to pay the ransom -- paying increases the criminals' return on investment and so encourages them to continue -- he said he understood why some may feel it's the only, or at least the least onerous, solution.
Sans backups, users facing Cryptolocker are essentially out of luck, he acknowledged. While the malware itself can be relatively easily scrubbed from the system, the already-encrypted files will remain encrypted.
One piece of advice, however, might help those who encounter the ransom demand in the future. "Unplug the computer immediately," Shier said, pointing out that on a desktop PC, quick action may limit the damage because it takes time for the malware to encrypt every file it has targeted.
Sadly, Cryptolocker and its ilk won't go away until there's no profit to be made. "I don't see any evidence that [ransomware] won't continue," Shier said. "It's all about the monetization. As long as there's enough profit margin, they'll keep doing it."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed.