On December 1989, several thousand diskettes labeled “AIDS Information – Introductory Diskette Version 2.0” were delivered to users around Europe luring the users to install a software that contained information about AIDS/HIV claimed to come from PC Cyborg Corporation. After installing the software the trojan horse would start encrypting sections of the hard drive using substitution ciphers. Following a reboot a message would be shown to the user that the software license had expired and the user would need to send 189$ to a post box in Panama to get his files back. This was the first extortion based attack relying on cryptography. Not long after a decryption routine was made available to help users get their files back. This was possible because the trojan horse relied on weak symmetric encryption [1].
Malicious cryptography evolved and back in 1996, Adam Young and Moti Yung published a paper on the 17th IEEE Symposium named Cryptovirology: Extorsion based security threats and countermeasures. A influential paper that presented the idea of cryptovirology and demonstrated the offensive side of cryptography using asymmetric encryption. One of the offensive method described in the paper consists of an extortion based attack that will result in loss of access to information. This is accomplished by the cryptovirus: A cryptovirus (cryptotrojan) is a computer virus (Trojan horse) that uses a public key generated by the author to encrypt data that resides on the host system, in such a way that can only be recovered by the author of the virus (assuming no fresh backup exists). Years after, the security industry started to see more of this type of extortion based attacks such as the GpCode trojan initially seen in 2004 by security software company Kaspersky. Some variants claimed to be using strong asymmetric algorithms such as RSA but they used weak algorithms allowing researchers to retrieve the users files. Michael Ligh had a nice write up on one of these variants here and more recently the security researcher XyliBox also dissected one of these samples.
Last year and this year the security industry saw a uptick in malware connoted as ransomware such as variants of Cryptolocker, CryptoDefense and Cryptowall. Dell SecureWorks Counter Threat Unit have great write up here and here about these threats. These extortion based attacks gained popularity due to its spread using effective phishing campaigns – check Brian Krebs on Operation Torvar – and new techniques relying on strong encryption to make your most important files useless. New variants of ransomware even take advantage of asymmetric cryptographic protocol ECDH – Elliptic curve Diffie–Hellman. Essentially the files are encrypted with a symmetric key and this key is then encrypted with a public key which can only be decrypted by a private key belonging to the attacker. To get this key the users are persuaded to pay a bounty using virtual currencies such as Bitcoin. The security company Bromium recently published an interesting analysis report about the crypto malware families seen in the past 18 months.
What can you do? The most effective defense against these type of threats is to have proper backups. This type of malware has the capability to encrypt any attached storage such as USB drives or network drives – make sure you do your backups and keep that external drive disconnected. You back up your data once a day, right? at least weekly? maybe monthly? For enterprises the tools and processes used to backup and restore information in a timely manner need to be in place. Please note that Windows has a feature called Volume Shadow Copy that allows you to restore files to their previous state however the newer variants of this malware delete shadow copies and disable the service prior to encrypting the files.
Other things can be done, like educating users to not open attachments or links in emails from unknown senders and be suspicious about unexpected attachments and links from known senders. Also make sure to keep your software updated. Other techniques might include hardening your system using Microsoft AppLocker to introduce software whiltelisting.
[1] Szor, Peter (2004) The Art of Computer Virus Research and Defense. Addison-Wesley
Count Upon Security 