Malware that encrypts data and demands payment to make it readable again is often called "ransomware". The first widespread ransomware was the so-called "AIDS" Trojan which was distributed by floppy disk in 1989, but it was 1996 before Young and Yung released the first comprehensive study of cryptovirology, the study of crypto-enabled malware which covered ransomware.
The pace of ransomware attacks accelerated in 2005 as new technology made it possible to realize larger profit margins. New attacks in July 2007 illustrate dangerous trends in technologies that enable cyber extortionists.
Ransoms are rising. In a 2005 incident, SecureWorks Senior Security Researcher Joe Stewart (working at that time for the pre-merger LURHQ) helped to reverse engineer the encryption algorithm and recover files held hostage for $200. In 2006, the Ransom.A Trojan was asking only $10.99 per infected computer; however, the attackers hoped to make this up in volume which failed to materialize. The latest threats demand ransoms of $300 and up.
Distribution is key. While last year's Ransom.A Trojan failed to find the distribution channel is needed to really take off, that's not the case with new threats. Mpack, a cross-browser exploitation framework, is being used to widely distribute new flavors of ransomware. New variants of the Prg Trojan installed by Mpack exploits have infected more than 150,000 users and stolen tens of millions of records. Starting in July, many of those victims have had files encrypted by the Trojan, which left behind a ransom note:
Hello, your files are encrypted with RSA-4096 algorithm
(http://en.wikipedia.com/wiki/RSA).
You will need at least few years to decrypt these files without our
software. All your private information for last 3 months were
collected and sent to us.
To decrypt your files your need to buy our software. The price is $300.
To buy our software please contact us at: [email protected] and provide us
your personal code 172265880. After successful purchase we will send
your decrypting tool, and your private information will be deleted
from our system
If you will not contact us until 07/15/2007 your private information
will be shared and you will lost all your data.
Glamorous team
Another new Trojan installed by some Mpack attackers archives the victim's data in RAR files and seals them with a password before uploading them to the attackers' servers.
These illustrate new factors that point to a rapidly growing trend in ransomware:
While cracking the actual algorithms used by the Prg 'Glamour' variants and the RAR format is possible, most end users don't have access to researchers skilled in reverse engineering and password recovery. Even that won't help if the data has really been scrambled using strong public-key encryption. At that point, victims may be forced to negotiate with these extortionists, but there's no guarantee they will deliver the data after the ransom has been paid. Chatter in the hacker underground indicates the incorporation of strong public-key encryption is already in progress.
Today, many large companies still do not back up the data on user's workstations. While many corporate users are urged to store documents on servers and shared drives, many still work from local disks targeted by this ransomware. Home users are even more at risk; nearly half report that they do not make back-ups at all.
With these types of attacks, prevention is paramount. Active tracking and analysis is key to spotting changes in attack methods that could leave one vulnerable. IPS can block the characteristic behavior of exploit frameworks like Mpack and the downloaders used to install the Trojans. Deployment and maintenance of IPS countermeasures on the network and at the host is the best way to prevent having one's data held hostage by this new ransomware.
The pace of ransomware attacks accelerated in 2005 as new technology made it possible to realize larger profit margins. New attacks in July 2007 illustrate dangerous trends in technologies that enable cyber extortionists.
Ransoms are rising. In a 2005 incident, SecureWorks Senior Security Researcher Joe Stewart (working at that time for the pre-merger LURHQ) helped to reverse engineer the encryption algorithm and recover files held hostage for $200. In 2006, the Ransom.A Trojan was asking only $10.99 per infected computer; however, the attackers hoped to make this up in volume which failed to materialize. The latest threats demand ransoms of $300 and up.
Distribution is key. While last year's Ransom.A Trojan failed to find the distribution channel is needed to really take off, that's not the case with new threats. Mpack, a cross-browser exploitation framework, is being used to widely distribute new flavors of ransomware. New variants of the Prg Trojan installed by Mpack exploits have infected more than 150,000 users and stolen tens of millions of records. Starting in July, many of those victims have had files encrypted by the Trojan, which left behind a ransom note:
Hello, your files are encrypted with RSA-4096 algorithm
(http://en.wikipedia.com/wiki/RSA).
You will need at least few years to decrypt these files without our
software. All your private information for last 3 months were
collected and sent to us.
To decrypt your files your need to buy our software. The price is $300.
To buy our software please contact us at: [email protected] and provide us
your personal code 172265880. After successful purchase we will send
your decrypting tool, and your private information will be deleted
from our system
If you will not contact us until 07/15/2007 your private information
will be shared and you will lost all your data.
Glamorous team
Another new Trojan installed by some Mpack attackers archives the victim's data in RAR files and seals them with a password before uploading them to the attackers' servers.
These illustrate new factors that point to a rapidly growing trend in ransomware:
- The success and extensibility of the Mpack kit ensures wide distribution
- Data-stealing Trojans are being retrofitted with ransomware features
- Using construction kits, attackers are able roll fresh, undetected Trojan variants at will.
While cracking the actual algorithms used by the Prg 'Glamour' variants and the RAR format is possible, most end users don't have access to researchers skilled in reverse engineering and password recovery. Even that won't help if the data has really been scrambled using strong public-key encryption. At that point, victims may be forced to negotiate with these extortionists, but there's no guarantee they will deliver the data after the ransom has been paid. Chatter in the hacker underground indicates the incorporation of strong public-key encryption is already in progress.
Today, many large companies still do not back up the data on user's workstations. While many corporate users are urged to store documents on servers and shared drives, many still work from local disks targeted by this ransomware. Home users are even more at risk; nearly half report that they do not make back-ups at all.
With these types of attacks, prevention is paramount. Active tracking and analysis is key to spotting changes in attack methods that could leave one vulnerable. IPS can block the characteristic behavior of exploit frameworks like Mpack and the downloaders used to install the Trojans. Deployment and maintenance of IPS countermeasures on the network and at the host is the best way to prevent having one's data held hostage by this new ransomware.