In the future, hackers may make ransomware so complex that it is beyond the decryption capabilities of the anti-virus industry, according to a new report from Kaspersky Lab.
The report, Malware Evolution: April-June 2006, Hidden Wars, warns that authors of ransomware are pushing the boundaries of modern cryptography by using ever-more sophisticated encryption algorithms.
Ransomware involves the use of malicious code to hijack user files, encrypt them and then demand payment in exchange for the decryption key.
The first piece of ransomware to use a sophisticated encryption algorithm, Gpcode.ac, was detected in January 2006 and used the RSA algorithm to create a 56-bit key. Since then, the author of Gpcode has released several increasingly complex variants of the virus and in June released Gpcode.ag, which used a 660-bit key.
"We were able to decrypt 330- and 660-bit keys within a reasonably short space of time, but a new variant, with a longer key, could appear at any time. If RSA, or any other similar algorithm which uses a public key, were to be used in a new virus, anti-virus companies might find themselves powerless, even if maximum computing power were applied to decrypting the key," warns Aleks Gostev, senior virus analyst, Kaspersky Lab.
"Unfortunately, the authors behind the Gpcode, Cryzip, and Krotten ransomware have still not been apprehended. However, even if they are arrested, there's nothing to prevent other malicious users from implementing such techniques in order to make money," says Gostev. "In the meantime, anti-virus companies have to continue working on proactive protection which will make it impossible for malicious users to encrypt or archive users' data."
Kaspersky Lab advises that all documents, data and email databases are backed up on a regular basis.
[Do follow the links below - extremely interesting reading! This type of thing is best countered by a good back-up strategy. It is not sufficient to have one back-up of sensitive files and then overwrite it, because you easily risk backing up the encrypted files, thus destroying the original ones. You should circulate back-up media so that you have at least three sets of back-ups before you overwrite the oldest set - and store e.g. one set weekly for one month. If you use incremental back-ups then make sure your program still works that way when a file is replaced completely.
Incidentally, this type of blackmail is less viable in the more heavily regulated Western countries because concealing the payments would be harder, and would in fact require a good level of knowledge about how the financial systems work. --Ed].
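A defensive counterpart to the editor's rotation advice, added here as example code (not from the article, from Kaspersky Lab or from the editor): it keeps three backup generations and refuses a snapshot whose files have jumped from document-like to ciphertext-like byte entropy, so encrypted copies never overwrite the last good set. The entropy threshold, the minimum file size and the sample file contents are assumptions.

```python
import math
import random
from collections import Counter

KEEP = 3  # generations held before the oldest set is overwritten (the note's "three sets")

# Constructed samples: a plain-text document and pseudorandom bytes standing in for
# a file that ransomware has encrypted (real ciphertext is statistically similar).
GOOD_DOC = b"Quarterly figures: revenue up 4%, costs flat, headcount 212.\n" * 40
_rng = random.Random(7)
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, typically 4-5 for text, 0 for one repeated byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic only (threshold is an assumption): compressed archives and images also
    score high, so a file is compared with its own previous copy, not judged alone."""
    return len(data) >= 512 and shannon_entropy(data) > threshold


def rotate(generations, snapshot, keep=KEEP):
    """Append `snapshot` as the newest backup set, keeping at most `keep` sets.

    A file that was low-entropy in the newest retained set but is high-entropy now has
    most likely been encrypted on the host; the snapshot is then refused so that it never
    displaces the oldest good set. Returns (generations, refused_file_names).
    """
    latest = generations[-1] if generations else {}
    refused = sorted(name for name, data in snapshot.items()
                     if name in latest and looks_encrypted(data)
                     and not looks_encrypted(latest[name]))
    if refused:
        return generations, refused
    return (generations + [snapshot])[-keep:], []


if __name__ == "__main__":
    sets = []
    for _ in range(4):  # four good runs: the oldest set is dropped once three are held
        sets, _refused = rotate(sets, {"report.txt": GOOD_DOC})
    sets, refused = rotate(sets, {"report.txt": CIPHERTEXT})
    print(len(sets), "good sets retained; refused:", refused)
```

Files that are new in a snapshot have no earlier copy to compare against, so an operator still needs to review a refusal before deciding whether to rotate by hand.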
Related links:
www.viruslist.com/analysis?pubid=191951869
www.viruslist.com/en/analysis?pubid=189678219