New Ransomware Making the Rounds
Jun 9, 2008 8:34 AM PT
IT security provider Kaspersky Lab has issued a security alert following the detection of a particularly malicious piece of "ransomware." Kaspersky researchers were the first to detect and issue warnings that a new, stronger version of the Gpcode virus was on the loose.
Even though it doesn't appear to have spread widely -- to date at least -- the new Gpcode variant poses a particularly nasty threat. If downloaded, the virus -- Virus.Win32.Gpcode.ak -- employs RSA 1,024-bit encryption to lock users out of just about every common data file format found on their PCs, including .doc, .txt, .pdf, .xls, .png and .jpg. A ransom note is then generated, instructing the victim to fork over funds for a decryption key.
Kaspersky is urging Net users to take extra precautions, make sure they are running the latest versions of anti-malware solutions and back up their data regularly, making sure to disconnect storage devices as soon as the back-up process is completed to avoid infection. If infected, do not power down or restart your PC, the company advises.
Kaspersky also urges victims not to succumb to the ransom threat and instead report details of infection to their security providers, Kaspersky and law enforcement authorities.
Second Time 'Round
"So far, the amount of infected computers is not so high, but the difference in this case is that Gpcode encrypts all your files; that's why we're making such a strong point of getting the message out ... to individuals and in corporate environments," Roel Schouwenberg, Kaspersky Lab's senior virus researcher, told TechNewsWorld.
Kaspersky virus researchers were able to exploit implementation errors and crack the virus's encryption key when they detected the original 660-bit version of Gpcode a few years ago, which enabled the company to restore access to end users' files and data.
"We first saw a Gpcode variant about three-and-a-half years ago, but [the author] was using much weaker encryption algorithms and we were able to break the encryption key code so that our end users were able to restore their files," Schouwenberg recounted.
That hasn't been the case this time around. Kaspersky researchers have as yet been unable to crack the new version's encryption key, though efforts are ongoing. Hence, the only way to decrypt the files is to use the private key, which Gpcode's author offers to provide in exchange for a ransom payment.
Kaspersky estimates that cracking the new Gpcode variant's encryption key would require some 15 million modern PCs (with 2-3 GHz processing speeds) running in parallel for a year. "It seems he has learned from his mistakes and created a much better method," Schouwenberg commented.
The Cyber-Criminal Mind
Ransomware is increasingly showing up on Kaspersky's and other IT security specialists' radar screens. "We have seen other, similar [instances of] ransomware over the last year or two; we have even seen it on smartphones. There was a Trojan in China encrypting smartphone files. There are more people (i.e. cyber-criminals) looking into this area," Schouwenberg said.
According to Schouwenberg, it appears that Gpcode's author wanted to attract as little attention as possible to his latest creation, at least at this stage; in that he is failing.
One way the author is seeking to minimize the attention Gpcode attracts is by blackmailing victims for small amounts, like US$50. Someone contacting authorities regarding a cyber-crime involving such a small sum isn't likely to receive much attention from law enforcement authorities, Schouwenberg noted.
Cyber-criminals' choice of encryption algorithm can make prevention that much harder, as well. "In this case, the Gpcode author is using RSA encryption, but others are using other key encryptors, which can make things more difficult. There are so many encryption algorithms out there on the Web -- you can just get the code and try to implement it."
Possible Virus Vectors
Though there is no real way of knowing, based on the evidence that Kaspersky has gathered to date, Schouwenberg guesstimates there may only be a few hundred computers out there infected with the new Gpcode variant. There have been no reports of infection from large organizations or of very valuable data sources. That's not to say there won't be follow-on efforts to compromise them, however.
There are a number of possible pathways Gpcode's author -- as well as other cyber-criminals -- might pursue if they find initial efforts to distribute the new variant have been successful.
"If the author thinks the attack has been successful, he may well try to infect more machines," Schouwenberg said. Alternatively, he may "decide to sell the creation, making it much easier for other bad guys to obtain this knowledge.
"We strongly urge victims to refuse blackmail, which would encourage him," he added. Moreover, there's no guarantee the author will give you a decryptor. "This person is a cyber-criminal, so why would anyone trust him to decrypt the files?"
Detection to Prevention
Detection is the first and key element and a prerequisite for prevention. Even though efforts to crack the latest version of Gpcode's encryption key have thus far proved unsuccessful, Internet users can and should take steps to avoid infection.
"We can detect it, and we have shared this internationally so that [system administrators and e-mail service providers] can also protect their users, but the most reliable method is creating back-ups of external media, which of course should be disconnected after the back-up procedure. If you leave the external hard drive running, Gpcode will infect the external hard drive and equipment. It's just good back-up practice in any case," Schouwenberg advised.
"Just like any antivirus company, if we can detect it and distribute that [capability] to customers, they can quarantine and eliminate it, but for people that have got hit -- for earlier victims we could exploit a mistake in encryption; we managed to break a 660-bit RSA encryption key. If the implementation is truly correct [this time], then the only way is to devote massive computing resources to it," he said.
What to Do If Infected
As Kaspersky goes on to explain, "After Gpcode.ak encrypts files on the victim machine, it adds '._CRYPT' to the extension of the encrypted files and places a text file named '!_READ_ME_!.txt' in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a 'decryptor.'"
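The two indicators in that description, the '._CRYPT' suffix appended to each encrypted file and the '!_READ_ME_!.txt' note dropped beside them, are enough for an administrator to sweep a file share and find out which folders were touched before deciding what to restore from backup. The script below is an added example written for this article, not Kaspersky's detection logic or any tool the company distributes; it walks a directory tree, collects both indicators, and reports the affected folders. The sample tree it builds in a temporary directory is constructed test data (file names and contents invented here) so the scan runs offline.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the Kaspersky description quoted in the article.
ENCRYPTED_SUFFIX = "._CRYPT"
RANSOM_NOTE_NAME = "!_READ_ME_!.txt"


def scan_for_gpcode(root):
    """Walk `root` and collect Gpcode.ak-style indicators.

    Returns a dict with sorted lists of encrypted-file paths and ransom-note
    paths (POSIX-style, relative to root) plus the folders holding either.
    """
    root = Path(root)
    encrypted, notes, affected = [], [], set()
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        for name in filenames:
            rel_file = (Path(dirpath) / name).relative_to(root).as_posix()
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(rel_file)
                affected.add(rel_dir)
            elif name == RANSOM_NOTE_NAME:
                notes.append(rel_file)
                affected.add(rel_dir)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "affected_dirs": sorted(affected),
    }


def original_name(encrypted_name):
    """Recover the pre-infection name: 'budget.xls._CRYPT' -> 'budget.xls'.

    Useful when matching encrypted files against a backup catalogue.
    """
    name = str(encrypted_name)
    if name.endswith(ENCRYPTED_SUFFIX):
        return name[: -len(ENCRYPTED_SUFFIX)]
    return name


def build_sample_tree():
    """Create a constructed directory tree that mimics a hit file share.

    Synthetic data for the demonstration, not a real malware sample; the
    'ciphertext' is just placeholder bytes. Returns the temporary root path.
    """
    root = Path(tempfile.mkdtemp(prefix="gpcode_demo_"))
    docs, photos, clean = root / "Documents", root / "Pictures", root / "Clean"
    for folder in (docs, photos, clean):
        folder.mkdir()
    placeholder = b"\x00opaque ciphertext\x00"
    note_text = "Your files are encrypted. Buy the decryptor.\n"  # constructed
    (docs / "budget.xls._CRYPT").write_bytes(placeholder)
    (docs / "letter.doc._CRYPT").write_bytes(placeholder)
    (docs / RANSOM_NOTE_NAME).write_text(note_text)
    (photos / "holiday.jpg._CRYPT").write_bytes(placeholder)
    (photos / RANSOM_NOTE_NAME).write_text(note_text)
    (clean / "notes.txt").write_text("untouched\n")  # should not be flagged
    return root


if __name__ == "__main__":
    report = scan_for_gpcode(build_sample_tree())
    for path in report["encrypted_files"]:
        print(f"{path}  (was {original_name(Path(path).name)})")
    print("ransom notes:", report["ransom_notes"])
    print("affected folders:", report["affected_dirs"])
```

Run it against a real share by passing the mount point to `scan_for_gpcode` instead of the sample tree; the `affected_dirs` list tells you which folders to restore, and `original_name` maps each encrypted file back to the name you would look for in the backup set. The scan only reads file names, so it is safe to run while the machine is left powered on, as the article advises.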
Kaspersky is offering to help victims trying to recover their data. If infected, Kaspersky urges victims to e-mail the labs at firstname.lastname@example.org and include the following information in the e-mail:
- Date and time of infection,
- Everything done on the computer in the five minutes before the machine was infected, including programs executed and Web sites visited.