Ransomware (malware)
Ransomware is computer malware which holds a computer system, or the data it contains, hostage against its user by demanding a ransom for its restoration.
Operation
Ransomware typically propagates as a conventional computer worm, entering a system through, for example, a vulnerability in a network service or an e-mail attachment. It may then:
- Disable an essential system service or lock the display at system startup.
- Encrypt some of the user's personal files. Encrypting ransomware was originally referred to as cryptoviruses, cryptotrojans or cryptoworms.
In both cases, the malware may extort by:
- Prompting the user to enter a code obtainable only after wiring payment to the attacker or sending an SMS message and accruing a charge.
- Urging the user to buy a decryption or removal tool.
More sophisticated ransomware may hybrid-encrypt the victim's plaintext with a random symmetric key and a fixed public key. The malware author is the only party that knows the needed private decryption key. The author who carries out this cryptoviral extortion attack offers to recover the symmetric key for a fee.
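To make the scheme concrete, the following is an added toy model of the hybrid encryption just described; it is not code from the article and not taken from any real sample. A fresh random symmetric key encrypts the data, and only that key is wrapped under the fixed RSA public key, so nothing present on the infected machine (the public key, the envelope, the malware itself) suffices to recover the data; only the holder of the private exponent can. The RSA here is unpadded textbook RSA with 256-bit toy primes, and the symmetric cipher is a SHA-256 counter-mode keystream standing in for TEA; both are assumptions made for illustration, not secure constructions. The function names `generate_keypair`, `hybrid_encrypt`, `hybrid_decrypt` and `try_recover` are likewise my own.

```python
"""Toy model of hybrid (envelope) encryption as used in cryptoviral extortion.
Assumptions: textbook unpadded RSA with small toy primes, SHA-256 counter mode
in place of a real symmetric cipher. Illustration only, not a secure design."""
import hashlib
import os
import random
from math import gcd

SYM_KEY_BYTES = 32  # 256-bit symmetric key, always smaller than the 512-bit modulus


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test (toy key generation only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random prime of exactly `bits` bits (top and bottom bits forced on)."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Textbook RSA keypair. The public half (n, e) is what gets embedded in
    the malware; the private half (n, d) never exists on the victim's machine."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream(key, nonce, length):
    """SHA-256 in counter mode, standing in for a real symmetric cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def hybrid_encrypt(public_key, plaintext):
    """Encrypt with a fresh random symmetric key, then wrap that key under the
    fixed public key. Returns the envelope (wrapped_key, nonce, ciphertext);
    the raw symmetric key is not retained anywhere."""
    n, e = public_key
    sym_key = os.urandom(SYM_KEY_BYTES)
    nonce = os.urandom(16)
    ciphertext = _xor(plaintext, _keystream(sym_key, nonce, len(plaintext)))
    wrapped_key = pow(int.from_bytes(sym_key, "big"), e, n)  # unpadded RSA, toy only
    return wrapped_key, nonce, ciphertext


def hybrid_decrypt(private_key, wrapped_key, nonce, ciphertext):
    """Unwrap the symmetric key with the private exponent, then decrypt.
    Raises ValueError when the unwrapped value cannot be a key (wrong private key)."""
    n, d = private_key
    unwrapped = pow(wrapped_key, d, n)
    if unwrapped.bit_length() > SYM_KEY_BYTES * 8:
        raise ValueError("wrapped key does not unwrap under this private key")
    sym_key = unwrapped.to_bytes(SYM_KEY_BYTES, "big")
    return _xor(ciphertext, _keystream(sym_key, nonce, len(ciphertext)))


def try_recover(private_key, wrapped_key, nonce, ciphertext):
    """Recovery attempt as a decryptor tool would perform it: plaintext on success, None otherwise."""
    try:
        return hybrid_decrypt(private_key, wrapped_key, nonce, ciphertext)
    except ValueError:
        return None


if __name__ == "__main__":
    public, private = generate_keypair()
    sample = b"constructed sample file contents"  # constructed input
    envelope = hybrid_encrypt(public, sample)
    print("recovered with the right private key:", try_recover(private, *envelope) == sample)
    _, other_private = generate_keypair()
    print("recovered with another private key:", try_recover(other_private, *envelope) == sample)
```

The defensive reading of this structure is that a victim's only recovery paths are the attacker's private key or a backup taken before infection; a decryptor released after a private key is seized works by exactly the unwrap step in `try_recover`, and the size check there is what lets such a tool report a mismatched key instead of writing garbage over the files.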
History
The first known ransomware was the 1989 PC Cyborg Trojan (also known as the AIDS trojan), which only encrypted filenames with a weak symmetric cipher. The notion of using public key cryptography for these attacks was introduced by Young and Yung in 1996, who presented a proof-of-concept cryptovirus for the Macintosh SE/30 using RSA and TEA. Young and Yung referred to this attack as cryptoviral extortion, an overt attack that is part of a larger class of attacks in a field called cryptovirology. Cryptovirology encompasses both overt and covert attacks.
Examples of extortive ransomware reappeared in May 2005. By mid-2006, worms such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive began utilizing more sophisticated RSA encryption schemes, with ever-increasing key sizes.
Gpcode.AG, which was detected in June 2006, encrypted with a 660-bit RSA public key. Gpcode.AK, detected in June 2008, uses a 1024-bit RSA key, which is believed to be large enough to be computationally infeasible to break without a concerted distributed effort.
News of new Gpcode-like ransomware using 1024-bit RSA encryption continues to surface.
Ransomware has been widely distributed in the Russian Federation and other Russian-speaking countries since 2010. Several million computers in the former USSR were infected in the last two years with malware that blocked booting of the Windows operating system or disabled Internet access until the user paid a required sum of money through special SMS numbers or electronic money systems. Very often such malware, "intended for" Russian-speaking users, displays pornographic images and text about visiting porn sites, motivating prompt payment while discouraging a call to the system administrator if the infected computer is located in an office.
In 2011, a trojan application appeared, purporting to represent a Microsoft utility that checks Windows licensing. It threatens legal action and data loss if a "license fee" is not paid.