The Reversible Denial-of-Resource CryptoViral Extortion Attack

Ransomware, although somewhat appropriately nicknamed, as it takes your data hostage demanding money for its release, has always implied an unnecessary emotional component.  It is unforgivably insensitive to compare this to any type of real world ransom regarding human life.  Furthermore, there are no "proof of life" concepts, such as sending back a "pinky" of data or letting you briefly see that your data is being safely kept in a Linux environment.

These psychological discrepancies require an understanding of the true definition for this type of cyber crime: a reversible denial-of-resource cryptoviral extortion attack.  As insidious as it sounds, it is just the technical terminology of what is commonly referred to as ransomware.  Perhaps a semantic dissection will provide some clarification and comprehension.

Denial-of-service attacks, if successful, result in the failure to provide a service, such as serving up a webpage in response to a user's HTTP request.  A denial-of-resource attack prevents access to a resource, such as a specific document or file.  Traditionally, the attacker targets valued resources and obstructs their availability to the user.  Typically, this involves removing a user's ability to read, write, and copy the most valued and sensitive files on their machine.  However, if the hacker is true to their word, this process is reversible, with full access returned upon meeting the hacker's payment demands.

This oppressive attack is clearly an instance of financial extortion.  Frequently, this occurs in the real world by demanding payment to prevent the release of damaging information, although in this case the extortionist requires payment in order to allow the release of captive data.

The remaining part requiring explanation is the most interesting aspect of this attack (not so interesting if you're the victim) -- its use of cryptovirology.  Combining cryptography with virology is a classic example of the whole being greater than the sum of its parts.  This has been employed by malware to enhance obfuscation and prevent reverse engineering.

Viral propagation continues to be a pervasive and effective means of malware dissemination.  Despite security advances in protective mechanisms and defensive measures, viral threats remain problematic due to evolving sophistication in their methods of AV evasion.  Utilizing mutation engines, polymorphic and metamorphic malware have demonstrated the ability to frequently avoid detection by creating self-altering and reorganizing encrypted code.

The incorporation of encryption into this type of extortion attack amplifies its malicious intensity.  The technology designed to secure and protect sensitive information, encryption, can be equally damaging in the absence of its intended use.  This concept can be easily understood with the example of door locks used in the real world.  If a room contains valuable property, the first step towards security is to install a door which provides visual privacy from casual passersby.  The next step towards effective security, to keep other individuals from accessing the room, would be the installation of a door lock.  However, if this step is ignored, then it is possible that someone else could place their own lock on the door, thus restricting access from the legitimate owner.  This principle holds true for encryption and is enhanced by its significant underutilization.  In this attack scenario, the valued data essentially becomes locked inside of a mathematical vault, which cannot be opened, despite residing on the user's PC.  The alphanumeric key required to open the vault -- decrypting the data -- becomes a valuable item possessed by the extortionist.

The media coverage related to the recent occurrence of this attack stems from its cryptographic strength, not its novelty.  While a theoretical discussion of cryptoviral extortion attacks was presented at the 1996 IEEE Symposium on Security & Privacy, it wasn't until 2004 that one actually occurred.  The Trojan.Pgpcoder was one of the first public instances affecting end users.  Fortunately its weak custom encryption scheme allowed it to be easily reverse engineered.  Soon to follow was the Cryzip Trojan, which used password-protected zip encryption that could be brute-forced.  In mid-2006, the Archiveus-A Trojan emerged, which oddly requested the purchase of pharmaceuticals from a Russian website, as opposed to direct monetary demands for file decryption.  Following file concatenation and consolidation, access attempts generated a dialog box requesting a complex 30-character password.  Reverse engineering of the Archiveus Trojan, however, was facilitated by the fact that it kept the password stored in the binary as plain text.

Following the historic trend of blackmailing viruses, the Gpcode Trojan first appeared in 2004, rapidly evolved in 2005 and then went dormant after apparently topping out in 2006.  First targeting businesses, the number of victims grew with the code's developing sophistication and potency.  In January of 2006, Gpcode.ac had adopted use of the secure RSA public-key encryption algorithm.  After the author's initial RSA implementation led to failure from using a 56-bit key, its complexity quickly matured.  In 2006, during a six-month period, Gpcode variants appeared with escalating key lengths.

Gpcode.ad      67-bit RSA key

Gpcode.ae      260-bit RSA key

Gpcode.af      330-bit RSA key

Gpcode.ag      660-bit RSA key

Two years later, we find ourselves facing Gpcode.ak using 1024-bit RSA encryption.  There have been varying estimations concerning the raw computing power and mathematical cycling efficiency needed to crack encryption of this strength.  However, regardless of the source, it is agreed that this task would be one of significant difficulty.
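Why the 56-bit key was a failure for its author, shown as an added example (not code from this post or from any Gpcode analysis): Pollard's rho factors a 56-bit RSA modulus almost instantly, and the factors yield the private exponent.  The primes, the public exponent 65537 and the sample value are constructed for illustration.

```python
import math

E = 65537  # public exponent; an assumption (common RSA default)

def next_prime(n):
    """Smallest prime >= n by trial division (fine for ~28-bit values)."""
    n |= 1
    while any(n % d == 0 for d in range(3, math.isqrt(n) + 1, 2)):
        n += 2
    return n

def make_weak_key():
    """Constructed 56-bit modulus from two 28-bit primes (not a real key)."""
    return next_prime(200_000_000) * next_prime(250_000_000)

def pollard_rho(n):
    """Return a non-trivial factor of an odd composite n (Floyd cycle)."""
    for c in range(1, 64):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:  # d == n means this polynomial failed; try the next c
            return d
    raise ValueError("no factor found")

def recover_private_exponent(n, e=E):
    """Factor n, then rebuild d = e^-1 mod (p-1)(q-1)."""
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

def demo():
    n = make_weak_key()
    secret = 0xC0FFEE1234            # constructed stand-in for a file key
    locked = pow(secret, E, n)       # encrypted with the public key only
    d = recover_private_exponent(n)  # the private key was never supplied
    return n.bit_length(), secret, pow(locked, d, n)

if __name__ == "__main__":
    bits, secret, recovered = demo()
    print(f"{bits}-bit modulus, recovered value matches: {secret == recovered}")
```

The expected work for this method grows roughly with the square root of the smaller prime factor, which is why the same recovery is hopeless against a 1024-bit modulus.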

The end result of this situation is a real security concern. Presently, the security community's best inoculative efforts have been requests for collaborative help and attempts at file restoration using photo recovery software.  This is disturbing at best.

Perhaps we should disband distributed computing projects (goodbye SETI) and cease supercomputing chess matches (that's right Deep Blue, Deep Thought, and Hydra) and dedicate these resources to cryptographic file recovery.

To everyone affected by this devastating attack, I leave you with two words--backup drive.

My blog can be held for ransom at: greyhat@computer.org


Copyright © 2008 IDG Communications, Inc.
