Malicious Ransomware Can Hold Computer Files Hostage

How much would you pay if someone hijacked your computer files and demanded a fee for their safe return? $100? $1,000? Malicious software named CryptoLocker is currently infecting computers via poisoned e-mail attachments that lock up the machine’s data unless the owner agrees to pay $300 within 72 hours.


Cybersecurity firms first noticed CryptoLocker in early September. Attacks have increased over the past few weeks, and yesterday they reported that a new version of the malware gives people more time to recover their files — for about $1,600 above the original asking price. Experts estimate that CryptoLocker infects around 1,000 PCs each day, mostly in North America, the U.K. and India. Until recently, the malware—also known as “ransomware”—was undetectable by most antivirus software. And short of paying the ransom, there is currently no way to reverse the damage. “It's kind of like losing your computer or smashing your hard disk or dropping your computer in the harbor. You are never going to get your data back” after your files are encrypted, says Paul Ducklin, head of technology for the Asia–Pacific region at security company Sophos.


The malware encrypts documents, PowerPoint files, images, videos, spreadsheets, Photoshop files, mp3s and other files—basically anything the average person would consider important or having sentimental value—and directs users to send money via Bitcoin or MoneyPak if they ever want to see the data again. Bitcoin accounts associated with CryptoLocker have already added up to millions of dollars, with uncounted amounts of money presumably collected through other channels. “Technically, what CryptoLocker does is not new at all,” says Fabian Wosar, a security developer at Emsisoft. “In fact, this special kind of ransomware, often called crypto-malware, has been around for literally decades. It became more prevalent in the last couple of years.”


CryptoLocker has been more successful than previous versions of ransomware, however, both in terms of the number of computers it has affected and the strength of the encryption. “It seems that the way these guys have selected their victims has sadly led to a greater level of success than we have seen before,” Ducklin says. “Is there a chink in the cryptographic armor? So far, to the best of my knowledge nobody has found one.” The only way to break the encryption would be a “brute force” attack, generating random keys until you hit the right one, he says. But because the encryption level is so high, it would take much more time and computing power than people are given before the files are destroyed.


CryptoLocker typically gains access to computers through “phishing scams” that trick people into opening an e-mail attachment that looks like a pdf file, but is actually “a Windows program in thin disguise,” Ducklin says. It also buys time on a bot or a zombie (those programs that send out spam messages) and uses it to distribute the software. Once opened, the malware installs itself onto the hard drive and tries to access the command-and-control server, which generates two keys—a public one that encrypts the files and a private one that can decrypt them, which the malware holds back until the user pays the ransom. When the encryption process is complete, a countdown clock pops up with instructions on how to pay.
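The "PDF file that is really a Windows program" trick described above can be caught before anyone opens the attachment by comparing the file name with the file's first bytes. The script below is an added example written for this article, not code from Sophos or any other firm quoted here; the attachment names and byte strings are constructed, and the list of extensions treated as executable is an assumption about what a mail gateway would refuse outright.

```python
"""Flag e-mail attachments that claim to be documents but are really
Windows programs. Added example for this article; file names and byte
strings below are constructed, not taken from a real CryptoLocker sample."""
import os
from typing import Dict, List

# Extensions Windows runs as a program when the file is double-clicked.
# (Assumed list of what a mail gateway would want to block outright.)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# Leading bytes ("magic numbers") a genuine file of each type starts with.
DOCUMENT_MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
}

PE_MAGIC = b"MZ"  # DOS header that every Windows executable begins with


def check_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons an attachment looks like a disguised program.
    An empty list means the name and the contents are consistent."""
    findings: List[str] = []
    name = filename.lower()
    root, last_ext = os.path.splitext(name)
    _, inner_ext = os.path.splitext(root)
    claimed_ext = last_ext

    # 1. Double extension such as invoice.pdf.exe. Windows Explorer hides
    #    known extensions by default, so the user sees only "invoice.pdf".
    if last_ext in EXECUTABLE_EXTENSIONS:
        if inner_ext in DOCUMENT_MAGIC:
            findings.append("double extension: displayed as '%s', really %s" % (root, last_ext))
            claimed_ext = inner_ext
        else:
            findings.append("executable attachment (%s)" % last_ext)

    # 2. Contents disagree with the type the name claims.
    expected = DOCUMENT_MAGIC.get(claimed_ext)
    if expected is not None and not data.startswith(expected):
        if data.startswith(PE_MAGIC):
            findings.append("claims %s but contains a Windows executable (MZ header)" % claimed_ext)
        else:
            findings.append("claims %s but first bytes do not match" % claimed_ext)
    return findings


def triage(attachments: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run check_attachment over a batch of attachments and keep only
    the ones that produced findings."""
    result: Dict[str, List[str]] = {}
    for name, data in attachments.items():
        findings = check_attachment(name, data)
        if findings:
            result[name] = findings
    return result


# Constructed sample attachments (no real malware): a genuine PDF header,
# a PE header behind a double extension, and a PE header behind a plain
# .pdf name.
SAMPLE_ATTACHMENTS = {
    "quarterly_report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "FedEx_invoice.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "ups_tracking.pdf": b"MZ\x90\x00" + b"\x00" * 60,
}

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_ATTACHMENTS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The magic-number check matters more than the extension check: a file named plainly `statement.pdf` whose contents begin with the `MZ` header is still a program if the sender's mail client or a later rename restores the executable extension, and the check costs only a few bytes of reading.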


The programmers responsible for CryptoLocker have hidden the command-and-control servers behind a number of proxy servers that scramble and reroute traffic so it is difficult to follow, as well as several additional layers of encryption, making the malware virtually untraceable.


It is possible to block CryptoLocker from accessing the command-and-control server, and thereby prevent it from beginning the encryption process, by interrupting the network connection or changing the Windows operating system rules. More than 100 researchers from telecommunications companies, cybersecurity firms like McAfee, universities and elsewhere have formed a CryptoLocker working group to share information about the malware and develop security patches that detect it and stop it from running. Once your files have been encrypted, however, there is still no way to get them back. And whoever is behind CryptoLocker continues to develop new versions of the malware that can evade detection and avoid recent security fixes.
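One low-cost way to notice mass encryption on a machine that the working group's patches have not yet reached is to plant decoy documents and watch for them being rewritten or removed, since anything that encrypts every document in a folder will hit the decoys too. The script below is an added example for this article, not a tool from the CryptoLocker working group or from any vendor named here; the decoy names and contents are constructed, and the response (pulling the machine off the network and its shares, then restoring from an offline backup) is left to the operator.

```python
"""Canary-file monitor: plant decoy documents and report when they are
modified or vanish, an early signal that something is rewriting the
user's files. Added example for this article, not a tool from the
CryptoLocker working group; decoy names and contents are constructed."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Names chosen to sort first and last in a directory listing, on the
# assumption that a sweep through the folder touches one of them early.
CANARY_NAMES = ["!000_budget.xlsx", "zzz_family_photos.jpg"]


def sha256_of(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_canaries(directory: str, names: List[str] = CANARY_NAMES) -> Dict[str, str]:
    """Write the decoy files and return {path: sha256} as the baseline."""
    baseline: Dict[str, str] = {}
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(b"CANARY FILE - do not edit: " + name.encode() + b"\n")  # constructed
        baseline[path] = sha256_of(path)
    return baseline


def check_canaries(baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every canary that changed or disappeared
    since plant_canaries recorded the baseline."""
    alerts: List[Tuple[str, str]] = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing"))
        elif sha256_of(path) != digest:
            alerts.append((path, "modified"))
    return alerts


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Plant canaries in a temporary folder, check once, then overwrite one
    of them (standing in for a file being rewritten) and check again."""
    directory = tempfile.mkdtemp(prefix="canary_demo_")
    baseline = plant_canaries(directory)
    before = check_canaries(baseline)
    first = next(iter(baseline))
    with open(first, "wb") as fh:
        fh.write(b"\x00" * 64)  # arbitrary new contents; nothing is encrypted here
    after = check_canaries(baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("initial check:", before)
    print("after overwrite:", after)
```

In use, `check_canaries` would run from a scheduled task every minute or so over the folders that matter (documents, mapped network shares, the local folder of any cloud-sync client), and an alert is the cue to disconnect the machine from the network before the sweep reaches the shares and cloud storage the article warns about.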


Backing up your files is the best way to protect yourself from CryptoLocker, security researchers say, but even that method is not foolproof. “Once it has infected a machine, it can encrypt files across your network, it can encrypt files on your flash drives, and it can even encrypt files on cloud storage,” like Google Drive or Dropbox, says Nick Shaw, CEO of computer consultancy Foolish IT, who created a free tool that protects home users against the malware.


The trick is to store your backup files remotely, so that they are not connected in any way to the device at the time of infection, says Craig Schmugar, a security threat researcher at McAfee. Another way to protect yourself is by practicing safe browsing habits, like avoiding suspicious links and not opening e-mail attachments from people you don’t know. CryptoLocker e-mails generally look like customer support messages from companies or organizations such as the Better Business Bureau, FedEx or UPS.


Based on who is receiving the e-mails, Emsisoft’s Wosar thinks that the malware may be targeting small businesses whose livelihood depends on their files, but who may not have their own information technology department and have fewer restrictions on incoming e-mails as well as no attachment filters. CryptoLocker puts companies like these in a bind, and many appear to be paying the ransom against the advice of security firms. “One reason why you don't want to pay these guys is because it only encourages them to continue support for it, and to make it even nastier,” says Joshua Cannell, a malware intelligence analyst at Malwarebytes. “Because if it is making money, then obviously they are going to keep working on it and putting more time and effort into it.”


Security experts acknowledge that not paying isn’t feasible for everyone, however. “The exact same argument is made for kidnapping—never give ransom money, it just encourages them,” says Bruce Schneier, a cryptographer and fellow at the Berkman Center for Internet and Society at Harvard Law School. “And that argument makes a whole lot of sense until it is your child. When it is your data, you will pay if it is worth it.”


Considering the locations of servers that have already been linked to CryptoLocker and taken down, Wosar thinks that the perpetrators may be from Russia. “It's working not because of the computer software, but because there exists a country these people can operate in and a financial transfer mechanism that they can work with. I assure you these people don't live in the U.S., because the FBI would be on their ass pretty quickly,” Schneier says.


Schneier calls CryptoLocker infections “particularly nasty” because they go after your personal files, but he says that the malware is a low threat compared with other scary viruses and malware on the Web. And whereas the right prevention methods make avoiding CryptoLocker fairly easy, the threat probably won’t disappear anytime soon.


Until then, remember to back up.

© 2013 ScientificAmerican.com. All rights reserved.