Ransomware (malware)
From Wikipedia, the free encyclopedia
A cryptovirus, cryptotrojan or cryptoworm is a type of malware that encrypts a victim's data on a computer and demands a ransom for its restoration. The term ransomware is commonly used to describe such software, although the field known as cryptovirology, which studies such attacks, predates the term "ransomware".
Such an attack can be carried out by, for example, attaching a specially crafted file or program to an e-mail message and sending it to the victim. If the victim opens or executes the attachment, the program encrypts a number of files on the victim's computer and leaves behind a ransom note. The victim cannot open the encrypted files without the correct decryption key. Once the ransom demanded in the note is paid, the attacker may (or may not) send the decryption key, enabling decryption of the "kidnapped" files.
The idea of maliciously encrypting plaintext is not new. The first example is probably the PC Cyborg Trojan, found in 1989. It encrypted only filenames (using a very weak cipher), rendering the file system unusable. Other malware has maliciously encrypted plaintext since then. The 1996 IEEE paper by Young and Yung[1] reviews the malware that has done this and shows how public key cryptography can be used in such threats.
A cryptovirus, cryptotrojan, or cryptoworm is defined as malware that contains and uses the public key of its author. In cryptoviral extortion the malware hybrid encrypts the victim's data: it generates a random symmetric session key, encrypts the data with that key, encrypts the session key with the author's public key, and then erases the plaintext session key. Only the author's private key, which is never included in the malware, can recover the session key, so reverse engineering the malware or examining the infected machine does not yield it (unlike an attack that embeds a fixed symmetric key, which analysis of the malware reveals). This is one of a myriad of attacks in the field known as cryptovirology.
Since May 2005 malware extortion attacks (that encrypt or delete data) have been appearing in greater numbers. Examples include Gpcode (many variants: Gpcode.ac, Gpcode.ag, etc.), TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive. It is said that Gpcode.ag utilizes a 660-bit RSA public modulus. Attackers appear to be either rediscovering cryptoviral extortion or, perhaps more likely, reading the cryptographic literature on the subject.[1][2][3]
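The following is an added illustration of the hybrid-encryption structure described above; it is not code from the article or from the Young and Yung paper, and it is not a working piece of malware. It uses toy parameters that are assumptions for the demonstration: textbook RSA over two fixed Mersenne primes in place of a properly padded RSA key, and an XOR keystream drawn from SHAKE-256 in place of an authenticated cipher such as AES-GCM. Neither stands in for real cryptography; the point is the key handling, namely that the malware side carries only the public key, the plaintext session key is erased after use, and recovery needs the private key that never left the author.

```python
"""Toy model of cryptoviral extortion (hybrid encryption under the author's
public key). Added example; parameters are deliberately toy-sized and the
construction is NOT secure. It only illustrates where each key lives."""
import hashlib
import secrets
from math import gcd

# Author side: toy key pair, generated once and kept off the victim's machine.
# P and Q are Mersenne primes chosen for the demo (assumption), ~150-bit modulus.
P = (1 << 61) - 1
Q = (1 << 89) - 1
E = 65537
SESSION_KEY_LEN = 16    # 128-bit key: as an integer it is < P*Q, so textbook RSA fits


def generate_author_keypair():
    """Return (public_key, private_key). Only public_key ships in the malware."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    assert gcd(E, phi) == 1          # holds for these primes; checked anyway
    d = pow(E, -1, phi)              # modular inverse (Python 3.8+)
    return (n, E), (n, d)


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHAKE-256 keystream (stand-in for AES).
    Encryption and decryption are the same operation."""
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def cryptoviral_encrypt(files: dict, public_key) -> tuple:
    """Malware side. Knows only the public key. Returns the locked files and
    the session key encrypted under the author's public key."""
    n, e = public_key
    session_key = secrets.token_bytes(SESSION_KEY_LEN)
    locked = {}
    for name, plaintext in files.items():
        nonce = secrets.token_bytes(16)               # fresh nonce per file
        locked[name] = nonce + stream_xor(session_key, nonce, plaintext)
    # Encrypt the session key under the author's public key (textbook RSA, toy).
    enc_session_key = pow(int.from_bytes(session_key, "big"), e, n)
    # Erase the plaintext session key: nothing left on the victim machine,
    # including the malware itself, can now recover the files.
    del session_key
    return locked, enc_session_key


def recover_session_key(enc_session_key: int, private_key) -> bytes:
    """Author side, after the ransom: only the private key undoes the RSA step."""
    n, d = private_key
    return pow(enc_session_key, d, n).to_bytes(SESSION_KEY_LEN, "big")


def decrypt_files(locked: dict, session_key: bytes) -> dict:
    """Victim side once the session key has been handed back."""
    return {name: stream_xor(session_key, blob[:16], blob[16:])
            for name, blob in locked.items()}


def demo() -> bool:
    """Round trip on constructed sample files; returns True on success."""
    public_key, private_key = generate_author_keypair()
    victim_files = {                                  # constructed sample input
        "report.doc": b"quarterly numbers, do not share",
        "photo.jpg": b"\xff\xd8\xff\xe0 not really a jpeg",
    }
    locked, enc_key = cryptoviral_encrypt(victim_files, public_key)
    # The victim holds `locked` and `enc_key` but not `private_key`.
    session_key = recover_session_key(enc_key, private_key)
    return decrypt_files(locked, session_key) == victim_files


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The separation is the whole defence from the attacker's point of view: an analyst with the malware binary and a full disk image of the victim sees the public key, the per-file nonces, the ciphertexts and the RSA-encrypted session key, none of which yields the session key without the private exponent. A real deployment would replace the toy primes with a properly generated key and RSA-OAEP, and the XOR keystream with an authenticated cipher; what it would not change is which key ships with the code.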
References
- [1] Adam Young, Moti Yung, "Cryptovirology: Extortion-Based Security Threats and Countermeasures", IEEE Symposium on Security & Privacy, pages 129-141, May 6-8, 1996.
- [2] Adam Young, "Building a Cryptovirus Using Microsoft's Cryptographic API", Information Security Conference (ISC '05), Jianying Zhou, Javier Lopez (Eds.), LNCS 3650, pages 389-401, 2005.
- [3] Adam Young, "Cryptoviral Extortion Using Microsoft's Crypto API: Can Crypto APIs Help the Enemy?", International Journal of Information Security, v. 5, n. 2, pages 67-76, Springer, April 2006.
External links
- SecuriTeam article: "Ransomware" as a buzzword, and Internet-based extortion, published September 27th, 2005
- PC World article: Trojan Freezes Computer, Demands Ransom, published April 27, 2006
- Betanews article: Trojan Demands Ransom from Victims, published April 27, 2006
- BBC article: Woman targeted by web Crackers, published 31 May 2006
- Ars Technica article: New Trojans: give us $300, or the data gets it!, published July 18, 2007