Sneaky Blackmailing Virus That Encrypts Data
BaCa writes "Kaspersky Lab found a new variant of Gpcode which encrypts files with various extensions using an RSA encryption algorithm with a 1024-bit key. After Gpcode.ak encrypts files on the victim machine, it changes the extension of these files to ._CRYPT and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a decryptor. Is this a look into the future where the majority of malware will function based on extortion?"
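The summary gives the two on-disk artefacts this variant leaves behind: files renamed with a ._CRYPT extension and a !_READ_ME_!.txt note in each hit folder. The following triage script is an added example, not Kaspersky's code or anything from the original story; it builds a constructed sample tree, walks it for those two artefacts, and reports which directories were touched. It assumes the ._CRYPT suffix is appended to the original name, which the summary does not state explicitly.

```python
"""Added example: triage scan for the Gpcode.ak artefacts described in the
summary (files renamed to ._CRYPT plus a !_READ_ME_!.txt ransom note).
Not Kaspersky's code; the directory tree below is constructed for the demo."""
import os
import tempfile
from pathlib import Path

CRYPT_SUFFIX = "._CRYPT"        # extension the summary says the variant applies
NOTE_NAME = "!_READ_ME_!.txt"   # ransom note dropped in each affected folder


def build_sample_tree() -> Path:
    """Construct a throwaway directory mimicking a partially hit machine."""
    root = Path(tempfile.mkdtemp(prefix="gpcode_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    # Assumption: the suffix is appended to the original filename.
    (docs / "thesis.doc._CRYPT").write_bytes(os.urandom(64))
    (docs / "budget.xls._CRYPT").write_bytes(os.urandom(64))
    (docs / NOTE_NAME).write_text("Your files are encrypted. Buy the decryptor.")
    pics = root / "Pictures"
    pics.mkdir()
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 60)  # untouched
    return root


def scan_for_gpcode_artifacts(root) -> dict:
    """Walk root; collect encrypted files, ransom notes and the directories hit."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(CRYPT_SUFFIX):
                encrypted.append(full)
            elif name == NOTE_NAME:
                notes.append(full)
    hit_dirs = sorted({os.path.dirname(p) for p in encrypted + notes})
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "hit_dirs": hit_dirs}


def original_name(path) -> str:
    """Strip the ._CRYPT suffix to recover the pre-encryption filename."""
    base = os.path.basename(path)
    return base[: -len(CRYPT_SUFFIX)] if base.endswith(CRYPT_SUFFIX) else base


if __name__ == "__main__":
    report = scan_for_gpcode_artifacts(build_sample_tree())
    for p in report["encrypted"]:
        print(f"encrypted: {p} (was {original_name(p)})")
    print("ransom notes:", report["notes"])
    print("directories hit:", report["hit_dirs"])
```

The list of hit directories is what you hand to whoever is doing the restore: every file under them needs to come from a backup taken before the infection, and the notes are worth keeping as evidence rather than deleting.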
But were they smart, or stupid? (Score:5, Interesting)
Re:But were they smart, or stupid? (Score:4, Insightful)
besides... do you really expect to get your data back after a hack like that? Your system is hosed; any correspondence with the malware author is only going to lead to more loss.
you got pwnd, restore from backup, call the FBI if you're a good corporate citizen and have nothing to hide. Otherwise, get a Mac.
Re:But were they smart, or stupid? (Score:5, Insightful)
I would happily contact the criminal and send them $1 after working with my bank and law enforcement to set up an account trace to see where the money goes and who ends up with it.
Re:But were they smart, or stupid? (Score:5, Insightful)
> where the money goes and who ends up with it.
Yeah, because they'd never have thought of that.
Re:But were they smart, or stupid? (Score:5, Informative)
You are asked to send money through Western Union or some other provider that doesn't check your ID for amounts smaller than a few thousand USD. Then they send some bum to one of the thousand WU offices, somewhere on this planet, with the withdrawal code. And only once they get your money, you get your decryption key.
So, now you know where the money ends up, and why police can't do jack about it.
Re:But were they smart, or stupid? (Score:5, Informative)
"And only once they get your money, you don't get your decryption key."
There, fixed that for you. :-)
Re:But were they smart, or stupid? (Score:5, Funny)
As a telegram? Do they still exist?
Re:But were they smart, or stupid? (Score:5, Funny)
Jeez. If not - I'd fill out the form saying the payment was to help Osama Bin Laden buy some Yellow Cake Uranium-flavoured rolling papers that had pictures of Child Porn on one side, and copyrighted Metallica lyrics and Vista Activation codes on the other. Surely one of our country's many Big Brother agencies would ensure the blackmailer had a quick career change.
Oh please! We all know there aren't any REAL banks (Score:5, Informative)
in Nigeria?
There are real banks in Nigeria, owned by the ruling ethnic group, that's where the billions of dollars from oil goes. The rulers get their money while those who live where the oil comes from, the Niger Delta [realclearpolitics.com], have to fight for scraps.
Falcon
Re:Oh please! We all know there aren't any REAL ba (Score:4, Interesting)
Banking in Nigeria is not significantly less reputable than anywhere else.
The problem with Nigerian scams is that there are a lot of Nigerians, and a significant fraction of them do not trust random people they don't know from Adam (or in some cases, members of their own family) and think that "europeans" must be a bunch of illiterate cretins if they are willing to believe things they read in random e-mails from strangers, and hence deserve to be scammed.
The main factor in Nigerian fraud is that part of the Nigerian population that believes God created cretins so they could be scammed. Not a very Christian belief:
Yes its true, Christianity would stop Nigerian scams - send more missionaries :-)
Yes, I have been to Nigeria.
Re: (Score:3, Insightful)
The main factor in Nigerian fraud is that part of the Nigerian population that believes God created cretins so they could be scammed. Not a very Christian belief:
Yes its true, Christianity would stop Nigerian scams - send more missionaries
I can't help but notice that if you are correct, what might help them even more is not believing in silly propositions like "God" and "Christianity."
Re:But were they smart, or stupid? (Score:4, Insightful)
you got pwnd, restore from backup, call the FBI if you're a good corporate citizen and have nothing to hide. Otherwise, get a Mac.
Getting a Mac will help for a while, but as more people switch to Macs malcontents will target OS X. And while it's more secure it's not totally secure, nothing is.
Falcon
Oh, and I'm not an MS fanboy, my desktop PC's OS is Linux and the laptop I'm typing this on is a MacBook Pro.
Re:But were they smart, or stupid? (Score:5, Funny)
He did say "good corporate citizen", so if you are not paying for it, you obviously have something to hide and should be reported.
Damn commie scum.
Re:But were they smart, or stupid? (Score:5, Interesting)
You may think this is just a joke, but when my second college roommate saw me using an unfamiliar operating system, he naturally started asking me about it. "What's it called?" "Red Hat Linux." "How much does it cost?" "Nothing, it's free." He freaked out: "Oh my God, how can that be legal? That could cost Microsoft so much in lost profits! That should really be illegal..."
The worst part? He was a business major, an honest-to-goodness PHB in training...
Re:But were they smart, or stupid? (Score:5, Insightful)
I hope you promptly yelled "WHAT THE FUCK IS WRONG WITH YOU?!" and slapped some sense into him.
Re: (Score:3, Interesting)
Re: (Score:3, Insightful)
And do you also express your appreciation of Wikipedia by donating to the EFF?
Corporate Linux users generally *do* pay (Score:3, Informative)
Re: (Score:3, Informative)
RedHat and Novell have anted up to the table and can offer Linux desktops and servers in an industry that pretty much was Windows only, other than maybe a Solaris or AIX box here and there. Part of what people pay for when purchasing commercial support for RHCE or SUSE is the cost of this.
OBMac: MacOS 10 too has recently gotten FIPS certified, so that is another UNIX that is usab
Re: (Score:3, Informative)
OS X is reasonably secure, but so is Linux. And while harder, Windows can also be made that way. Just because your Mac hasn't been pwned yet doesn't mean that it won't be. The only secure OS is one that doesn't do anything.
Macs are actually 24 years old, and there were Mac OS viruses out there. The hardware feature of automagically reading a floppy inserted into the drive made the spread of those viruses much easier.
Sheldon
Re:But were they smart, or stupid? (Score:5, Insightful)
Fear, and adware. For example, if this virus becomes really widespread, the malware author could create a rouge anti-virus program that promises to get rid of it, and might even get rid of it, the downside is, it infects the host machine with adware giving the author $$$. Otherwise he can simply modify the script to not only encrypt it but add some adware into there. If you have root, there isn't much you can't do.
But a crimson anti-virus program can detect a rouge one.
Re: (Score:3, Informative)
Does it matter? I have backups.
Really, this doesn't scare me very much. Can these people stop making money on spam, please, and let them try their hand at blackmail? Because it's fine-- a lot of people won't pay, and others will get the FBI to trace the money to the criminals behind it. They'll probably get caught, but either way they won't get me. Like any sane person, I have a firewall, don't open random attachments, and keep backups.
Re:But were they smart, or stupid? (Score:5, Insightful)
Does it matter? I have backups.
And how often do you roll through your backups? Will you notice the encrypted files in time, or will you end up backing up the worthless files instead?
I have plenty of important files which I don't look at very often. It might take months before I realize they are corrupted -- and by that time, I've overwritten the last valid backup with the encrypted stuff.
Re:But were they smart, or stupid? (Score:4, Informative)
Unless you have space for infinite backups, his method is right. At some point, you'll run out of space and have to delete old backups to make room for the new ones.
Re:But were they smart, or stupid? (Score:5, Informative)
And given that most people work in files which are essentially text or the moral equivalent (Word docs, etc), it's likely that you do, in fact, have enough space for a very, very large number of backups.
Re:But were they smart, or stupid? (Score:4, Informative)
For that matter, these are also things which don't change a lot. They shouldn't take up too much space in the backup, if you're using even a halfway-intelligent backup program -- both of the ones you mentioned at least do hardlinks.
The real danger here would be if the program actually corrupted the entire backup repository. For that to happen, it would have to know when your backup hard drive was plugged in -- and there are other ways of avoiding this, such as running backups over a network to a server with limited access.
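The exchange above turns on two things: a hardlink-style snapshot backup keeps old versions cheaply, and you still need to notice a mass change before the last clean snapshot ages out. The script below is an added example, not code from any backup program mentioned in the thread. It takes snapshots where unchanged files are hardlinked to the previous snapshot, then simulates Gpcode-style damage (rename to ._CRYPT, overwrite contents) and shows that the day-one snapshot still holds the clean file while a churn check flags the spike. The source tree and the damage are constructed for the demo.

```python
"""Added example: hardlink-based snapshot backups plus a change-rate check
that flags a snapshot in which an unusual share of files vanished or changed.
Not code from any real backup tool; the home directory, the snapshot labels
and the simulated encryption are all constructed for the demo."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def file_digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def take_snapshot(src: Path, backup_root: Path, label: str,
                  previous: Optional[Path]) -> Path:
    """Copy src into backup_root/label. A file whose content matches the
    previous snapshot becomes a hardlink, so the snapshot costs only changed bytes."""
    snap = backup_root / label
    for path in src.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(src)
        dest = snap / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        prev = previous / rel if previous else None
        if prev is not None and prev.is_file() and file_digest(prev) == file_digest(path):
            os.link(prev, dest)      # identical content: share the inode
        else:
            shutil.copy2(path, dest)  # new or changed: store a fresh copy
    return snap


def change_report(old: Path, new: Path) -> dict:
    """How many of old's files are missing from new or have different content.
    A sudden spike in 'churn' is the early warning the comment above asks for."""
    old_files = {p.relative_to(old) for p in old.rglob("*") if p.is_file()}
    new_files = {p.relative_to(new) for p in new.rglob("*") if p.is_file()}
    missing = old_files - new_files
    modified = {r for r in old_files & new_files
                if file_digest(old / r) != file_digest(new / r)}
    total = len(old_files) or 1
    return {"missing": len(missing), "modified": len(modified),
            "churn": (len(missing) + len(modified)) / total}


def demo() -> dict:
    work = Path(tempfile.mkdtemp(prefix="snapdemo_"))
    src, backups = work / "home", work / "backups"
    src.mkdir()
    backups.mkdir()
    for i in range(5):
        (src / f"note{i}.txt").write_text(f"important note {i}\n")
    snap1 = take_snapshot(src, backups, "day1", None)
    # Simulated Gpcode-style damage on four of the five files.
    for i in range(4):
        victim = src / f"note{i}.txt"
        victim.write_bytes(os.urandom(32))
        victim.rename(src / f"note{i}.txt._CRYPT")
    snap2 = take_snapshot(src, backups, "day2", snap1)
    report = change_report(snap1, snap2)
    clean = (snap1 / "note0.txt").read_text()
    shared = os.stat(snap1 / "note4.txt").st_ino == os.stat(snap2 / "note4.txt").st_ino
    return {"report": report, "day1_note0": clean, "note4_hardlinked": shared}


if __name__ == "__main__":
    result = demo()
    print("churn report:", result["report"])
    print("day1 copy of note0 still readable:", repr(result["day1_note0"]))
    print("note4 shared between snapshots:", result["note4_hardlinked"])
```

With 4 of 5 files gone from the second snapshot the churn is 0.8; a threshold of, say, 0.2 over a day would page you long before the rotation deletes day one. The renamed ._CRYPT files count as "missing", so a bulk rename looks just as alarming as bulk modification, which is the right bias here. As the comment notes, the snapshots only survive if the client cannot write to them: run the snapshot on the server side, or give the client an account that can add a snapshot but not touch old ones.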
Re:Vista (Score:4, Insightful)
Most people aren't going to have more than a hundred gigs or so of storage in their computer in the first place. Given a halfway-decent backup system -- one which uses hardlinks, as I mentioned before -- and yes, the OS might take half of the backup drive. It will not, however, need an additional half every incremental backup -- only every time the OS changes.
As most people aren't causing terabytes worth of change, it should be no problem to have many backups (as in, every day for the past few months) on a single, dirt-cheap external hard drive.
Re: (Score:3, Insightful)
Both at home and at work, I have better things to spend my hardware budget on than insuring that restoring a PC 2 years down the road will be slightly more convenient. Besides, the vast majority of Windows reinstalls that I do are a result of spyware infestations, not hardware failures. In that situation, I'm still reinstalling the OS regardless of how complete a backup
Re:But were they smart, or stupid? (Score:5, Informative)
try 'never, I use 1-time recordable optical media'
i realize some people use 'rewritable' media for backups, and have this 'roll over' issue, but the only part of my backup that does roll over is the redundant external HDD for 'critical' data that i don't trust entirely to a DVD media, even if i only buy grade 1 media...
I don't have a small data set either, I have over 1 TB of stuff on optical discs, but surprisingly only about 30 gigs that is important enough to go to a redundant hdd.
Re: (Score:3, Informative)
I don't know about most people, but my backups bear a strong resemblance to a versioned filesystem: it doesn't matter if the encrypted files wind up on the backup, because I can always roll back to a version before they were encrypted.
Re:But were they smart, or stupid? (Score:4, Interesting)
In which case the virus writer never gets paid, since his yahoo email account is probably long disabled by then.
There's no point in delaying extortion. The kind of people who decide to run malware, are the same kind of people who don't have any backups, so they're ready to collect from, immediately.
Re: (Score:3, Insightful)
Backups require a chain of items to work correctly come restore time. You have to have something to read the backup media if it's stored on CDs, DVDs, or tapes. You have to have the correct software and version of software. You also have to be able to get a dead machine in some state to be able to be restored, either by booting an OS or BartPE
Reminds me of... (Score:4, Interesting)
The virus takes your FAT and stores it in RAM. Then lets you play a slot-machine game. If you win, you get your data back. If you lose, you lose your data. Some other combination of characters (in the slot machine) gives you the virus-writer's phone number.
Re:But were they smart, or stupid? (Score:5, Insightful)
Okay, it might be. Imagine it repeating the process on many files, each time a new file is written it may fill the space of the last deleted one. This also depends on the file system, OS strategy, file sizes, etc.
Using an undelete utility means you risk recovering many corrupt files. That may be better than nothing or sending money to a malware author, which as much as I hate to say it may legitimately be classed as "funding terrorism".
Anti-Malware Response (Score:2)
Does anyone know how bad this might be from a computational-power standpoint?
Re:Anti-Malware Response (Score:5, Informative)
Uh, if 1024-bit RSA was broken, the world of encryption security would collapse (at least for the short term). Could it happen? Sure, it's possible. Will it happen in time to save your pr0n collection? Highly unlikely.
For one thing, compromise of RSA encryption would render SSL useless.
1024-bit RSA is NOT considered secure anymore (Score:5, Informative)
As it was pointed out by another poster, no 1024-bit RSA is not sufficiently strong. Recent papers have demonstrated that factoring a 1024-bit key is now within practical reach. See for example this PhD dissertation from a student whose advisor was Shamir (the S in RSA FYI), which estimates that cracking a 1024-bit key would cost a few million US dollars [mit.edu].
Sure, at this point only a small number of organizations have a few million dollars to spare on cracking RSA, but this is beside the point. The flaw is sufficiently serious that security standards are now recommending 2048-bit RSA keys minimum.
What I am talking about are relatively recent developments; it is not very well known that 2048-bit is the minimum recommended length. This is why 1024-bit keys are still widely used everywhere. My bank (www.wellsfargo.com) uses a 1024-bit key...
Re:1024-bit RSA is NOT considered secure anymore (Score:5, Informative)
This is a common mistake that non-cryptographers make. The above is true only for symmetric algorithms. For asymmetric ones, like RSA, this is false. A 2001-bit RSA key is not twice as hard to crack as a 2000-bit key. This is why for example the NIST recommendations list different key lengths depending on the type of crypto (sym vs. asym). For introductory-level material I suggest Cryptographic key length [wikipedia.org].
Re:Anti-Malware Response (Score:5, Informative)
this is why movie content will 'never' be immune to cracking. in the case of this virus, the decryptor is sent to you over the internet, if you pay the money, but having a good backup scheme also defeats the need to brute force. having a good security setup, should negate even the need for backups to prevent infection in the first place.
so always have a competent hardened firewall device like smoothwall express, never download attachments (webmail helps a lot in this arena, along with a secure browser, and a phishing aware user/browser add-on) avoid windows like the plague, but if you must run windows make sure it can only get access to the actual ports of the programs you actually use on it. and never run as administrator, unless you really genuinely need to do something that can't be done as a normal user.
trusting a 'commercial' 'hardware' router to protect a windows machine is insane, even if you've replaced the firmware with some variant of linux, it's Still Not hardened like smoothwall...
fine if you have all linux/bsd machines, but windows has as much security as the emperor had new clothes, even with a $$$ security suite. sad but true, only 0% of tested windows security software could stop 50/50 2006/2007 known rootkit/malware post install... the best was I think being able to remove 7/50 and 13/50, if it had actually gotten installed. specialized tools were also tested, not just suites.
the point being, if you must run windows remember that a piece of paper stands more chance of surviving a nuclear blast at point blank than windows has of being de-rooted without a format.
Re: (Score:2)
In the first case someone will most likely find the key in the virus code, in the second case it's BAD. Sure the NSA can break a 1024 RSA key if they have to, but I haven't heard of a "simple" commercial tool to do it.
Re: (Score:2)
I don't see why the laws governing the ability to break such a key would change for the NSA. A 1024 bit key is MUCH more than twice as hard to crack as a 660 bit key. Maybe someone can help me with the math? something like 2^(1024 - 660) times harder to crack?
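The math the poster asks for: RSA is broken by factoring, and the best general-purpose method, the number field sieve, has a heuristic cost of L[1/3, (64/9)^(1/3)] = exp((64/9)^(1/3) (ln n)^(1/3) (ln ln n)^(2/3)), which grows far slower than 2^bits. The script below is an added worked example, not from any paper cited in the thread: it evaluates that expression for 660 and 1024 bits and sets it beside the naive 2^(1024-660) guess, and carries the symmetric-equivalence figures from NIST SP 800-57 for reference. The o(1) term and all constants are dropped, so the outputs are orders of magnitude, not operation counts; the 660-bit figure is a stand-in for RSA-200 (663 bits), which was factored in 2005.

```python
"""Added example: how factoring cost scales with RSA modulus size under the
general number field sieve heuristic, versus the per-bit doubling of a
symmetric key. Constants and the o(1) term are ignored, so treat results as
orders of magnitude. Not from any paper on the page."""
import math

# NIST SP 800-57 Part 1: RSA modulus size -> comparable symmetric strength (bits)
NIST_RSA_EQUIV = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}


def gnfs_log2_cost(bits: int) -> float:
    """log2 of L[1/3, (64/9)^(1/3)] evaluated at n = 2^bits."""
    ln_n = bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    ln_cost = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_cost / math.log(2)


def symmetric_log2_cost(bits: int) -> float:
    """Brute force on a symmetric key: every extra bit doubles the work."""
    return float(bits)


def relative_hardness_log2(bits_a: int, bits_b: int) -> float:
    """log2 of (cost to factor a bits_a modulus) / (cost to factor bits_b)."""
    return gnfs_log2_cost(bits_a) - gnfs_log2_cost(bits_b)


def compare(bits_small: int, bits_large: int) -> dict:
    """The naive 2^(delta bits) guess beside the GNFS estimate."""
    return {
        "naive_log2_ratio": symmetric_log2_cost(bits_large) - symmetric_log2_cost(bits_small),
        "gnfs_log2_ratio": relative_hardness_log2(bits_large, bits_small),
        "gnfs_log2_cost_large": gnfs_log2_cost(bits_large),
        "gnfs_log2_cost_small": gnfs_log2_cost(bits_small),
    }


if __name__ == "__main__":
    r = compare(660, 1024)
    print(f"naive guess:   2^{r['naive_log2_ratio']:.0f} times harder")
    print(f"GNFS estimate: 2^{r['gnfs_log2_ratio']:.1f} times harder "
          f"(~2^{r['gnfs_log2_cost_small']:.1f} -> ~2^{r['gnfs_log2_cost_large']:.1f})")
    for rsa_bits, sym_bits in NIST_RSA_EQUIV.items():
        print(f"RSA-{rsa_bits}: GNFS ~2^{gnfs_log2_cost(rsa_bits):.0f}, NIST rates it {sym_bits}-bit")
```

For 660 versus 1024 bits the GNFS ratio comes out near 2^15, roughly forty thousand times harder, not 2^364. That is the whole reason 1024-bit RSA sits next to an 80-bit symmetric key in the NIST table while 2048-bit only reaches 112: doubling the modulus buys a few dozen bits of security, not a thousand.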
Lookup Tables (Score:3, Interesting)
Now, I am not a cryptanalyst or mathematician, and I'm not clear on how RSA works, so bear with me. Suppose I were to generate a list of prime numbers. This only has to be done once. Now suppose I take each prime and multiply it by every other prime on the list. Now if ther
Re: (Score:2)
Wouldn't one person be able to pay off the extortion, and then give out the key to everyone else?
LET'S HOPE SO (Score:5, Insightful)
The virus tossers are actually making their situation worse by turning to extortion. But they weren't all that bright to start with.
Is this the future? (Score:5, Funny)
I don't know! Stop asking me those questions all the time. Is it obligatory to end every blurb with a question, or what?
They think they're pretty clever. (Score:5, Insightful)
The trust issue is that there is fundamentally no reason for the person receiving the money to follow through and send you the private keys to decrypt the data. If it was a known person, they'd be arrested, and since they're unknown there is no "reputational" factor that would make people more likely to pay based on the experience of others.
Just another moron criminal scheme from some douchebag who thinks he's found a get rich scheme. Just like other "genius" criminals, the fact is that the professionals in the field are smarter than the criminals.
This has been done before (Score:5, Informative)
Re:This has been done before (Score:5, Informative)
The Aids information disk:
http://www.jahewi.nl/malware/ransomware/ransomware.html [jahewi.nl]
Re:This has been done before (Score:5, Informative)
http://news.bbc.co.uk/2/hi/technology/5038330.stm [bbc.co.uk]
The magic key is:
mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
Re:This has been done before (Score:5, Funny)
America On Line?
I glad (Score:2)
One can only hope.
Only an idiot doesn't backup. (Score:2)
Re: (Score:2)
What "modern file systems" are you talking about? Bundling rollback inside a filesystem is one of the stupidest things that could be done to a fs. How many inodes would that eat up after a year, especially since some temporary files change hundreds of times per day? Version control software and/or backups are designed for this purpose - and are filesystem agnostic (work with whatever fs suits your needs).
Personally I like the idea of such a virus, it could
Re: (Score:3, Informative)
Bundling rollback inside a filesystem is one of the stupidest things that could be done to fs.
Ok, you're right that the GP is stupid -- no filesystem a desktop user runs will have that transparent rollback. The closest might be "volume shadow copy", but I think that has to be done explicitly for every change you want to record.
But seriously, have you looked at FUSE lately? There's a filesystem for everything... And, historically, there are log-structured filesystems, which can, indeed, roll back any change that hasn't already been overwritten. That approach has nothing to do with inodes -- in fact,
All your dataz (Score:5, Funny)
Jack Hacker: How are you gentlemen? All your data are belong to us.
Gonna be ok (Score:5, Funny)
I'm sure the fine folks of our Government are watching everything that happens on my computer & will promptly decrypt my files for me using their built-in back doors.
I know who is behind this scam.... (Score:2, Funny)
Of course I could be wrong.... but it's a thought
Bravo (Score:2)
I am however disappointed that the author used only 1024 bit key length, which is no longer recognized as unconditionally secure. Hopefully he or she at least generated a secure random seed for the key pair.
Cryptovirus (Score:2)
Still, the basic strategy remains viable, so the best opposing strategy would be to harden systems. Unix permissions won't help you here, since you usually have rights to write or alter permissions to stuff in your home directory. Backups would work (bu
Yeah, sure, *that'll* work.. (Score:5, Insightful)
"We have encrypted your illegally copied music files. Put $5000 in unmarked bills in a plain brown paper sack and mail it to: RIAA Washington, D.C. no later than midnight tonight or you'll never listen to your music again"
Major weak link--Yahoo.com e-mail address... (Score:2)
Unfortunately, 2 years from now, some poor soul will get bit by this... By then the Yahoo e-mail address will be long-dead, and the key might still be known only to the author...
Actually it's called Ransomware (Score:5, Informative)
The crypting your files and extort has been around since 1989 http://en.wikipedia.org/wiki/PC_Cyborg_Trojan [wikipedia.org]
No, the future is either... (Score:3, Informative)
...easy-to-use backups, and/or the government tracking down the payments and busting the guy who receives it.
Of course, if you are just backing up to the hard drive, the virus will make sure to trash your backups. Better back up to a non re-writeable CD. Most people's unique data isn't that large. If it is, you should be doing nightly offsite backups anyway.
old news - see Onehalf (Score:3, Interesting)
Anyone heard about Onehalf [wikipedia.org]? We're talking something like 1992-94 IIRC. :)
If my memory serves me right even further, the virus is from Kosice, Slovakia. It spread quite quickly (even though there was essentially no Internet at that time in Slovakia) but later on, I believe ESET [eset.com] produced a utility to detect it and clean it up. Nice thing was, that it did not need to boot from a clean boot floppy in order to do the clean-up (which was quite unusual at that time).
Funny thing then was, that a few months later, as we thought that Onehalf was - thanks to that utility - dead and old news, a story came from the USA that Onehalf had reached there and that after a lot of trouble Norton was able to detect it. But not clean it. What a joke. If we'd had email, we would happily have mass-mailed that ESET anti-Onehalf utility to everyone.
Maybe further info: ESET's One Half entry [www.eset.eu].
Re: (Score:3, Insightful)
And not as much as it would seem.
ps - this is why I have three copies of everything important to me and my wife, in two different locations, rarely more than 2 days out. She doesn't question me about this for a few weeks after she asks "Honey, I can't find........". She still doesn't understand about 12 years of email archives... Go figure.
Re: (Score:3, Informative)
So, the answer is yes, but only for a limited time. The number of shadow copies that can be kept is determined by the "free" space on the drive. On the other hand, there's usually at least seve