Sneaky Blackmailing Virus That Encrypts Data

BaCa writes "Kaspersky Lab found a new variant of Gpcode which encrypts files with various extensions using an RSA encryption algorithm with a 1024-bit key. After Gpcode.ak encrypts files on the victim machine, it changes the extension of these files to ._CRYPT and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a decryptor. Is this a look into the future where the majority of malware will function based on extortion?"

But were they smart, or stupid?

Question is, does the encryptor rewrite the data in-place, or just encrypt to a new file then delete the original? If the latter, the data is still recoverable with a simple undelete utility.

Re:But were they smart, or stupid?

Does it matter? I have backups.

And how often do you roll through your backups? Will you notice the encrypted files in time, or will you end up backing up the worthless files instead?

I have plenty of important files which I don't look at very often. It might take months before I realize they are corrupted -- and by that time, I've overwritten the last valid backup with the encrypted stuff.

Re:But were they smart, or stupid?

"And how often do you roll through your backups? "

try 'never i use 1 time recordable optical media'

i realize some people use 'rewritable' media for backups, and have this 'roll over' issue, but the only part of my backup that does rollover is the redundant external HDD for 'critical' data that i don't trust entirely to a DVD media, even is i only buy grade 1 media...

I don't have a small data set either, I have over 1 TB of stuff on optical discs, but surprisingly only about 30 gigs that is important enough to go to a redundant hdd.

Re:But were they smart, or stupid?

Given properly rolling backups, you don't just keep dailies for the past month. You keep dailies for a week, and weeklies for a month, and monthlies for however long you have space for.

And given that most people work in files which are essentially text or the moral equivalent (Word docs, etc), it's likely that you do, in fact, have enough space for a very, very large number of backups.

Re:But were they smart, or stupid?

how are the criminals supposed to get their money?

Fear, and adware. For example, if this virus becomes really widespread, the malware author could create a rouge anti-virus program that promises to get rid of it, and might even get rid of it, the downside is, it infects the host machine with adware giving the author $$$. Otherwise he can simply modify the script to not only encrypt it but add some adware into there. If you have root, there isn't much you can't do.

Re:But were they smart, or stupid?

if this virus becomes really widespread, the malware author could create a rouge anti-virus program

But a crimson anti-virus program can detect a rouge one.

Re:But were they smart, or stupid?

I would happily contact the criminal and send them $1 after working with my bank and law enforcement to set up an account trace to see where the money goes and who ends up with it.

Re:But were they smart, or stupid?

Or get GNU/Linux.

He did say "good corporate citizen", so if you are not paying for it, you obviously have something to hide and should be reported.

Damn commie scum.

LET'S HOPE SO

Seriously. In order for extortion to work, money has to change hands. Money can be traced, easily (don't believe what they say about Western Union). This is a great way to track down and capture the people who are spreading the virus. And the people whose files are encrypted could as easily have seen those files deleted, or worse. So it's no difference to them, except that they now have a hand in putting a crook behind bars.

The virus tossers are actually making their situation worse by turning to extortion. But they weren't all that bright to start with.

Re:LET'S HOPE SO

What happens when the virus writer is in another country? What if that country doesn't care?

Is this the future?

Is this a look into the future where the majority of malware will function based on extortion?

I don't know! Stop asking me those questions all the time. Is it obligatory to end every blurb with a question, or what?

They think they're pretty clever.

The fundamental problems with hairbrained schemes like these is that the money has to change hands somehow, and there's a fundamental trust issue. First, if money gets transferred to you then you are susceptible to being caught.

The trust issue is that there is fundamentally no reason for the person receiving the money to follow through and send you the private keys to decrypt the data. If it was a known person, they'd be arrested, and since they're unknown there is no "reputational" factor that would make people more likely to pay based on the experience of others.

Just another moron criminal scheme from some douchebag who thinks he's found a get rich scheme. Just like other "genius" criminals, the fact is that the professionals in the field are smarter than the criminals.

This has been done before

This same thing happened in the late 80's (or maybe early 90's). Some hackers mailed a 5.25 inch floppy with some "free" software on it to thousands of people around the world. When you installed the software, it would hijack your PC and encrypt various files and you had to pay a ransom to get it back. There was a EULA and everything with the disk (which of course nobody read) which made it clear what would happen if you installed the disk. Perhaps someone can remember what it was called.

Re:This has been done before

Ok, I googled it:

The Aids information disk:

http://www.jahewi.nl/malware/ransomware/ransomware.html [jahewi.nl]

Re:This has been done before

MS-DOS 6.22

Re:This has been done before

This was done recently, perhaps two or three years ago. I believe it encrypted everything in My Documents and asked for payment to unencrypt it. Turns out they used the same key every time. Article from 2006 here.

http://news.bbc.co.uk/2/hi/technology/5038330.stm [bbc.co.uk]

The magic key is:

mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw

Re:This has been done before

Do people still keep stuff in "My documents?". Ya'd think that after all of the very public worms, viruses, malware, and phoning-home that people would learn to make their own "My Stuff" folder(if not regularly back up and/or encrypt their important data).

Re:This has been done before

Perhaps someone can remember what it was called.

America On Line?

All your dataz

Joe User: Someone set us up the encryption. We get no data. Readme file turn on.
Jack Hacker: How are you gentlemen? All your data are belong to us.

Gonna be ok

I'm not going to worry about this.
I'm sure the fine folks of our Government are watching everything that happens on my computer & will promptly decrypt my files for me using their built-in back doors.

I got infected by this virus

My computer was infected by this virus... luckily all my files were already encrypted so all it did was make plain-text versions of everything and leave me a file asking for a donation

Yeah, sure, *that'll* work..

*ransom note received composed of random letters clipped from newspaper*

"We have encrypted your illegally copied music files. Put $5000 in unmarked bills in a plain brown paper sack and mail it to: RIAA Washington, D.C. no later than midnight tonight or you'll never listen to your music again"

..but seriously, folks, this starts to sound like some sort of wierd 419 scam. They're not going to decypt your files even if you pay them, and I'll bet you a whole DOLLAR that if you're stupid enough to contact them, they accept only CREDIT CARDS as payment. Chances are that the data isn't even really encrypted, it's just plain overwritten and GONE, copied over with gobbledegook random data, and you'll just get your identity stolen on top of never getting your files back. On the other hand they think they're being really clever, I'm sure, and the ones that think they're clever are usually the ones that get caught quickly and go to jail for a long, long time.

data ransom != blackmail

This is data ransom, not blackmail.

Re:Anti-Malware Response

Uh, if 1024-bit RSA was broken, the world of encryption security would collapse (at least for the short term). Could it happen? Sure, it's possible. Will it happen in time to save your pr0n collection? Highly unlikely.

For one thing, compromise of RSA encryption would render SSL useless.

Re:Anti-Malware Response

The last version was eventually "cracked", because the virus used the same key for all the encrypted files so once someone paid up they could distribute the key.