
Crypto-Ransomware Encrypts Files "Offline"

An anonymous reader writes: Ransomware comes in various forms, and not all ransomware encrypts files — some just block computers until the ransom is paid. When the file encryption feature is included, the encryption key is usually sent to the malware's C&C server, which is controlled by the crooks — but not always. Researchers have recently analyzed a crypto-ransomware sample that demonstrated an alternative method of encrypting files and delivering the key (i.e., the information required to discover the right key) to the criminal behind the scheme — it doesn't need to contact a C&C to receive an encryption key or to send it to the crook.
  • Stupid summary (Score:5, Insightful)

    by Kjella ( 173770 ) on Thursday November 05, 2015 @05:26PM (#50873239) Homepage

    So instead of the malware actively sending the key, the victim has to send one of the encrypted files instead, big whoop. The method is the same, encrypt your files and put the key in a message encrypted for the malware author. Who does the sending is a technicality.

    • by dbIII ( 701233 )
      The technicality is that you are trusting someone who has carried out a criminal act on you already.

      If you don't have good backups the nature of the malware is that it writes out an encrypted copy of a file, deletes the original, and then goes on to the next one. In a lot of circumstances a file undelete program such as "photorec" can get the original files back, but it can be time consuming since the names of the files are lost.
      • by Aaden42 ( 198257 )

        Any reasonable implementation would overwrite the victim file's blocks with the encrypted ones in-place. Most filesystems can't do anything to undelete that. A copy-on-write system like ZFS would technically still have the blocks, but good luck reconstructing the metadata if you don't have a snapshot pinned to them. SSD wear leveling might also preserve the original blocks, but again good luck getting to them in the right order.

    • That's quite a change! Prior malware had hard-coded C&C servers, which were susceptible to hacking or white-knight control. This system allows these extortionists to change the address on the fly.

  • by Coren22 ( 1625475 ) on Thursday November 05, 2015 @05:28PM (#50873247) Journal

    So, to save others having to click the link, the method of the key transmission is like this:

    The first part of every file contains the key encrypted with the ransomer's private key; the victim needs to send at least one file to the ransomer, who then uses it to extract the key and send it to the victim.

    The ransomware also has some odd features, from TFA:

    Once downloaded and run on the machine, the ransomware encrypts all personal files and renames them. The new names follow the following format: email-[address to contact].ver-[Ransomware internal version].id-[Machine identifier]-[Date & Time][Random digits].randomname-[Random name given to the encrypted file].cbf (example: 9@53@19AM5109895.randomname-EFWMERGVKYNBPETHVKZNBQETHWKZNB.RGV.cbf).

    The researcher also recommends paying up, as there does not appear to be any way around this one.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      The correct reaction however is to treat it like you accidentally wiped the disk: Restore from backup or, if you don't have a backup, learn your lesson and start making backups. Giving in to extortion just breeds more extortion.

      • by Anonymous Coward

        As of now, this works, and malware is arguably the most well-written software in existence these days, but I wouldn't be surprised if the next generation of software would have a random delay, not just to hide when the machine got infected, but to foul up backups. Of course, too much of a delay, and that adds time in which the software can be detected.

        I wouldn't be surprised to see the next iteration of ransomware install a shim driver, then sit in the background encrypting files as this software does, but eit

    • It would be nice if the so-called "security researchers" and all the high-dollar security firms could actually prevent an attack every now and then. As it is, the best these experts seem to be able to do is conduct postmortems after the damage is already done. It's plain to see that the real "security experts" are those creating malware, and the ones trying to prevent malware and other security weak spots are 2 steps behind.

    • by Anonymous Coward

      The researcher also recommends paying up, as there does not appear to be any way around this one.

      Apart from creating backups, that is.

  • So they were able to contact the author of the malware, but are unable to find him and bring him to justice?
    • Russia has no desire to prevent crime like this; they don't give a damn about anyone but themselves.

      • Well played. I figured that because this guy is targeting other Russians, sooner or later he'll hit the "wrong" machine and get sent to Siberia.
  • "Once downloaded and run on the machine"

    How does this 'Ransomware' get downloaded and run on the machine?
    • Just like the vast majority of malware gets downloaded and run - phishing and drive-by downloads.

      The most recent ones I've seen were from the Australian Federal Police warning you about a traffic infringement - please open the attachment to see the photo.

    • by tlhIngan ( 30335 )

      How does this 'Ransomware' get downloaded and run on the machine?

      Easy. From most likely to least, here are a few ways:

      1) User visits web page, web page says it needs to install a plugin to work, click here for the link. (Variants include downloading a movie that shows "Codec not installed. Visit [] to download required software", email that says "Your invoice is enclosed - refund and cancellation instructions contained within" (interestingly - all those emails for fake invoices a

    • by dbIII ( 701233 )
      The copy of Internet Explorer on many machines sucks so badly that it helpfully runs code on webpages that tell it to install and run the malware. All the user has to do is click on a link in an email in MS Outlook or on a webpage in IE to start off the process.
      Ridiculous in 2015, stupid in 2005, not all that clever in 1995 so it seems we have to put up with this shit forever no matter how many times developers are warned not to do stupid shit in networked software.
  • With ransomware like Cryptolocker, it doesn't generate the key and then send it to the C&C servers - the machine doing the encrypting (i.e. what was your machine before it got owned) never has the private key in its possession. When it's ready to start encrypting, it contacts the C&C server. The C&C server generates a new private/public keypair and sends the public key to the owned machine. The owned machine then starts encrypting everything with the public key, and only the private key (that

    • In this case they're trying to do it in such a way that requires no contact with C&C. I.e. the target downloads and installs "cool free app that you must try now" from a site not owned by the C&C owner. But because lots of firms are routinely shutting down C&C botnets, we just skip the C&C process, and from what I gather they do something like this:

      - Include hardcoded public key with trojan package
      - Generate 256-bit key
      - Encrypt file with said key
      - Encrypt symmetric key with asymmetric publi

  • What's a C & C server? I think I missed the memo...(Command and Conquer? shows you how much I think I know)

    • What's a C & C server?

      A cocktail waitress.

    • Clearly you are trolling; a simple google of "C & C server" tells you exactly what it is in the first link.
      If you are not, then perhaps you should not be reading /. posts if you can't figure out how to google.
  • A program that constantly monitors my documents, and warns when a document is encrypted. That would give me time to stop the next backup from happening (so I can prevent the malware from accessing the backup medium), and to nuke the malware before it can do more damage.
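The monitoring idea in the last comment, as an added example that is not from the thread or the article: a small Python heuristic that flags a file either because its name matches the `randomname-....cbf` pattern quoted from TFA above, or because its byte entropy is near random, which a plain document rarely is. The entropy threshold is an assumed value, and the sample files are constructed here, not real samples.

```python
import math
import random
import re
from collections import Counter

# Filename pattern from the article excerpt: "...randomname-<NAME>.cbf".
CBF_NAME = re.compile(r"randomname-[A-Z0-9.]+\.cbf$", re.IGNORECASE)
# Assumed threshold in bits per byte; plain text sits around 4-5, ciphertext near 8.
ENTROPY_THRESHOLD = 7.5
REASON_NAME = "name matches the .cbf ransomware pattern"
REASON_ENTROPY = "byte entropy near random (encrypted or compressed content)"


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> list:
    """Return the reasons a file looks like ransomware output; empty list if none."""
    reasons = []
    if CBF_NAME.search(name):
        reasons.append(REASON_NAME)
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        reasons.append(REASON_ENTROPY)
    return reasons


# Constructed samples: a text document and a deterministic stand-in for ciphertext.
PLAIN_DOC = b"Quarterly report: revenue up 4% on flat costs. " * 40
_rng = random.Random(1)
CIPHER_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
# Example name quoted in the article excerpt above.
CBF_SAMPLE_NAME = "9@53@19AM5109895.randomname-EFWMERGVKYNBPETHVKZNBQETHWKZNB.RGV.cbf"


def scan(files: dict) -> dict:
    """Map each flagged filename to its reasons; files is {name: bytes}."""
    hits = {name: classify(name, blob) for name, blob in files.items()}
    return {name: why for name, why in hits.items() if why}


if __name__ == "__main__":
    sample = {"report.txt": PLAIN_DOC, CBF_SAMPLE_NAME: CIPHER_BLOB, "photo.jpg": CIPHER_BLOB}
    for name, why in scan(sample).items():
        print(f"{name}: {'; '.join(why)}")
```

Compressed formats (zip, docx, jpeg) also score close to 8 bits per byte, so the entropy signal alone produces false positives; in practice it is paired with the name pattern, a per-file-type baseline, or a sudden rise in the rate of rewritten files.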
