Crypto-Ransomware Encrypts Files "Offline"
An anonymous reader writes: Ransomware comes in various forms, and not all ransomware encrypts files — some just block computers until the ransom is paid. When the file encryption feature is included, the encryption key is usually sent to the malware's C&C server, which is controlled by the crooks — but not always. Researchers have recently analyzed a crypto-ransomware sample that demonstrated an alternative method of encrypting files and delivering the key (i.e., the information required to discover the right key) to the criminal behind the scheme — it doesn't need to contact a C&C to receive an encryption key or to send it to the crook.
Stupid summary (Score:5, Insightful)
So instead of the malware actively sending the key, the victim has to send one of the encrypted files instead, big whoop. The method is the same, encrypt your files and put the key in a message encrypted for the malware author. Who does the sending is a technicality.
Re: (Score:2)
Difference is that this means you can't block it by filtering your internet connection.
So what's the failure mode here... the malware has the public key embedded, it encrypts your files with a random key, puts the key in an encrypted message (for which you don't have the private key), tries to send it and.... no. Does it say "Sorry for the inconvenience, I'll just decrypt your files and move along"? My money would be on no.
Re: (Score:2)
If you don't have good backups the nature of the malware is that it writes out an encrypted copy of a file, deletes the original, and then goes on to the next one. In a lot of circumstances a file undelete program such as "photorec" can get the original files back, but it can be time consuming since the names of the files are lost.
Re: (Score:2)
Any reasonable implementation would overwrite the victim file's blocks with the encrypted ones in-place. Most filesystems can't do anything to undelete that. A copy-on-write system like ZFS would technically still have the blocks, but good luck reconstructing the metadata if you don't have a snapshot pinned to them. SSD wear leveling might also preserve the original blocks, but again good luck getting to them in the right order.
Re: (Score:1)
That's quite a change! Prior malware had hard-coded C&C servers, which were susceptible to hacking or white-knight control. This system allows these extortionists to change the address on the fly.
Transmission of the Key (Score:5, Informative)
So, to save others having to click the link, the method of the key transmission is like this:
The first part of every file contains the key encrypted with the ransomer's private key; the victim needs to send at least one file to the ransomer, who then uses it to extract the key and send it to the victim.
The ransomware also has some odd features, from TFA:
Once downloaded and run on the machine, the ransomware encrypts all personal files and renames them. The new names follow the following format: email-[address to contact].ver-[Ransomware internal version].id-[Machine identifier]-[Date & Time][Random digits].randomname-[Random name given to the encrypted file].cbf (example: email-Seven_Legion2@aol.com.ver-CL 1.0.0.0.id-NPEULAODSHUJYMAPESHVKYNBQETHWKZOBQFT-10@6@2015 9@53@19AM5109895.randomname-EFWMERGVKYNBPETHVKZNBQETHWKZNB.RGV.cbf).
The researcher also recommends paying up, as there does not appear to be any way around this one.
Re: (Score:2, Insightful)
The correct reaction however is to treat it like you accidentally wiped the disk: Restore from backup or, if you don't have a backup, learn your lesson and start making backups. Giving in to extortion just breeds more extortion.
Re: (Score:1)
As of now, this works, but malware is arguably the most well-written software in existence these days, and I wouldn't be surprised if the next generation of software would have a random delay, not just to hide when the machine got infected, but to foul up backups. Of course, too much of a delay, and that adds time that the software can be detected.
I wouldn't be surprised to see the next iteration of ransomware install a shim driver, then sit in the background encrypting files as this software does, but eit
Re: (Score:2)
It would be nice if the so called "security researches" and all the high dollar security firms could actually prevent an attack every now and then. As it is the best these experts seem to be able to do is conduct postmortems after the damage is already done. It's plain to see that the real "security experts" are those creating malware and the ones trying to prevent malware and other security weak spots are 2 steps behind.
Re: (Score:2)
"Ditch windows"
A "properly administered" Windows OS is no more secure or non-secure than any of the other popular OS's being used today. Windows just presents a bigger footprint. Windows' biggest weaknesses can be attributed to inept system administration, sloppy security patch procedures, bad user account setup, social engineering, and poor firewall administration. These same weaknesses also apply to all of the other OS's being used today. And unfortunately ditching Windows would also mean ditching all the prog
Re: (Score:1)
The researcher also recommends paying up, as there does not appear to be any way around this one.
Apart from creating backups that is
Dang... (Score:2)
Re: (Score:2)
Russia has no desire to prevent crime like this, they don't give a damn about anyone but themselves.
Re: (Score:1)
Crypto-Ransomware runs on the machine .. (Score:2)
How does this 'Ransomware' get downloaded and run on the machine?
Re: (Score:2)
Just like the vast majority of malware gets downloaded and run - phishing and drive-by downloads.
The most recent ones I've seen were from the Australian Federal Police warning you about a traffic infringement - please open the attachment to see the photo.
Re: (Score:2)
Easy. From most likely to least, here are a few ways
1) User visits web page, web page says it needs to install a plugin to work, click here for the link. (Variants include downloading a movie that shows "Codec not installed. Visit http://evil-site.example.com/c... [example.com] to download required software", email that says "Your invoice is enclosed - refund and cancellation instructions contained within" (interestingly - all those emails for fake invoices a
Re: (Score:2)
Ridiculous in 2015, stupid in 2005, not all that clever in 1995 so it seems we have to put up with this shit forever no matter how many times developers are warned not to do stupid shit in networked software.
Minor technicality... (Score:2)
With ransomware, like Cryptolocker, it doesn't generate the key and then send it to the C&C servers - the machine doing the encrypting (i.e. what was your machine before it got owned) never has the private key in its possession. When it's ready to start encrypting, it contacts the C&C server. The C&C server generates a new private/public keypair and sends the public key to the owned machine. The owned machine then starts encrypting everything with the public key, and only the private key (that
Re: (Score:2)
In this case they're trying to do it in such a way that requires no contact with C&C. I.e. the target downloads and installs "cool free app that you must try now" from a site not owned by the C&C owner. But because lots of firms are routinely shutting down C&C botnets, we just skip the C&C process, and from what I gather they do something like this:
- Include hardcoded public key with trojan package
- Generate 256-bit key
- Encrypt file with said key
- Encrypt symmetric key with asymmetric publi
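The key-wrapping scheme this comment lists, written out in Go as an added example (it is not code from the story, from this comment, or from the analyzed sample). It shows why the "Transmission of the Key" post above holds: the wrapped key travels inside the file header, so no network contact is needed, a responder can parse the header from any single file, and only the holder of the matching private key can unwrap it. The file layout (2-byte length, RSA-OAEP-wrapped key, 12-byte nonce, AES-256-GCM ciphertext), the choice of OAEP and GCM, and the function names are my assumptions; the page only says a 256-bit key is generated, the file is encrypted with it, and the key is encrypted with an embedded public key. The demo operates on an in-memory byte slice, not on files.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed layout of one sealed blob (not from the page):
//   [2 bytes: wrapped-key length][RSA-OAEP wrapped key][12-byte nonce][AES-256-GCM ciphertext]
const nonceSize = 12

// sealBlob performs the steps the comment lists: fresh 256-bit key, encrypt the data with it,
// wrap the key under the embedded public key. Only the public key is needed for this step.
func sealBlob(pub *rsa.PublicKey, data []byte) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 2, 2+len(wrapped)+nonceSize+len(data)+gcm.Overhead())
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, data, nil), nil
}

// splitBlob parses the header. Anyone holding the file (victim or analyst) can do this;
// it yields the wrapped key and the ciphertext, but not the key itself.
func splitBlob(blob []byte) (wrapped, nonce, ct []byte, err error) {
	if len(blob) < 2 {
		return nil, nil, nil, errors.New("blob too short for length prefix")
	}
	n := int(binary.BigEndian.Uint16(blob))
	if len(blob) < 2+n+nonceSize {
		return nil, nil, nil, errors.New("blob truncated before nonce")
	}
	return blob[2 : 2+n], blob[2+n : 2+n+nonceSize], blob[2+n+nonceSize:], nil
}

// recoverKey is the one step only the private-key holder can perform; with any other
// private key the OAEP padding check fails and an error is returned.
func recoverKey(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	wrapped, _, _, err := splitBlob(blob)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// openBlob decrypts the payload once the file key is known.
func openBlob(key, blob []byte) ([]byte, error) {
	_, nonce, ct, err := splitBlob(blob)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed for the demo: in the scheme described, only the public key ships with the sample.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	blob, _ := sealBlob(&priv.PublicKey, []byte("constructed document contents"))
	key, _ := recoverKey(priv, blob)
	plain, _ := openBlob(key, blob)
	fmt.Printf("header carries %d wrapped-key bytes; recovered: %s\n", len(blob)-len(plain)-2-nonceSize-16, plain)
}
```

The practical point for responders is in splitBlob versus recoverKey: a captured sample or file gives you the public key and the wrapped blob, which is enough to fingerprint the campaign and to confirm that filtering the network would not have changed anything, but not enough to get the file key back. That is why the only recoveries are backups or a leaked private key.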
Pardon my asking (Score:2)
What's a C & C server? I think I missed the memo...(Command and Conquer? shows you how much I think I know)
Re: (Score:2)
A cocktail waitress.
Re: (Score:2)
If you are not, then perhaps you should not be reading
We could use a detection app (Score:2)
A program that constantly monitors my documents, and warns when a document is encrypted. That would give me time to stop the next backup from happening (so I can prevent the malware from accessing the backup medium), and to nuke the malware before it can do more damage.
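One way to build the monitor this comment asks for, as an added example in Go that is not from the comment author or from any product. It combines two checks that the thread itself supplies: the rename format quoted in the "Transmission of the Key" post (parsed into its fields so an alert can carry the contact address, version and machine id), and the entropy jump that happens when a rewrite turns a readable document into ciphertext-like bytes. The entropy thresholds, the function names and the sample inputs are my assumptions and constructions; compressed archives and already-encrypted files will trip the entropy check and need an allow-list in practice.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
)

// cbfName matches the rename format quoted in the thread:
//   email-<contact>.ver-<version>.id-<machine id>-<date/time + digits>.randomname-<name>.cbf
var cbfName = regexp.MustCompile(`^email-(.+?)\.ver-(.+?)\.id-([A-Z]+)-(.+?)\.randomname-(.+?)\.cbf$`)

// CBFFields is what the detector extracts from a matching name for the alert.
type CBFFields struct {
	Contact, Version, MachineID, Stamp, RandomName string
}

// parseCBFName reports whether name follows the ransomware's rename format.
func parseCBFName(name string) (CBFFields, bool) {
	m := cbfName.FindStringSubmatch(name)
	if m == nil {
		return CBFFields{}, false
	}
	return CBFFields{Contact: m[1], Version: m[2], MachineID: m[3], Stamp: m[4], RandomName: m[5]}, true
}

// shannonEntropy returns bits per byte in the range 0..8. Plain documents sit well
// below 7; ciphertext (and compressed data, the main false positive) sits near 8.
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n := float64(len(b))
	var h float64
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Assumed thresholds (not measured on the page's sample): below lowEntropy a file still
// reads as a document, above highEntropy it looks encrypted or compressed.
const (
	lowEntropy  = 6.0
	highEntropy = 7.5
)

// classifyWrite decides whether a file rewrite should raise an alert. oldContent is the
// file as last seen (cache or backup copy); newContent is what was just written under newName.
func classifyWrite(newName string, oldContent, newContent []byte) string {
	if f, ok := parseCBFName(newName); ok {
		return fmt.Sprintf("alert: name matches ransomware rename format (contact=%s version=%s id=%s)", f.Contact, f.Version, f.MachineID)
	}
	oldH, newH := shannonEntropy(oldContent), shannonEntropy(newContent)
	if oldH < lowEntropy && newH > highEntropy {
		return fmt.Sprintf("alert: entropy jumped %.2f -> %.2f (document became ciphertext-like)", oldH, newH)
	}
	return "ok"
}

func main() {
	// Constructed samples: a short memo, and a stand-in for its encrypted rewrite in which
	// every byte value occurs once (maximal entropy, like real ciphertext).
	memo := []byte("Quarterly report. Revenue was flat; headcount unchanged. See attached figures.\n")
	garbled := make([]byte, 256)
	for i := range garbled {
		garbled[i] = byte(i)
	}
	renamed := "email-Seven_Legion2@aol.com.ver-CL 1.0.0.0.id-NPEULAODSHUJYMAPESHVKYNBQETHWKZOBQFT-10@6@2015 9@53@19AM5109895.randomname-EFWMERGVKYNBPETHVKZNBQETHWKZNB.RGV.cbf"
	fmt.Println(classifyWrite("report.txt", memo, garbled))
	fmt.Println(classifyWrite(renamed, nil, garbled))
	fmt.Println(classifyWrite("report.txt", memo, memo))
}
```

Hooking classifyWrite to a filesystem watcher and pausing the backup job on the first alert gives exactly the window the comment wants: the backup medium stays untouched until someone has looked at the alert. Keep the entropy check as a second signal rather than the only one, since the rename pattern is specific to this family while entropy catches the next family that uses a different name.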