Ransomware attacks have been around for seemingly as long as the field of information security itself, but for...
the most part, they've been labeled as a nuisance more so than as a true threat. A recent ransomware iteration called CryptoLocker may be changing that perception one infection at a time.
Ransomware encrypts data on a victim's machine and then demands a ransom be paid for access to the decryption key. In many cases, authors of ransomware will pose as federal authorities or law enforcement officials and will accuse victims of violating laws in the hopes that such actions will make them more likely to pay.
CryptoLocker falls firmly into this category, though without the façade of legal authority. According to an alert issued this month by US-CERT, it infiltrates victims' machines via malicious emails. Once a machine is infected, CryptoLocker searches for files to encrypt in a number of locations -- including external hard drives, USB sticks and even shared network drives -- and sends the private encryption key back to the attackers' command-and-control server.
When originally uncovered in September, the CryptoLocker authors required payments be made within three days and only via the Bitcoin digital currency. They have since made adjustments to their demands, seemingly in an attempt to maximize their profit, including opening up payment options to include MoneyPak and making the pay-by date more flexible, though with escalating costs. Reportedly, the rising value of Bitcoins also forced a readjustment in prices. Without payment, though, the figures behind CryptoLocker threaten to delete the decryption key, leaving victims' data locked forever.
Dan Hubbard, chief technology officer of San Francisco-based OpenDNS, recently noted that there are several noteworthy aspects to CryptoLocker.
Hubbard noted that it was fairly trivial to decrypt ransomware in the past -- if encryption was even actually used. Security researchers would often reverse-engineer the code and provide decryption algorithms to customers. In contrast, Hubbard said, CryptoLocker's encryption capabilities are "pretty sophisticated."
In fact, CryptoLocker's authors properly utilized commercial-grade 2048-bit RSA encryption.
"In the past, we've kind of seen ransomware in one-offs that haven't been very good. Sometimes it doesn't work, or sometimes it crashes," Hubbard said. "This one actually seems to be fairly foolproof in the way it works, and once you're infected, there's kind of no way to decrypt the data without the private keys because of the type of encryption they use."
In addition to the choice of encryption algorithms, CryptoLocker's use of domain generation algorithm also poses unique challenges to defenders trying to take down its networks, according to Hubbard. He claimed that CryptoLocker has around a thousand domains coming online every day that serve the encryption keys. Enterprises in particular should be concerned over the constantly changing domains, he noted, because this nullifies the effectiveness of reputation-based security systems.
Hubbard also said CryptoLocker's binaries are changing frequently, leaving signature-based antivirus "continually behind." Whitelisting may be a little more effective, but such technologies aren't as widespread, he said.
To spread its reach, CryptoLocker is also taking the unique approach of utilizing other bot networks such as Zeus, Hubbard said. This means machines already infected via another attack campaign can then download and run the CryptoLocker encryption code.
"So they don't necessarily have to go out and re-infect computers that are already out there," he said.
As for fending off CryptoLocker, Hubbard noted that there are some policy elements that can be put into place. For example, another layer of authentication can be added to sensitive files, or files can be encrypted and password-protected so CryptoLocker's algorithms can't access them.
Ultimately though, Craig Williams, a researcher with Cisco's Threat Research, Analysis and Communications team, said the most effective way to defeat such ransomware is simply to store backups regularly. Williams also noted that keeping backups is the most responsible way to ensure ransomware doesn't become more of an issue in the future, as the more ransoms that are paid to criminals will only fuel the trend.
Hubbard is concerned CryptoLocker's success will have just such an effect.
"The other ransomware in the past hasn't been all that successful," Hubbard said, "but based off the success of [CryptoLocker], it's highly likely I think we'll start seeing this increasing just like we had that wave of kind of rogue antivirus a few years back."