It's 6 p.m. on a Friday, and you're getting ready to pack up for the weekend when your telephone rings. It's the CEO of your company; he's returning from a business trip, and he's unable to access his notes from the board meeting he just attended.
He reports a strange message on his computer screen and would like you to come take a look. You hope there's a simple fix, and haven't quite abandoned hopes of dinner and a movie, but those hopeful thoughts are replaced with a sickening feeling in the pit of your stomach when you read the words on his laptop screen:
"Your files are encrypted with RSA-1024 algorithm. [sic] To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at..."
It looks like your company is the victim of ransomware -- the malware threat du jour. Ransomware, also known as cryptoviruses, infects a computer through any normal malware infection vector and then delivers a nasty surprise as its payload: it encrypts many or all user files on the system using an encryption key known only to the virus writer. It then displays a friendly message, similar to the one above, demanding that the victim pays a ransom to the malware author in order to obtain the decryption key and rescue his or her files from the grips of the cryptovirus.
Ransomware is nothing new. In fact, a 12-year-old paper entitled Cryptovirology: Extortion-Based Security Threats and Countermeasures, written by security experts at Columbia University and IBM, clearly outlined the concept in 1996.
However, there is a new wrinkle in the news this month. Up until today, most cryptoviruses used weak and/or flawed encryption algorithms that were eventually cracked by antivirus researchers. They were also quite rare. In fact, just about a year ago, Ed Skoudis wrote in a SearchSecurity.com Q&A that "While these ransomware attacks do occur, they are not terribly common today." Yet that changed a few weeks ago with the detection of the first apparently unbreakable cryptovirus in the wild. The latest version of the ransomware Trojan horse known as Gpcode appears to use strong 1024-bit RSA cryptography, and, at the time of this writing, researchers have yet to identify any flaws in the encryption algorithm that provide a reverse engineering foothold.
So, what should you do when you get that dreaded phone call from your CEO? Here are a few helpful tips:
- Restore from backup. The simplest way to resolve the problem is to restore your system from a recent backup, provided that one exists and is recent enough so that valuable data won't be lost. Keep in mind that this approach likely means restoring the original problem that allowed the cryptovirus infection in the first place. So be sure to patch the system, lock down the firewall and install current antivirus software before returning it to service.
- Image the drive. If backup restoration isn't an option, treat a ransomware event like a forensic investigation and create a bit-by-bit replica of the hard drive. Aim to preserve the original condition of the disk as much as possible.
The next three approaches that I propose may solve the problem, but they also involve a degree of risk and should only be attempted on a backup copy of the affected hard drive.
- Check the Internet. In many cases, the malware author failed to use strong encryption, and the decryption keys are available on the Internet. A quick search using the text of the ransom message may prove fruitful. For example, the ransomware Trojan.Archiveus demands that victims purchase items from websites in exchange for providing the decryption key. Symantec Corp., however, provides a technical report that includes a detailed description of the package along with the decryption password. Problem solved.
- Try file-recovery software. Cryptoviruses usually work by opening the target file, encrypting it, saving the encrypted version and deleting the original. It may be possible to retrieve the original, deleted file from disk by using file-recovery software. Viruslist.com has a great walkthrough on this process using PhotoRec (an open source data recovery package available for free download).
- To pay or not to pay? Giving in to blackmail via ransomware is a losing game for society. It simply encourages more of the same type of illicit activity and does the entire community a disservice. Resist the urge.
Whether ransomware affects your organization directly or not, use the painful experiences of your peers to learn a lesson: install current antivirus software on all enterprise systems (especially the CEO's laptop!). Make sure to also run regular backups and check firewall configurations. When it comes to a rapidly evolving scourge like ransomware, an ounce of prevention is indeed worth a pound of cure.
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.
This was first published in July 2008