Tip

Ransomware: How to deal with advanced encryption algorithms

Listen to this tip

Download Mike Chapple's ransomware tip to your PC or favorite MP3 player.

It's 6 p.m. on a Friday,

    Requires Free Membership to View

and you're getting ready to pack up for the weekend when your telephone rings. It's the CEO of your company; he's returning from a business trip, and he's unable to access his notes from the board meeting he just attended.

He reports a strange message on his computer screen and would like you to come take a look. You hope there's a simple fix, and haven't quite abandoned hopes of dinner and a movie, but those hopeful thoughts are replaced with a sickening feeling in the pit of your stomach when you read the words on his laptop screen:

"Your files are encrypted with RSA-1024 algorithm. [sic] To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at..."

It looks like your company is the victim of ransomware -- the malware threat du jour. Ransomware, also known as cryptoviruses, infects a computer through any normal malware infection vector and then delivers a nasty surprise as its payload: it encrypts many or all user files on the system using an encryption key known only to the virus writer. It then displays a friendly message, similar to the one above, demanding that the victim pays a ransom to the malware author in order to obtain the decryption key and rescue his or her files from the grips of the cryptovirus.

Ransomware is nothing new. In fact, a 12-year-old paper entitled Cryptovirology: Extortion-Based Security Threats and Countermeasures, written by security experts at Columbia University and IBM, clearly outlined the concept in 1996.

For more information:

Learn reverse engineering techniques with RE:Trace

Malware trends: Read more about what to expect.

However, there is a new wrinkle in the news this month. Up until today, most cryptoviruses used weak and/or flawed encryption algorithms that were eventually cracked by antivirus researchers. They were also quite rare. In fact, just about a year ago, Ed Skoudis wrote in a SearchSecurity.com Q&A that "While these ransomware attacks do occur, they are not terribly common today." Yet that changed a few weeks ago with the detection of the first apparently unbreakable cryptovirus in the wild. The latest version of the ransomware Trojan horse known as Gpcode appears to use strong 1024-bit RSA cryptography, and, at the time of this writing, researchers have yet to identify any flaws in the encryption algorithm that provide a reverse engineering foothold.

So, what should you do when you get that dreaded phone call from your CEO? Here are a few helpful tips:

  • Restore from backup. The simplest way to resolve the problem is to restore your system from a recent backup, provided that one exists and is recent enough so that valuable data won't be lost. Keep in mind that this approach likely means restoring the original problem that allowed the cryptovirus infection in the first place. So be sure to patch the system, lock down the firewall and install current antivirus software before returning it to service.
  • Image the drive. If backup restoration isn't an option, treat a ransomware event like a forensic investigation and create a bit-by-bit replica of the hard drive. Aim to preserve the original condition of the disk as much as possible.

The next three approaches that I propose may solve the problem, but they also involve a degree of risk and should only be attempted on a backup copy of the affected hard drive.

Whether ransomware affects your organization directly or not, use the painful experiences of your peers to learn a lesson: install current antivirus software on all enterprise systems (especially the CEO's laptop!). Make sure to also run regular backups and check firewall configurations. When it comes to a rapidly evolving scourge like ransomware, an ounce of prevention is indeed worth a pound of cure.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.


 

This was first published in July 2008

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.