Ransomware: How to deal with advanced encryption algorithms

It's late in the day, and your CEO reports a strange message on his computer screen: his files have been encrypted, and a payment is required to return all of his data. What do you do? Don't give in to the cyberterrorists just yet. Mike Chapple explains five ways that you can fight ransomware and recover your files.

It's 6 p.m. on a Friday, and you're getting ready to pack up for the weekend when your telephone rings. It's the...

CEO of your company; he's returning from a business trip, and he's unable to access his notes from the board meeting he just attended.

He reports a strange message on his computer screen and would like you to come take a look. You hope there's a simple fix, and haven't quite abandoned hopes of dinner and a movie, but those hopeful thoughts are replaced with a sickening feeling in the pit of your stomach when you read the words on his laptop screen:

Listen to this tip

Download Mike Chapple's ransomware tip to your PC or favorite MP3 player.

"Your files are encrypted with RSA-1024 algorithm. [sic] To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at..."

It looks like your company is the victim of ransomware -- the malware threat du jour. Ransomware, also known as cryptoviruses, infects a computer through any normal malware infection vector and then delivers a nasty surprise as its payload: it encrypts many or all user files on the system using an encryption key known only to the virus writer. It then displays a friendly message, similar to the one above, demanding that the victim pays a ransom to the malware author in order to obtain the decryption key and rescue his or her files from the grips of the cryptovirus.

Ransomware is nothing new. In fact, a 12-year-old paper entitled Cryptovirology: Extortion-Based Security Threats and Countermeasures, written by security experts at Columbia University and IBM, clearly outlined the concept in 1996.

However, there is a new wrinkle in the news this month. Up until today, most cryptoviruses used weak and/or flawed encryption algorithms that were eventually cracked by antivirus researchers. They were also quite rare. In fact, just about a year ago, Ed Skoudis wrote in a SearchSecurity.com Q&A that "While these ransomware attacks do occur, they are not terribly common today." Yet that changed a few weeks ago with the detection of the first apparently unbreakable cryptovirus in the wild. The latest version of the ransomware Trojan horse known as Gpcode appears to use strong 1024-bit RSA cryptography, and, at the time of this writing, researchers have yet to identify any flaws in the encryption algorithm that provide a reverse engineering foothold.

So, what should you do when you get that dreaded phone call from your CEO? Here are a few helpful tips:

  • Restore from backup. The simplest way to resolve the problem is to restore your system from a recent backup, provided that one exists and is recent enough so that valuable data won't be lost. Keep in mind that this approach likely means restoring the original problem that allowed the cryptovirus infection in the first place. So be sure to patch the system, lock down the firewall and install current antivirus software before returning it to service.
  • Image the drive. If backup restoration isn't an option, treat a ransomware event like a forensic investigation and create a bit-by-bit replica of the hard drive. Aim to preserve the original condition of the disk as much as possible.

The next three approaches that I propose may solve the problem, but they also involve a degree of risk and should only be attempted on a backup copy of the affected hard drive.

Whether ransomware affects your organization directly or not, use the painful experiences of your peers to learn a lesson: install current antivirus software on all enterprise systems (especially the CEO's laptop!). Make sure to also run regular backups and check firewall configurations. When it comes to a rapidly evolving scourge like ransomware, an ounce of prevention is indeed worth a pound of cure.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.

Next Steps

Learn reverse engineering techniques with RE:Trace

Malware trends: Read more about what to expect

This was last published in July 2008

Dig Deeper on Emerging cyberattacks and threats