NIST Site Search
Search NIST.GOV
Custom Search
[Official NIST.GOV TIME]
Product Research

Advertise on this site
Ransomware Will Win The War
The well respected Antivirus firm Kaspersky Lab is calling for a massive group effort to break the encryption used by the latest Ransomware. They're asking competitors, governments, and cryptographers to join the effort. But even a massive worldwide computer grid won't win this war.No Longer Supported
The malware being battled is called Gpcode. Gpcode is a Trojan that is sent through email or posted on USENET newsgroups. The infected attachment is a MS Word .DOC file and most users still think DOC files are safe to open. When its run it encrypts the users documents.

"The email had an MS word .doc file called anketa.doc attached. (Anketa is the Russian for application form). This file actually contained a malicious program called Trojan-Dropper.MSWord.Tored.a. When the recipient opens the attachment, a malicious macro installs another Trojan - Trojan-Downloader.Win32.Small.crb - on the victim machine." - Virulist.com


Gpcode searches for over 80 different file types on the computer and encrypts them. Besides the normal document files Gpcode also encrypts the users email database files. The program leaves behind a text file instructing the person how to contact the author to purchase the decoder program. The program also deletes references to its self. Gpcode has gone through several revisions, the encryption keys in previous versions was found relatively quickly because of flaws in how the author implemented the encryption. This latest version, first reported on June 4th, 2008, apparently does not have these flaws and all efforts to date to find other such shortcuts to crack the encryption key have failed.

"Different versions of the Gpcode virus encrypt user files of different types (.doc, .txt, .pdf, .xls, .jpg, .png, .cpp, .h etc.) using a strong RSA encryption algorithm with different key lengths. After encrypting files on a computer, the virus automatically generates a message informing the user that the files have been encrypted and demanding payment for a decryption utility." - Kaspersky Lab


Even if Kaspersky manages to find a weakness in the current encryption implementation and finds the encryption key eventually this author (or someone else) will get it right. To date no one has broken a 1024 bit RSA encryption key (what Gpcode currently uses). They have broken a "special" 307 bit key but not a true "proper" 307 bit RSA key. Even that effort took years to accomplish. The last time they broke a proper 155 bit key it took 9 years and quite a bit of computing power. One of the best known cryptanalyst, Bruce Schneier, says that the writing is on the wall for 1024 bit keys and eventually they will be broke. So even if Kaspersky wins this battle they won't win the war against ransomware.

"I hope RSA applications would have moved away from 1024-bit security years ago, but for those who haven't yet: wake up." - Bruce Schneier


If Kaspersky's group can not find a shortcut it will take a massive amount of computing power to accomplish something no one has done before them. In one respect it will be quite an accomplishment, but in reality it really doesn't help much. By the time they break the encryption key the author will have moved on to another key, perhaps one using a 2048 bit key (which is currently well outside the bounds of being able to be broken in our lifetime). Or perhaps the author will switch to AES encryption which is orders of magnitude stronger than RSA. From the ransomware author's point of view switching to a synchronous AES key does present some practical problems with key distribution but they aren't impossible to overcome.

Though there is currently no way to break the encryption used by the Gpcode Trojan Kaspersky does have instructions for restoring some files encrypted by Gpcode. Gpcode currently encrypts a copy of the file and then deletes the original, therefore it may be possible to undelete the original (unencrypted) file. But don't count on getting much back because deleted files will quickly get overwritten by new encrypted files. Your best defense to any unknown threat is a good backup, then you can simply delete the encrypted files and restore them from backup (after removing the infection). Of course keeping MS Office and your antivirus application up to date can help as well.

There are many experts that believe Kaspersky Lab is wildly optimistic in believing that a 1024 bit key can be broken anytime soon. Let us hope Kaspersky is not successful because whenever you visit a SSL webpage it first connects using a RSA 1024 bit key (in order to securely exchange a synchronous RC4 or AES key to encrypt the data). If RSA encryption can be broken quickly anyone using standard SSL certificates will need to upgrade. Previous data transmitted over SSL that may have been recorded will be at risk of compromise.

References:
Kaspersky Lab - Press Release announcing the launch of the Stop Gpcode international initiative.
Schneier on Security - Bruce Schneier's blog. He's 'The Man' when it comes to encryption.
Crypto boffin: writing is on the wall for 1024-bit RSA - The Register: "The largest proper RSA number yet broken was a 200-digit "non-special" number whose two prime factors were identified in 2005 after 18 months of calculations that used over a half century of computer time. The 1024-bit numbers used in RSA encryption are around 100 orders of magnitude bigger than this. The writing may be on the wall for 1024-bit RSA: but as yet, um, nobody can read it."
Virulist.com "Blackmailer: the story of Gpcode" - "Gpcode then scans all accessible directories and encrypts files with certain extensions such as .txt, .xls, .rar, .doc, .html, .pdf etc. It also encrypts mail client databases."
Ransomware resisting crypto cracking efforts - SecurityFocus: "While previous versions have had flawed encryption implementations, the latest version -- Gpcode.ak -- appears to have eliminated the flaws that allowed reverse engineers to find earlier keys."
Kaspersky to try to crack code used in 'blackmailer' virus - CNET.com: "Antivirus software vendor Kaspersky is launching an international effort to try to crack the encryption used in a "blackmailer" virus that locks up data on a victim's computer."



Share or Bookmark this Article Using:
| furl | reddit | del.icio.us | magnoliacom | digg | newsvine | stumble it |


Posted by NIST.org on Monday 16 June 2008 - 05:57:58 | |printer friendly
Translate to: French German Italian Spanish Portuguese GTM_LAN_DUTCH Russian Chinese Arabic Korean English
Google Ads




Headlines

»NCCoE Speaker Series March 2015
»New NIST Tools to Help Boost Wireless Channel Frequencies and Capacity
»NIST Announces Pilot Grants Competition to Improve Security and Privacy of Online Identity Verification Systems
»Vendors Sought to Develop Model System to Monitor Security of Energy Industry Networked Control Systems
»NIST Releases Update of Industrial Control Systems Security Guide for Final Public Review
»Cybersecurity Summit Technical Workshop
»NIST Forensic Science Standards Committees to Hold First Public Meetings in February 2015
»NIST Security Guide Walks Organizations Through the Mobile App Security Vetting Process
»Open-Source Software for Quantum Information
»NIST Requests Round Two Comments on its Cryptographic Standards Process
»Symposium to Focus on Future of Voting Systems
»NIST Meeting: Cybersecurity Is a Key Ingredient In the Manufacturing Mix
»Future of Voting Systems Symposium II
»Global City Teams Challenge Tech Jam
»NIST Announces Initial Members of Forensic Science Digital Evidence Subcommittee


Date published: not known
Details

»Guidance for Defending Against Destructive Malware
Original release date: March 03, 2015 The National Security Agency (NSA)'s Information Assura ...
»FTC Details the Top 10 Imposter Scams of 2014
Original release date: March 02, 2015 The Federal Trade Commission (FTC) has released an advi ...
»Cisco IPv6 Denial of Service Vulnerability
Original release date: February 25, 2015 Cisco has identified a vulnerability that could allo ...
»Samba Remote Code Execution Vulnerability
Original release date: February 24, 2015 Linux and Unix based operating systems employing Sam ...
»Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird
Original release date: February 24, 2015 The Mozilla Foundation has released security updates ...
»Lenovo Computers Vulnerable to HTTPS Spoofing
Original release date: February 20, 2015 Lenovo consumer personal computers employing the pre ...
»IRS Issues Warning for a Scam Targeting Tax Preparers
Original release date: February 18, 2015 The Internal Revenue Service (IRS) has issued a pres ...
»ISC Releases Security Updates for BIND
Original release date: February 18, 2015 The Internet Systems Consortium (ISC) has released s ...
»Microsoft Releases February 2015 Security Bulletin
Original release date: February 10, 2015 Microsoft has released updates to address vulnerabil ...
»Microsoft Releases Critical Security Update for Internet Explorer
Original release date: February 10, 2015 Microsoft has released a critical security update to ...


Date published: not known
Details

»Paper: Script in a lossy stream
Dénes Óvári explains how to store code in lossily compressed JPEG data. Malformed PDF ...
»TorrentLocker spam has DMARC enabled
Use of email authentication technique unlikely to bring any advantage. Last week, Trend Micro resear ...
»VB2014 paper: Caphaw - the advanced persistent pluginer
Micky Pun and Neo Tan analyse the banking trojan that is best known for spreading through Skype. Sin ...
»M3AAWG releases BCP document on dealing with child sexual abuse material
Subject may make many feel uncomfortable, but it is essential that we know how to deal with it. The ...
»Hacker group takes over Lenovo's DNS
As emails were sent to wrong servers, DNSSEC might be worth looking into. Although, after some initi ...
»Coordinated action takes down Ramnit botnet infrastructure
Malware remains present on infected machines; 2012 Virus Bulletin paper worth studying. A coordinate ...
»Almost 50% increase in reported vulnerabilities as non-Windows operating systems lead the table
Each discovered vulnerability is actually a good news story. Last week, security firm GFI published ...
»Vawtrak trojan spread through malicious Office macros
Users easily tricked, but plenty of opportunity for the malware to be blocked. Researchers at Trend ...
»Lenovo laptops pre-installed with software that adds its own root CA certificate
Shared root certificate makes for easy man-in-the-middle attacks. What is Superfish? Superfish is a ...


Date published: not known
Details

»Compliance & Security: A Race To The Bottom?
Compliance is meaningless if organizations don't use it as a starting point to understand and mitiga ...
»What You Need To Know About Nation-State Hacked Hard Drives
The nation-state Equation Group compromise of most popular hard drives won't be a widespread threat, ...
»Uber Takes Over 5 Months To Issue Breach Notification
50,000 Uber drives just being told now that their names and license numbers were exposed.
»5 Signs That The Firewall's Not Dead Yet
Demise of firewall is a long way off, according to recent survey results.
»No Silver Bullets for Security
A quick-fix security solution for cyberphysical systems doesn't exist.
»Why Security Awareness Alone Won't Stop Hackers
End-user training is a noble pursuit but it's no defense against "low and slow" attacks that take mo ...
»Dark Reading Offers Cyber Security Crash Course At Interop 2015
New event is designed to provide fast education on the latest threats and defenses
»Mobile Security By The Numbers
Rounding up the latest research on mobile malware and security practices.
»Eyes On The Analytics Prize


Date published: Tue, 03 Mar 2015 13:01:23 EST
Details
Main Menu
· Home
Current Security News
 
SANS Internet Storm Center, InfoCON: green

» Infocon: green

» An Example of Evolving Obfuscation, (Tue, Mar 3rd)
[03 Mar 2015 09:42am]

» ISC StormCast for Tuesday, March 3rd 2015 http://isc.sans.edu/podcastdetail.html?id=4379, (Tue, Mar 3rd)
[02 Mar 2015 07:24pm]

» How Do You Control the Internet of Things Inside Your Network?, (Mon, Mar 2nd)
[02 Mar 2015 10:21am]

» ISC StormCast for Monday, March 2nd 2015 http://isc.sans.edu/podcastdetail.html?id=4377, (Mon, Mar 2nd)
[01 Mar 2015 06:57pm]

» Advisory: Seagate NAS Remote Code Execution, (Sun, Mar 1st)
[01 Mar 2015 09:14am]

» Let's Encrypt!, (Fri, Feb 27th)
[27 Feb 2015 08:34pm]

» DDOS are way down? Why?, (Fri, Feb 27th)
[27 Feb 2015 01:04pm]

» Leonard Nimoy has passed - please be alert for the rounds of Phishing and malware that will inevitably occur!, (Fri, Feb 27th)
[27 Feb 2015 11:23am]

» Tails 1.3 released - https://tails.boum.org/news/version_1.3/index.en.html, (Fri, Feb 27th)
[27 Feb 2015 06:30am]

» Tor Browser Version 4.0.4 released - https://blog.torproject.org/blog/tor-browser-404-released, (Fri, Feb 27th)
[27 Feb 2015 06:27am]

***
CNET News.com

» Microsoft defends opening Hotmail account of blogger in espionage case
[20 Mar 2014 06:47pm]

» Syria's Internet goes dark for several hours
[20 Mar 2014 04:25pm]

» Symantec fires CEO Steve Bennett
[20 Mar 2014 03:07pm]

» Microsoft sniffed blogger's Hotmail account to trace leak
[20 Mar 2014 01:28pm]

» Microsoft sniffed private Hotmail account to trace trade secret leak
[20 Mar 2014 01:28pm]

» IBM's new services zero in on fraud, financial crime
[20 Mar 2014 07:31am]

» Despite assault on privacy, Page sees value in online openness
[19 Mar 2014 08:00pm]

» Hackers transform EA Web page into Apple ID phishing scheme
[19 Mar 2014 05:21pm]

» NSA top lawyer says tech giants knew about data collection
[19 Mar 2014 02:57pm]

» Microsoft touts study showing the cost of pirated software
[19 Mar 2014 06:55am]

» Microsoft touts study showing cost of malware in pirated software
[19 Mar 2014 06:55am]

» How to spy on your lover, the smartphone way
[18 Mar 2014 01:24pm]

» Mt. Gox update lets users see their Bitcoin balances
[18 Mar 2014 06:38am]

» Fake Malaysia Airlines links spread malware
[17 Mar 2014 05:12pm]

» IBM: No, we did not help NSA spy on customers
[17 Mar 2014 01:15pm]

***

***



***


More IT Security
News Feeds
More Sponsors

Advertise on this site
RSS Feeds
Our news can be syndicated by using these rss feeds.
rss1.0
rss2.0
rdf
Symantec News

NIST.org is in no way connected to the U.S. government site NIST.gov

This site is © John Herron, CISSP. All Rights Reserved.

Please visit daily to stay up to date on all your IT Security compliance issues.

http://www.nist.org -
Hosted by BlueHost. We've never had a better hosting company.
{THEMEDISCLAIMER}