NIST Site Search
Search NIST.GOV
Custom Search
[Official NIST.GOV TIME]
Product Research

Advertise on this site
Ransomware Will Win The War
The well respected Antivirus firm Kaspersky Lab is calling for a massive group effort to break the encryption used by the latest Ransomware. They're asking competitors, governments, and cryptographers to join the effort. But even a massive worldwide computer grid won't win this war.No Longer Supported
The malware being battled is called Gpcode. Gpcode is a Trojan that is sent through email or posted on USENET newsgroups. The infected attachment is a MS Word .DOC file and most users still think DOC files are safe to open. When its run it encrypts the users documents.

"The email had an MS word .doc file called anketa.doc attached. (Anketa is the Russian for application form). This file actually contained a malicious program called Trojan-Dropper.MSWord.Tored.a. When the recipient opens the attachment, a malicious macro installs another Trojan - Trojan-Downloader.Win32.Small.crb - on the victim machine." - Virulist.com


Gpcode searches for over 80 different file types on the computer and encrypts them. Besides the normal document files Gpcode also encrypts the users email database files. The program leaves behind a text file instructing the person how to contact the author to purchase the decoder program. The program also deletes references to its self. Gpcode has gone through several revisions, the encryption keys in previous versions was found relatively quickly because of flaws in how the author implemented the encryption. This latest version, first reported on June 4th, 2008, apparently does not have these flaws and all efforts to date to find other such shortcuts to crack the encryption key have failed.

"Different versions of the Gpcode virus encrypt user files of different types (.doc, .txt, .pdf, .xls, .jpg, .png, .cpp, .h etc.) using a strong RSA encryption algorithm with different key lengths. After encrypting files on a computer, the virus automatically generates a message informing the user that the files have been encrypted and demanding payment for a decryption utility." - Kaspersky Lab


Even if Kaspersky manages to find a weakness in the current encryption implementation and finds the encryption key eventually this author (or someone else) will get it right. To date no one has broken a 1024 bit RSA encryption key (what Gpcode currently uses). They have broken a "special" 307 bit key but not a true "proper" 307 bit RSA key. Even that effort took years to accomplish. The last time they broke a proper 155 bit key it took 9 years and quite a bit of computing power. One of the best known cryptanalyst, Bruce Schneier, says that the writing is on the wall for 1024 bit keys and eventually they will be broke. So even if Kaspersky wins this battle they won't win the war against ransomware.

"I hope RSA applications would have moved away from 1024-bit security years ago, but for those who haven't yet: wake up." - Bruce Schneier


If Kaspersky's group can not find a shortcut it will take a massive amount of computing power to accomplish something no one has done before them. In one respect it will be quite an accomplishment, but in reality it really doesn't help much. By the time they break the encryption key the author will have moved on to another key, perhaps one using a 2048 bit key (which is currently well outside the bounds of being able to be broken in our lifetime). Or perhaps the author will switch to AES encryption which is orders of magnitude stronger than RSA. From the ransomware author's point of view switching to a synchronous AES key does present some practical problems with key distribution but they aren't impossible to overcome.

Though there is currently no way to break the encryption used by the Gpcode Trojan Kaspersky does have instructions for restoring some files encrypted by Gpcode. Gpcode currently encrypts a copy of the file and then deletes the original, therefore it may be possible to undelete the original (unencrypted) file. But don't count on getting much back because deleted files will quickly get overwritten by new encrypted files. Your best defense to any unknown threat is a good backup, then you can simply delete the encrypted files and restore them from backup (after removing the infection). Of course keeping MS Office and your antivirus application up to date can help as well.

There are many experts that believe Kaspersky Lab is wildly optimistic in believing that a 1024 bit key can be broken anytime soon. Let us hope Kaspersky is not successful because whenever you visit a SSL webpage it first connects using a RSA 1024 bit key (in order to securely exchange a synchronous RC4 or AES key to encrypt the data). If RSA encryption can be broken quickly anyone using standard SSL certificates will need to upgrade. Previous data transmitted over SSL that may have been recorded will be at risk of compromise.

References:
Kaspersky Lab - Press Release announcing the launch of the Stop Gpcode international initiative.
Schneier on Security - Bruce Schneier's blog. He's 'The Man' when it comes to encryption.
Crypto boffin: writing is on the wall for 1024-bit RSA - The Register: "The largest proper RSA number yet broken was a 200-digit "non-special" number whose two prime factors were identified in 2005 after 18 months of calculations that used over a half century of computer time. The 1024-bit numbers used in RSA encryption are around 100 orders of magnitude bigger than this. The writing may be on the wall for 1024-bit RSA: but as yet, um, nobody can read it."
Virulist.com "Blackmailer: the story of Gpcode" - "Gpcode then scans all accessible directories and encrypts files with certain extensions such as .txt, .xls, .rar, .doc, .html, .pdf etc. It also encrypts mail client databases."
Ransomware resisting crypto cracking efforts - SecurityFocus: "While previous versions have had flawed encryption implementations, the latest version -- Gpcode.ak -- appears to have eliminated the flaws that allowed reverse engineers to find earlier keys."
Kaspersky to try to crack code used in 'blackmailer' virus - CNET.com: "Antivirus software vendor Kaspersky is launching an international effort to try to crack the encryption used in a "blackmailer" virus that locks up data on a victim's computer."



Share or Bookmark this Article Using:
| furl | reddit | del.icio.us | magnoliacom | digg | newsvine | stumble it |


Posted by NIST.org on Monday 16 June 2008 - 05:57:58 | |printer friendly
Translate to: {GOOGLETRANS}
Google Ads




Headlines

»CVE-2014-9862 (mac_os_x)
Integer signedness error in bspatch.c in bspatch in bsdiff, as used in Apple OS X before 10.11.6 and ...
»CVE-2015-5738
The RSA-CRT implementation in the Cavium Software Development Kit (SDK) 2.x, when used on OCTEON II ...
»CVE-2015-8946
ecryptfs-setup-swap in eCryptfs before 111 does not prevent the unencrypted swap partition from acti ...
»CVE-2016-0635 (documaker, enterprise_manager_ops_center, health_sciences_information_manager, healthcare_master_person_index, insurance_calculation_engine, insurance_policy_administration_j2ee, insurance_rules_palette, primavera_contract_management, primavera_p6_enterprise_project_portfolio_management, retail_integration_bus, retail_order_broker_cloud_service)
Unspecified vulnerability in the Enterprise Manager Ops Center component in Oracle Enterprise Manage ...
»CVE-2016-1705 (chrome)
Multiple unspecified vulnerabilities in Google Chrome before 52.0.2743.82 allow attackers to cause a ...
»CVE-2016-1706 (chrome)
The PPAPI implementation in Google Chrome before 52.0.2743.82 does not validate the origin of IPC me ...
»CVE-2016-1707 (chrome)
ios/web/web_state/ui/crw_web_controller.mm in Google Chrome before 52.0.2743.82 on iOS does not ensu ...
»CVE-2016-1708 (chrome)
The Chrome Web Store inline-installation implementation in the Extensions subsystem in Google Chrome ...
»CVE-2016-1709 (chrome, sfntly)
Heap-based buffer overflow in the ByteArray::Get method in data/byte_array.cc in Google sfntly befor ...
»CVE-2016-1710 (chrome)
The ChromeClientImpl::createWindow method in WebKit/Source/web/ChromeClientImpl.cpp in Blink, as use ...
»CVE-2016-1711 (chrome)
WebKit/Source/core/loader/FrameLoader.cpp in Blink, as used in Google Chrome before 52.0.2743.82, do ...
»CVE-2016-1863 (apple_tv, iphone_os, mac_os_x, watchos)
The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2 ...
»CVE-2016-1865 (apple_tv, iphone_os, mac_os_x, watchos)
The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2 ...
»CVE-2016-3451 (integrated_lights_out_manager_firmware)
Unspecified vulnerability in the ILOM component in Oracle Sun Systems Products Suite 3.0, 3.1, and 3 ...
»CVE-2016-3481 (integrated_lights_out_manager_firmware)
Unspecified vulnerability in the ILOM component in Oracle Sun Systems Products Suite 3.0, 3.1, and 3 ...


Date published: 2016-07-27T04:50:04Z
Details

»Google Releases Security Update for Chrome
Original release date: July 21, 2016 Google has released Chrome version 52.0.2743.82 to addre ...
»Cisco Releases Security Update
Original release date: July 20, 2016 | Last revised: July 25, 2016 Cisco has released a secur ...
»Oracle Releases Security Bulletin
Original release date: July 19, 2016 Oracle has released its Critical Patch Update for July 2016 to address 276 vulnerabilities across multiple products. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.US-CERT encourages users and administrators to review the Oracle July 2016 Critical Patch Update and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.
»Drupal Releases Security Advisory
Original release date: July 18, 2016 Drupal has released an advisory to address a vulnerabili ...
»Apple Releases Multiple Security Updates
Original release date: July 18, 2016 Apple has released security updates for iTunes, Safari, ...
»Cisco Releases Security Updates
Original release date: July 14, 2016 Cisco has released security updates to address vulnerabi ...
»Microsoft Releases Security Updates
Original release date: July 12, 2016 Microsoft has released 11 updates to address vulnerabili ...
»Adobe Releases Security Updates
Original release date: July 12, 2016 Adobe has released security updates to address vulnerabi ...
»Cisco Releases Security Updates
Original release date: June 30, 2016 Cisco has released security updates to address vulnerabi ...
»Symantec Releases Security Updates
Original release date: June 29, 2016 Symantec has released security updates to address vulner ...


Date published: not known
Details

»It's 2016. Can we stop using MD5 in malware analyses?
While there are no actually risks involved in using MD5s in malware ...
»Throwback Thursday: Holding the Bady
In 2001, ‘Code Red’ caused White House administrators to change the ...
»Paper: The Journey of Evasion Enters Behavioural Phase
A new paper by FireEye researcher Ankit Anubhav provides an overvie ...
»Guest blog: Espionage toolkit uncovered targeting Central and Eastern Europe
Recently, ESET researchers uncovered a new espionage toolkit target ...
»Avast acquires AVG for $1.3bn
Anti-virus vendor Avast has announced the acquisition of its rival ...
»Throwback Thursday: You Are the Weakest Link, Goodbye!
Passwords have long been a weak point in the security chain, despit ...
»Paper: New Keylogger on the Block
In a new paper published by Virus Bulletin, Sophos researcher Gabor ...
»BSides Denver to take place the day after VB2016
VB2016, the 26th International Virus Bulletin conference, is an exc ...
»VB2015 paper: DDoS Trojan: A Malicious Concept that Conquered the ELF Format
In their VB2015 paper, Peter Kálnai and Jaromír Hořejší look at the ...


Date published: not known
Details
Main Menu
· Home
Current Security News
 
US-CERT Current Activity

» Google Releases Security Update for Chrome
[21 Jul 2016 11:27am]

» Cisco Releases Security Update
[20 Jul 2016 10:29am]

» Oracle Releases Security Bulletin
[19 Jul 2016 04:07pm]

» Drupal Releases Security Advisory
[18 Jul 2016 03:23pm]

» Apple Releases Multiple Security Updates
[18 Jul 2016 03:13pm]

» Cisco Releases Security Updates
[14 Jul 2016 07:09am]

» Microsoft Releases Security Updates
[12 Jul 2016 05:06pm]

» Adobe Releases Security Updates
[12 Jul 2016 10:55am]

» Cisco Releases Security Updates
[30 Jun 2016 05:35am]

» Symantec Releases Security Updates
[29 Jun 2016 09:40am]

***
US-CERT Alerts

» TA16-187A: Symantec and Norton Security Products Contain Critical Vulnerabilities
[05 Jul 2016 08:50am]

» TA16-144A: WPAD Name Collision Vulnerability
[23 May 2016 05:38am]

» TA16-132A: Exploitation of SAP Business Applications
[11 May 2016 05:31am]

» TA16-105A: Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced
[14 Apr 2016 01:48pm]

» TA16-091A: Ransomware and Recent Variants
[31 Mar 2016 04:00pm]

» TA15-337A: Dorkbot
[03 Dec 2015 04:40pm]

» TA15-314A: Compromised Web Servers and Web Shells - Threat Awareness and Guidance
[10 Nov 2015 06:12pm]

» TA15-286A: Dridex P2P Malware
[13 Oct 2015 05:23am]

» TA15-240A: Controlling Outbound DNS Access
[28 Aug 2015 11:31am]

» TA15-213A: Recent Email Phishing Campaigns – Mitigation and Response Recommendations
[01 Aug 2015 04:01pm]

***
Computerworld Security

» Flaw with password manager LastPass could hand over control to hackers
[27 Jul 2016 02:22pm]

» Trump to Russian hackers: Help find Hillary Clinton's emails
[27 Jul 2016 12:30pm]

» Rival gang leaks decryption keys for Chimera ransomware
[27 Jul 2016 11:52am]

» 7 strategies to avoid CSO burnout
[27 Jul 2016 09:29am]

» KeySniffer: Hackers can snag wireless keyboard keystrokes from 250 feet away
[27 Jul 2016 07:31am]

» Surefire security fail: One. App. At. A. Time.
[27 Jul 2016 05:00am]

» FBI to lead nation's cyberattack responses
[26 Jul 2016 02:21pm]

» SMS-based two-factor authentication may be headed out the door
[26 Jul 2016 01:26pm]

» Kimpton Hotels is investigating a possible payment card breach
[26 Jul 2016 11:26am]

» Verizon's Yahoo deal creates a tracking powerhouse
[26 Jul 2016 11:01am]

» Cyberespionage group sets its sights on multiple industries
[26 Jul 2016 09:12am]

» U.S. and EU tech companies at sea with end of data Safe Harbor
[26 Jul 2016 06:25am]

» Cybersecurity firm offers users reimbursement for ransomware infections
[26 Jul 2016 05:57am]

» FBI probes DNC hack for Russian involvement
[25 Jul 2016 06:26pm]

» Here are the key security features arriving with Windows 10 next week
[25 Jul 2016 04:19pm]

***
Microsoft Security Advisories

» 2880823 - Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - Version: 2.0
[18 May 2016 11:00am]

» 3155527 - Update to Cipher Suites for FalseStart - Version: 1.0
[10 May 2016 11:00am]

» 3152550 - Update to Improve Wireless Mouse Input Filtering - Version: 1.1
[22 Apr 2016 11:00am]

» 3137909 - Vulnerabilities in ASP.NET Templates Could Allow Tampering - Version: 1.1
[10 Feb 2016 11:00am]

» 2871997 - Update to Improve Credentials Protection and Management - Version: 5.0
[09 Feb 2016 11:00am]

» 3123479 - Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - Version: 1.0
[12 Jan 2016 11:00am]

» 3109853 - Update to Improve TLS Session Resumption Interoperability - Version: 1.0
[12 Jan 2016 11:00am]

» 3118753 - Updates for ActiveX Kill Bits 3118753 - Version: 1.0
[12 Jan 2016 11:00am]

» 2755801 - Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge - Version: 53.0
[05 Jan 2016 11:00am]

» 3057154 - Update to Harden Use of DES Encryption - Version: 1.1
[08 Dec 2015 11:00am]

» 3123040 - Inadvertently Disclosed Digital Certificate Could Allow Spoofing - Version: 1.0
[08 Dec 2015 11:00am]

» 3119884 - Inadvertently Disclosed Digital Certificates Could Allow Spoofing - Version: 1.0
[30 Nov 2015 11:00am]

» 3108638 - Update for Windows Hyper-V to Address CPU Weakness - Version: 1.0
[10 Nov 2015 11:00am]

» 3097966 - Inadvertently Disclosed Digital Certificates Could Allow Spoofing - Version: 2.0
[13 Oct 2015 11:00am]

» 3042058 - Update to Default Cipher Suite Priority Order - Version: 1.1
[13 Oct 2015 11:00am]

***
WIRED

» Trump Asks Russia to Dig Up Hillary’s Emails in Unprecedented Remarks
[27 Jul 2016 11:49am]

» Here’s What We Know About Russia and the DNC Hack
[27 Jul 2016 07:30am]

» WikiLeaks Has Officially Lost the Moral High Ground
[27 Jul 2016 06:00am]

» Radio Hack Steals Keystrokes from Millions of Wireless Keyboards
[26 Jul 2016 07:30am]

» 11 Police Robots Patrolling Around the World
[24 Jul 2016 05:00am]

» The KickassTorrents Case Could Be Huge
[22 Jul 2016 07:00am]

» How the Republican Convention Fends Off Hackers
[21 Jul 2016 07:55am]

» Snowden Designs a Device to Warn if Your iPhone’s Radios Are Snitching
[21 Jul 2016 07:01am]

» How the RNC Would Handle a Worst-Case Scenario Like a Bio or Chemical Attack
[21 Jul 2016 05:00am]

» Now You Can Hide Your Smart Home on the Darknet
[20 Jul 2016 02:57pm]

***
Network World Security

» Flaw with password manager LastPass could hand over control to hackers
[27 Jul 2016 02:05pm]

» Kaspersky researchers love “Mr. Robot” hacker but claim no Snowden ties
[27 Jul 2016 12:37pm]

» Donald Trump encouraged Russia to hack Hillary Clinton's email
[27 Jul 2016 12:12pm]

» Russian involvement in DNC WikiLeaks email heist unproven
[27 Jul 2016 11:26am]

» Review: Promisec goes the extra step to secure PCs
[13 Jul 2016 06:21am]

» 4 tools for managing firewall rules
[07 Jul 2016 11:03am]

» 10 advanced endpoint protection tools
[05 Jul 2016 04:00am]

» How to buy endpoint security products
[05 Jul 2016 04:00am]

» 7 trends in advanced endpoint protection
[05 Jul 2016 04:00am]

» 10 cutting-edge tools that take endpoint security to a new level
[05 Jul 2016 04:00am]

» Buyer’s Guide to 9 multi-factor authentication products
[06 Jun 2016 04:00am]

» 5 trends shaking up multi-factor authentication
[06 Jun 2016 04:00am]

» 9-vendor authentication roundup: The good, the bad and the ugly
[06 Jun 2016 04:00am]

» Kaspersky researchers love “Mr. Robot” hacker but claim no Snowden ties
[27 Jul 2016 12:37pm]

» Donald Trump encouraged Russia to hack Hillary Clinton's email
[27 Jul 2016 12:12pm]

***


More IT Security
News Feeds
More Sponsors

Advertise on this site
RSS Feeds
Our news can be syndicated by using these rss feeds.
rss1.0
rss2.0
rdf

NIST.org is in no way connected to the U.S. government site NIST.gov

This site is © John Herron, CISSP. All Rights Reserved.

Please visit daily to stay up to date on all your IT Security compliance issues.

http://www.nist.org -
Hosted by BlueHost. We've never had a better hosting company.
{THEMEDISCLAIMER}