Techniques in ransomware explained

Filed Under: Malware, Ransomware, SophosLabs, Vulnerability

RansomRansomware is malicious software that attempts to extort money out of unsuspecting users, normally by locking them out of their machines. This isn’t the first time (or even the second) that we’ve seen such malware in the last few months, but lately there has been a trend of a more sinister type of ransomware.

Instead of simply employing tricks to lock you out of your computer, crypto-ransomware holds your files (documents, photos, music, movies, etc.) hostage by encrypting them. This makes remediation a lot more difficult than just removing the malicious infection, as your files also need to be decrypted.

Last week, SophosLabs saw new ransomware samples employing this technique. On infection, the malware searches for specific types of files (using a list of over 110 file extensions; .doc, .jpg, .pdf, etc), encrypts them, and renames the now unreadable file with a .BLOCKAGE extension. The following ransom message is then displayed to the user:

All your personal files (photo, documents, databases) have been encrypted by a very strong cipher.
You can check this by yourself - just look for files in all folders.
There is no possibility to decrypt these files without a special decrypt program.
Nobody can help you - even don't try to find another method or tell anybody.
We can help you to solve this task: send your request on this e-mail:
Attach to message a full serial key shown below in this ('HOW TO DECRYPT FILES.TXT') file on desktop.
And remember: any harmful or bad words to our side will be a reason for ingoring your message and nothing will be done.
Only we can decrypt your files!

As all your files are being encrypted, the malware also calls home and transmits a copy of the serial key to one of their command-and-control servers.

The scary part here is that they aren’t lying when they say that only they can decrypt your files. In fact, the malware makes use of some nifty public-key cryptography which is the same “one-way” (asymmetric) encryption that lets you safely shop online and access online banking.

The malware generates a unique encryption key randomly every time it infects a computer, which it uses to encrypt your files (using the AES-256 “military grade” cipher algorithm). It then encrypts this using their public key.

The result of this becomes the unique serial key which is displayed to the user.

Unfortunately this means that only someone with their private key can decrypt the serial to get the key used to encrypt your files. To try and recover the private key required from just the public key alone (RSA 1024 bit) would most likely take millions of pounds of computation hardware and time and still probably wouldn’t be finished by the time I graduate from University (2 years’ time).

While the cryptography being used here to hold your family holiday photos/retro music collection/letters from your girlfriend to ransom is very sophisticated, further analysis of the malware itself reveals it to be not so smart. In fact, I would go as far to say the samples that I have seen are the work of an amateur malware author.

The majority of the malware code is not packed or protected in any form like I have come to expect from any sophisticated malware. Additionally, there are several very unique strings present that serve no real purpose – in particular the string “Graciliraptor!” seen in packet captures from some samples.

Perhaps this is the author’s online persona, or a graffiti-esque ‘tag’ taken from the name given to a genus of theropod dinosaur from the early Cretaceous Period, meaning “graceful thief”. Either way, it makes detection of these malware samples a lot easier!

So the really worrying part here is that if this is indeed the work of a malware author wannabe, they have been able take advantage of some very clever crypto to wreak havoc on your system.

They do not even need to code these algorithms themselves; they can just use the crypto libraries (Microsoft Cryptographic API or equivalent) already present on your computer!

Paying the ransom is not recommended, and doesn’t even guarantee you will get your files decrypted. To me, this only emphasises the importance of having up-to-date anti-virus, and regular backups of important documents - just in case.

, ,

You might like

34 Responses to Techniques in ransomware explained

  1. Freida Gray · 1078 days ago

    Does this encrypt the things in your e-mail program too,or does it just affect what you've downloaded onto your computer?

    • John · 1078 days ago

      It usually encrypts all files which therefore includes emails.

      • Guest · 1078 days ago

        It does NOT encrypt all files. Just those with certain extensions.

  2. Tim · 1078 days ago

    The thing that really disturbs me about this ransom ware is the level of active human involvement in it. Not implying, of course, that malware authors aren't always involved in the process, but this attack is asking you to potentially open a dialog with the person whom has infected your system and encrypted your files, which to me is very odd. Any notes on the most common methods of infection?

    • JimboC · 1078 days ago

      "Any notes on the most common methods of infection?"

      Very good point that you have raised. I would also be interested in this.

      Presumably Sophos protects against this kind of malware at this time? The author did not mention what signatures are used to detect this malware i.e. the malware's signature name used by Sophos.


  3. Chadd · 1078 days ago

    This isn't exactly new. I wrote up an article about an attack using this a month ago for a local hospital, and a quick google search shows this problem back in 2010 with GpCode.

    • Fraser Howard · 1078 days ago

      Indeed. I think the more important point is the trend towards more ransomware 'doing things properly' (in this case encrypting files such that recovery requires the private key).

  4. Rich · 1078 days ago

    IIRC this was the action taken by one of the very earliest pieces of malware. It arrived on 5-inch floppy disks and you were required to send money to some address in South America to get your files back. I seem to remember the guy was eventually caught.

    We're talking 20+ years ago so maybe not a new trend happening 'lately'.

    • Julian Bhardwaj · 1078 days ago

      Are you referring to the PC Cyborg/AIDS virus? I think there difference here is that the PC Cyborg virus weakly encrypted the file names (and set the hidden attribute), whereas now ransomware is using very sophisticated cryptography to encrypt the actual contents of files.

    • Paul Ducklin · 1078 days ago

      You're talking about the AIDS Information Trojan, by Dr Joseph Popp. (He was caught, extradited from the USA to the UK, eventually found unfit to be in the UK after his remand and trial had rambled on for a year or so, and booted back to the USA.)

      That malware - the first ransomware I know of - was quite different. It used a simplistic algorithm to encrypt just the file and directory names on your PC, with the same key on every computer. Free tools to reverse the scrambling soon appeared.

      Using a different key for each PC (and using proper crypto) means that in this case, as @DaveEwart points out below, you need to treat the infection as a hard drive failure. There's no simple, generic, cure like there was with the AIDS Info Trojan...

  5. Eldad · 1078 days ago

    Thank you Julian.
    Interesting and scary, but 3 questions remain:
    1. How to prevent such infection?
    2. Are antivirus programs preventing (stopping) such infections.
    3. What to do if it actually happens?


  6. TomM · 1078 days ago

    Eldad - 3 is easy - remove the malware (ideally having wiped and reinstalled the operating system first) and use your up to date backups (you do have up to date backups, don't you?) to recover your important files, then you don't need to enter into a conversation with the malware writer or take the chance that he'll let you decrypt...

    • Guest · 1078 days ago

      People who rely heavily on their computers will find that your solution is NOT easy.

      1) If you wipe the hard drive PROPERLY, you'll have removed the malware in any case.

      2) Restoring the OS is only the first step. You also have to re-install and re-configure the applications. Assuming that you have the master files for the OS (usually built into a protected partition on the hard drive) and the apps, this takes time and a certain amount of skill not found with most consumers.

      Don't say it's easy just because you can do it. In this area, most users cannot.

  7. @DaveEwart · 1078 days ago

    Victims should treat such an incident as a hard drive failure, that is to consider everything on the machine lost. Thus, measures which are used to cope with (potential) hard drive failures are appropriate here. Typically, this means having backups.

    • Guest · 1078 days ago

      If you think having backups is a complete solution, you don't understand the problem.

      • @DaveEwart · 1075 days ago

        Backups are the primary means of recovering your files when they suddenly become unavailable to you. Everything else (re-image the PC, whatever) is just house-keeping. The risks of a HDD failure and the risk of an encrypting-virus denying you access to those files have similar mitigation procedures, namely backups.

  8. Keith · 1078 days ago

    Most common source: infected websites.

    Have just sorted out three different customers with the Ukash trojan ("Police Virus") and all three had been accessing porn online. There's a lesson here somewhere...

    Not only recommend good quality anti-virus (although it seems to not be that effective) but also AdBlock on either Firefox or Opera and, if you are savvy enough, NoScript. It is the active content on websites that does the damage.

    • Guest · 1078 days ago

      The Ukash trojan doesn't just infect pron sites. It can infect poorly-protected "legitimate" websites, so there's really no lesson.

  9. Mark · 1078 days ago

    OpenDNS is also an option for helping with the website infections. It does this by not resolving websites known to download malware.

  10. George · 1078 days ago

    @DaveEwart - Is it as simple as dealing with it as a hard drive failure? Will it not also encrypt files on a connected USB hard drive with automatic backup? So in fact the only true security would be the alternate external hard drive that is not connected, but stored in the separate fire safe. Then only a week's worth or so of files are lost.

    • @DaveEwart · 1075 days ago

      Well, 'backups' on a connected USB drive are always at risk of Anything You Do On The PC. Backups are safest held externally, unconnected, yes. This is less convenient, but it's safer. As with everything, this is a trade-off.

  11. @jacksimon67 · 1078 days ago

    Does this malware also try to encrypt files on an external drive that may have been used for backup?

    • @julianbhardwaj · 1074 days ago

      I believe this particular sample did infect removable drives as well as writable network shares - offsite/cloud backups are the way forward.

  12. Jack · 1078 days ago

    I would add "Contact the police", even though they probably can't offer any assistance they can at least add this crime to the list of computer crimes. As crimes MO becomes repetitive, police are good at catching these people, even high tech crimes, so I would insist that the police are contacted.

    [Post edited for length.]

  13. Zack · 1077 days ago

    While reading this blog, im actually excited to see how the sample mentioned in this blog can be decrypted manualy, because the writer mentioned that the malware did not implement a good technique or not packing the malware, the malware author is just a wanna be, the string “Graciliraptor!” is identified and the writer keeps mentioning about "this is easy".

    Im hoping for this case, the writer has actually made to the point where he/she was able to decrypt or obtain the private key because for sure it should have a copy of the private key somewhere in the machine. Bottom line, the issue be fixed by manually decrypting it

    or this is just the part 1 of the story?

    • Robert · 1073 days ago

      The private key is not stored anywhere in the malware or on the infectecd machine. Only the attacker holds the private key. That is how the ransom works: The attacker offers to send you the key if you pay the ransom.

      Since paying the ransom is not recommended (not least because it would encourage more of these attacks) and brute force cracking would require several years of super computing, the only other alternative is to accept that the files are unrecoverable and to restore from backups.

  14. IRON67 · 1077 days ago

    To me, this only emphasises the importance of having up-to-date System, Browser and - more important - up-to-date PLUGINS cause in older versions they open the way for drive-by-infections.

    An up-to-date anti-virus is nearly completely useless. New ransomware variants comes quickly and will not be recognized by more then 2 or 3 scanners of 41 (virustotal).

  15. Rory · 1077 days ago

    I keep all my personal data on an external HD which is never turned on when im online. So even if this ransomware got onto my machine id simply format the HD and wipe everything. I format my HD every few monhs anyway to get rid of all the junk it builds up. Also have a spare HD just incase. So im not one bit worried over this.

  16. Mark Sitkowski · 1076 days ago

    @Keith: When you say 'infected websites', do you mean websites that belong to the criminal, or is this malware capable of being hidden on a legitimate website? (As webmaster, I'd like to know if I need to take extra precautions)

  17. Guido Faulkes · 1074 days ago

    I call bullshit on this. They provided an e-mail address, because they need to be in contact with you for two-way comms to receive requests and send back decrypt keys in exchange for ransom money. Tor cipher maze does not mean anything, as the Echelon system has end to end message tracking capability, able to spot where the particular message comes in the maze and finally emerges. Just need to convince NSA that it is important to nail cyber criminals.

    If you cannot, it is still trvially easy to send a faux submission e-mail, where an AV researcher posing as a victim sends a mail about being willing to pay, with an attached PDF with a JPEG screenshot inside, of the ransom message screen photo'ed. The PDF/JPEG shall contain attack code that, on opening, backdoors the cybercrooks' computer and reveals its location, plus exfiltrates the master private key for amassed decryption ability. Then please display a suprise message to the hacker for fun: "Greetings from Mossad, please write your last will!"

    Also, the flow of ransom money can be tracked and lead to the hackers.

    • Robert · 1073 days ago

      > Also, the flow of ransom money can be tracked and lead to the hackers.

      Not so easily thanks to the rise of certain online payment systems. That is the main reason why we have only recently begun to see this type of attack. The idea is not new at all - as already mentioned it was done 20 years ago, but the guy got caught.

      A few years ago a payment-by-phone scheme in Russia made it easy to recieve payments anonymously. Very soon ransom schemes started to exploit this. The west had to wait a couple more years, but once again as soon as anomymous payment systems became sufficiently mainstream ransomware appeared. No surprises there.

  18. hotboxdp · 772 days ago

    My computer has become infected with the Dirty Decrypt virus which has encrypted most of my files along with my backup files on an external drive. In total, 4 drives are affected. I would gladly pay whoever to get my files back. Only thing is I can't find out where to send the ransom since I removed the virus!

  19. Anonymous · 452 days ago

    any update how about to decrypt file after infected criptolock??

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Julian Bhardwaj is currently a student at the University of Warwick studying for an undergraduate degree in Discrete Mathematics. As a self confessed crypto-geek, he has a passion for all things security related.