Your Money or Your Data
Robert Lemos
In the summer of 2008, a particularly nasty piece of code started spreading among computers in Russia and Europe. Known as GPCode, the program was designed for a specific mission: infect the system, find more than 130 different file types on the hard drive, encrypt them and delete the originals.
In essence, the program kidnapped a victim's data. And like any proficient kidnapper, the program left behind a note.
"Your files are encrypted with RSA-1024 algorithm," read a message on the screen. "To recover your files, you need to buy our decryptor."
The program, also known as GPCoder to some security firms, is part of a class of threats dubbed ransomware, in which cybercriminals attempt to extort money from unwary PC users. Although these schemes are not as popular as adware or rogue antivirus, every year a handful of new attacks plague unwary users.
"You can see the appeal to the bad guys," says Kevin Haley, director of Symantec Security Response. "I can send this [malicious program] out to a thousand people, and they can buy my product to solve" the problems it causes.
Last year, for example, a hacker created a program known as Ikee that would search for and infect modified versions of Apple's popular iPhone. The program targeted only a small fraction of users: those who customized their iPhones, in a process known as jailbreaking, to circumvent the restrictions put in place by the manufacturer. Unfortunately, the process also reduces the phone's security.
Enter Ikee. The program spread among jailbroken iPhones through the devices' wireless networking capabilities, leaving behind a ransom note on the victim's device: "Your iPhone's been hacked because it's really insecure! Please visit [website name] and secure your iPhone right now!" The website, deleted from this article, told the user to send 5 euros via Paypal to get a message instructing them how to secure the phone.
Is your data worth it?
If nothing else, ransomware has the virtue of being direct. For most cybercriminals, the key measure of any scheme is how easily control of a victim's computer can be turned into cash. Ransomware attempts to directly charge the victim to eradicate the malicious code from their compromised system.
Yet the effectiveness of the scheme is questionable. "Daniel Robertson," the name used by the creator of GPCode, boasted that the consumer-focused attack was profitable.
"It well pays back itself," he said in an email interview with this reporter in 2008.
A programmer for six years, "Robertson" only started authoring malicious programs and viruses three years before working on GPCode, he said. He did not create the original program, which had been infecting systems since 2005, but he did modify the latest code to include better encryption, he claimed.
Security professionals, however, question whether ransomware schemes can profit their creators.
"I am not entirely convinced that [ransomware schemes] are easy to monetize," says Roel Schouwenberg, senior researcher at antivirus firm Kaspersky. "It's easier to do other stuff."
For one, ransomware is risky. While it's difficult to pinpoint the source of a cyberattack, tracking money through cyberspace is an easier task, and that means digital kidnappers have to worry about getting caught.
"One of the biggest problems with ransomware is that you have to pay the ransom," says Symantec's Haley.
Cybercriminals have tried different methods of transferring money to minimize the telltale evidence that could lead authorities to their doorstep. GPCode used online money-transfer sites such as Liberty Reserve and E-gold to accept payment from victims. More recent schemes, such as Ikee, utilize premium SMS messages to send money to the ransomer.
A lack of trust
Yet getting caught is not the biggest problem for ransomware scams -- it's getting paid, which boils down to a lack of trust. Unsurprisingly, users do not like to pay criminals who have just compromised their computer.
Infecting a victim's computer immediately makes the user question the ransomer's promise of a fix, says Kaspersky's Schouwenberg.
"They are being forced, being coerced into a situation," says Schouwenberg. "There is a lot of distrust [on the part of] the victims, because they have lost access to their computer or their files."
To solve the problem of trust, cybercriminals are moving away from traditional ransomware to a hybrid scheme.
Similar to a run-of-the-mill ransom scheme, the fraudsters first infect a victim's computer with a program that corrupts the data. Rather than demanding money, however, the program displays a dialog box to tell the user they are infected with a particular virus or worm. By searching for that name, the user will find a second, seemingly unrelated company, which offers a way to remove the malicious software. Unbeknownst to the user, the second company is also owned by the original attacker.
A program known as "Vicrypt," discovered by security firms in October, followed just this recipe. Computers infected with the malicious program would have critical files encrypted and a message displayed: "viCrypt: A problem occurred. Please Restart Windows." Searching online for "Vicrypt" would lead to a company offering a fix.
"It created a disconnect, so you may not have thought that the guys selling the solution were also responsible for the problem," says Symantec's Haley.
To avoid becoming a victim of ransomware, users should ensure that their operating system, major applications and antivirus software are up to date.
If you do become a victim, don't pay the ransom. In many cases, security companies will have already found a way to break the encryption scrambling your data. And much of the time, the tool is offered for free.
Copyright (c) 2010 Studio One Networks. All rights reserved.