Digg this story   Add to del.icio.us   (page 2 of 2 ) previous 
Ransomware resisting crypto cracking efforts
Robert Lemos, SecurityFocus 2008-06-13

Story continued from Page 1

The problem is not going to get any easier.

A person, presumably the author of Gpcode, contacted at one of the e-mail addresses left behind by the program stated that future development efforts will likely increase the key size to 4,096 bits, "if AV companies or other (people) crack the current key, but (that's) impossible."

The self-proclaimed author, who used the name "Daniel Robertson," also said that other standard techniques to defeat antivirus will be added, including polymorphic encryption, anti-heuristic features and the ability to self propagate, turning the program into a computer virus.

Although extortion is not an uncommon way for online criminals to turn their illicit activities into cash, the usual technique has been the online equivalent to a protection scam -- first attacking an online site and then requesting payment to the attack to go away. Encrypting a users files and demanding payment for a key has, until now, been fairly ineffective.

This week, Kaspersky made available an add-on tool to help recover files by undeleting the data from a users' hard drive and searching for the names of the deleted files. The effectiveness of the process is typically dependent on a variety of factors, including how much free space is on the hard drive and the degree to which the victim used their computer since Gpcode encrypted the data.

For users, however, the best defense is to back up their data, and not just to an external hard drive, but to some removable storage or offsite service, said researcher Bontchev.

"The most reliable solution is backups," he said. "Treat such viruses the same way you treat data corruption viruses."

Yet, Bontchev did not hold out much hope that users will learn to better protect their data.

"It is very difficult to catch the attacker, and if user education was ever going to work, don't you think it would have worked by now?" he said.

While the writers of Gpcode took a two-year hiatus between the last version of program and the most recent one, the extortionists are unlikely to stop. "Robertson," who claimed not to be the original author of Gpcode, said development will continue in the future, because the scheme makes money.

"It well pays back itself," he said.

If you have tips or insights on this topic, please contact SecurityFocus.

    Digg this story   Add to del.icio.us   (page 2 of 2 ) previous 
Comments Mode:


Privacy Statement
Copyright 2010, SecurityFocus