The return of ransomware

Ransomware is nothing more than a virtual stick-em-up. You download malware, which encrypts files on your computer. Then the malware delivers an extortion message: Pay us cash and we'll give you access to your files again. The technique gained a moment of notoriety in 2006 when one such attack managed to make the news. This past summer ransomware returned. This time, the criminals have added a strong dose of social engineering to the attack.

The actual Trojan that encrypts files and delivers the ransom note is dubbed GPCode, or alternatively, Sinowal. It demands $300 in exchange for the key to decrypt your files. Failure to pay will result in the files being published on the Internet, according to the threatening note. What's more, the note says, the files have been encrypted using an algorithm called RSA-4096, and it includes a link to an article about the technology that notes that RSA-4096 is virtually unbreakable.

But, according to security researchers, it's all a bluff, the virtual equivalent of jabbing your finger through your jacket pocket and claiming you have a gun. GPCode does not actually take any files to publish on the Internet, and the encryption it uses is relatively easily cracked by professionals.

The goal of the bluff is to terrify someone with the prospect of being unable to access critical files. The relatively low amount of cash the extortionists demand is further meant to facilitate the transaction, creating in the victim's mind an easy trade-off; it seems like a pittance next to a ruined career.

The newfound ability of hackers to create mass distribution of their malware through spam and iFrames allows them to ask for less money from more victims, increasing the likelihood that any one victim will pay.

Experts suggest you never capitulate, especially before analyzing the situation with a team that includes security researchers, encryption experts and perhaps security experts skilled in negotiation and extortion threats. And don't buy into the hype of a few sensational news reports. Experts believe that ransomware, while a real threat, is but one tree in the forest of risk and probably gets more press than it warrants because it makes for good reading. "What should warrant attention is a new development, something widespread, or something causing severe devastation," says security researcher Jose Nazario. Ransomware, he notes, is 0-for-3 on those criteria.

GPCode has already come and gone. Another ransomware attack will probably come along. Remember, it's probably just the guy's finger jabbing into your back.

Scott Berinato

What to Do If You're Hit with Ransomware

1. Don't panic. It's natural to freak out when important files go missing, especially when someone is claiming to have the power to publish them on the Internet. Don't panic. Lead.

2. Don't pay. Paying extortion fees only invites more extortion. Payment should be a final, desperate option and only when negotiation experts say it's your best option.

3. Assemble a team. Include encryption experts who might be able to unlock the files, security researchers who can look for the source of the attack and troll for intelligence, and someone skilled in negotiation if the situation becomes more serious or the attackers try to establish contact.

4. Create awareness. One of your biggest threats in this situation is an emotional user who thinks his career and/or life can be ruined by this development. Make sure users don't act on their own behalf, and create an environment to help them contain what is sure to be an emotional response to the ransomware attack.

S.B.

Copyright © 2007 IDG Communications, Inc.