AV firm seeks help cracking ransomware key

Back up your data. Crypto Trojans are back.

A security company has asked for help cracking an encryption key that is central to an extortion scheme which demands money from users whose PCs have been infected by malware.

Kaspersky Lab, a Moscow-based antivirus firm, put out the call last week for assistance after it discovered a new variant of Gpcode, a Trojan horse that has been used in isolated "ransomware" attacks for the past two years.

In ransomware attacks, hackers plant malware that encrypts files and then displays a message demanding money to unlock the data. In the case of the newest Gpcode, 143 different file types are encrypted, including .bak, .doc, .jpg and .pdf. The encrypted files are marked by the addition of "_CRYPT" in their file names, and the original unencrypted files are deleted. As a camouflaging move, Gpcode also tries to erase itself.

Finally, the ransom note appears on-screen. "Your files are encrypted with RSA-1024 algorithm," it begins. "To recovery [sic] your files you need to buy our decryptor. To buy decrypting tool contact us at: xxxxx@yahoo.com."
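The behaviour described above (files renamed with a "_CRYPT" marker, originals deleted) is what a defender can look for on disk. The following is an added example written for this article, not Kaspersky's code and not anything from the malware: it scans a constructed directory listing for the marker, tallies which original extensions were hit, and checks whether the unencrypted originals are gone. Two things are assumptions because the article does not state them: that "_CRYPT" is appended at the end of the file name (either right after the extension or as a separate trailing component), and that the four extensions named in the article stand in for the full list of 143 targeted types.

```python
"""Detection helper for the file-renaming behaviour the article attributes to Gpcode.

Added example for this article; it is not Kaspersky's code and does not reproduce the
malware. It scans a directory listing (constructed below) for the "_CRYPT" marker,
tallies the original extensions, and checks whether the unencrypted originals have
disappeared, which is the combination a defender would alert on.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Extensions the article names among the 143 targeted types; the full list is not on the page.
TARGETED_EXTENSIONS = {".bak", ".doc", ".jpg", ".pdf"}

# Assumption: the marker is appended at the end of the name, either directly after the
# original extension ("budget.doc_CRYPT") or as a separate trailing component
# ("db.bak._CRYPT"). The article only says "_CRYPT" is added, so both layouts are accepted.
MARKER_RE = re.compile(r"^(?P<stem>.+?)(?P<ext>\.[A-Za-z0-9]+)?\.?_CRYPT$")


def parse_marked_name(name: str) -> Optional[Tuple[str, str]]:
    """Return (original_name, lowercase_ext) if `name` carries the marker, else None."""
    m = MARKER_RE.match(name)
    if m is None:
        return None
    stem, ext = m.group("stem"), m.group("ext") or ""
    return stem + ext, ext.lower()


def scan_listing(names: Iterable[str]) -> Dict[str, object]:
    """Summarise a flat listing of file names from one directory."""
    names = list(names)
    present = set(names)
    marked: Dict[str, Tuple[str, str]] = {}
    for n in names:
        parsed = parse_marked_name(n)
        if parsed is not None:
            marked[n] = parsed
    by_ext = Counter(ext for _, ext in marked.values())
    # The article reports that originals are deleted after encryption; count how many
    # marked files have no surviving counterpart under the original name.
    originals_missing = sum(1 for orig, _ in marked.values() if orig not in present)
    return {
        "marked_files": len(marked),
        "by_extension": dict(by_ext),
        "originals_missing": originals_missing,
        "targeted_extension_hits": sum(c for e, c in by_ext.items() if e in TARGETED_EXTENSIONS),
    }


def looks_like_gpcode_activity(summary: Dict[str, object], min_files: int = 3) -> bool:
    """Alert when several marked files exist and every original is gone (threshold is a chosen value)."""
    return summary["marked_files"] >= min_files and summary["originals_missing"] == summary["marked_files"]


# Constructed listing: four encrypted files whose originals are gone, plus benign noise.
SAMPLE_LISTING = [
    "budget.doc_CRYPT", "holiday.jpg_CRYPT", "invoice.pdf_CRYPT", "db.bak._CRYPT",
    "notes.txt", "readme.txt", "crypt_notes.doc",
]

# Constructed clean listing: one marker-like name whose original still exists.
CLEAN_LISTING = ["report.doc", "report.doc_CRYPT", "photo.jpg", "letter.pdf"]

if __name__ == "__main__":
    for label, listing in (("suspicious", SAMPLE_LISTING), ("clean", CLEAN_LISTING)):
        s = scan_listing(listing)
        print(label, s, "ALERT" if looks_like_gpcode_activity(s) else "ok")
```

The alert condition deliberately requires both signals (several marked names and no surviving originals), because a single stray file that happens to end in the marker, or a backup that kept the originals alongside, should not page anyone; the threshold of three is a placeholder to tune against your own file-server baselines.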

Last Thursday, a Kaspersky analyst identified as "VitalyK" said that although the company had analysed samples of Gpcode, it wasn't able to decrypt the files the malware encoded. "We can't currently decrypt files encrypted by Gpcode.ak," said VitalyK in an entry to the company's research blog. "The RSA encryption implemented in the malware uses a very strong, 1024-bit key."

According to Kaspersky's write-up, the key is created by Windows' built-in cryptographic component, Microsoft Enhanced Cryptographic Provider. Kaspersky has the public key in hand - it is included in the Trojan's code - but not the associated private key necessary to unlock the encrypted files.

Two days later, another Kaspersky researcher asked for help. "Along with antivirus companies around the world, we're faced with the task of cracking the RSA 1024-bit key," said Aleks Gostev, a senior virus analyst. "This is a huge cryptographic challenge. We estimate it would take around 15 million modern computers, running for about a year, to crack such a key." Gostev provided the public key in his posting.

"So we're calling on you: cryptographers, governmental and scientific institutions, antivirus companies, independent researchers," said Gostev. "Join with us to stop Gpcode."

One rival researcher, however, took exception to the call to arms. In a message posted to Kaspersky's support forum, Vesselin Bontchev, a Bulgarian researcher who works for Frisk Software, an Icelandic antivirus company, called it a stunt.

"What is proposed here is an unrealistic, useless waste of time that will fail," said Bontchev, who also charged that Kaspersky's estimate of the computing time it would take to break the key was optimistic. "The only use of this project is for generating free publicity for Kaspersky Labs."

A Kaspersky employee identified as "Codelancer" replied, thanking Bontchev for his opinion, but then closed the thread. Kaspersky Labs' US-based public relations representative wasn't available Sunday for additional comment.

The company has had success in the past breaking Gpcode's encryption keys, however. Two years ago, when the ransomware Trojan first appeared, Kaspersky's researchers were able to crack the 660-bit key, but only because the malware's maker had made mistakes implementing the encryption algorithm. Gpcode also reappeared last summer, locking the encrypted files with what its maker claimed was a 4096-bit RSA key.

Kaspersky told users that backing up their data is the surest way to sidestep ransomware scams. "That way, if you do fall victim to Gpcode and your files get encrypted, at least you won't have lost any valuable information," said a third Kaspersky analyst, David Emm.


Comments

abc data recovery | Published: 03:09 GMT, 15 June 2008

Wow! I really was irate. Kaspersky, I respect the many years of research and dedication you have put into writing the books I have read of yours and hope I have benefited from: if it helps to explain my irate spewings, I was really looking forward to helping with a genuine challenge! Oh well, back to work .... I hope no-one ever reads this? Sorry Intel, your advert seems to have been pushed down the page. It needs repositioning. I really am gone, sorry for the lack of punctuation, spell checking, virus checking or encryption in my posts.

abc data recovery | Published: 02:51 GMT, 15 June 2008

Missing grant money? .... Well, that's another story. Sorry to have wasted your time if you have read this, but time is precious; I might as well use it for my own publicity, being as I am here at 2:30AM GMT on a Sunday morning expecting to be looking into a challenge.... abc data recovery, nothing better to do than............ Sorry, back now, where was I? Forgot, I need help! Anyone know how to crack this code with a ZX80 :-) MY APOLOGIES to all mentioned within, I hope the writer and/or Kaspersky will also apologise for this wasteful cyber-space filler. If anyone has some more interesting challenges, we are looking for any hard drives that were in communications satellites, or any space rockets (any nationality) that have fallen from the edge of space (I only know of one). I will pay well for the marketing generated by recovering the data. (Anyone care to comment!) Bye! (Sorry, no more time to waste.)

abc data recovery | Published: 02:38 GMT, 15 June 2008

Perfect recovery of the drive, but cracking the encryption, well, it would be just a waste of time, as is this news item that brought me here with an interesting headline in the first place; it is only another non-event. It is a good job I had not just emailed all my staff, opened up 3x42u racks of Dell 2950 dual quad core processors signed off for programming and processor time, then logged on to my electricity provider to arrange additional power (drat, what was the password?) ... well, you can see how upset I am that Kaspersky would use this as a marketing scam.... Seems too much like digg digg, the missing EMAK (DiskMaster) claimed to be ready after 4 years of development and substantial grants I could not get, and yet a competitor 6 months ago announced on the net DiskMaster to be ready QTR 4 2007 for general release to an eager Data Recovery industry --- no sign 6 months later .. well not quite, the page was replaced by something else, but where is the

abc data recovery | Published: 02:35 GMT, 15 June 2008

As the owner of a data recovery company that sees drives 24/7 with data corrupted apparently by viruses, more often it is just forgetfulness of a password or degradation of the drive surface... and here lies the dilemma: we are all having to keep track of passwords we are continually updating, varying and forgetting, and here at last is my point (he says with a fiendish smile, in the vein of how this story heading is wasteful of precious time -- let me rant some more -- I'll have some coffee, you read if you can put up with it): one day we will be protecting our passwords with unbreakable levels of encryption; it won't matter how hard any of us in our anger throw the laptop at the wall in frustration at being locked out of our secure online storage repository, calling on my data recovery and hard drive repair technicians will no doubt give the drive new heads, and careful scanning around the damaged areas of the drive surfaces where the heads had landed will result in a near

abc data recovery | Published: 02:21 GMT, 15 June 2008

Free publicity is often the key to such calls to arms. But I was attracted by the lead heading on another, more interesting site, but the challenge brought me here! .. I just rarely see one I dare put my spare time and resources to... As I say to my staff .... believe it or not, money is not the real problem .... time is .... If you need something quickly, then be prepared: it takes money; if you don't mind waiting, sooner or later it will cost money, so time is not to be wasted or it will cost the customer money. In this case, as readers we are the customers, nay consumers, and as you read on you will see I am angry at such a waste of time, so stop reading now if you do not want more time wasted, and put them back to where they were without wasting too much of their life or their money. Surely this article should have said this is a marketing article meant for people with nothing better to do)

