Data lock

Ransomware not all it’s cracked up to be

Pro
Image: Stockfresh

5 August 2015

All ransomware is not created equal and therefore should not be universally feared, according to one researcher. In fact, some ransomware, which locks up infected computers until a demanded sum is paid, makes false claims about the damage it is capable of doing, and some of the data it purports to seize can be recovered, says Engin Kirda, the cofounder and chief architect at Lastline Labs.

For example, certain families of ransomware threaten to delete files, but the method they use to do so does not securely wipe them from the disk, he says, and as a result, “there is a good chance that the deleted files can be recovered.”

Some ransomware, notably Cryptolocker and Cryptowall, do a good job of encrypting data until victims pay to get it decrypted, he says. “However, many other ransomware families also exist that do a bad job in cryptography,” wrote Kirda in a white paper.

Kirda found a variant of Gpcode ransomware that used a static key that can be recovered by comparing the encrypted files to the originals and unlocking the encryption. Similarly, TeslaCrypt said it was using asymmetric RSA 2048 encryption, but it was not. Instead it used symmetric AES encryption, and that has been successfully broken, he says. “Don’t assume ransomware means everything is gone forever,” he says.

In a corporate environment a good way to stop ransomware is to catch it at a security gateway before it has the chance to infect endpoints, Kirda says. That can be done because the malware has to perform certain detectable functions in order to do its damage. It has to repeatedly work on files in different drives and directories, something that can be readily detected when a ransomware sample is being analysed. And ransomware announces itself to the victim in order to demand payment. That, too, is a feature that is apparent under analysis, he says.

Kirda looked at 1,359 active ransomware samples that were observed in the wild between 2006 and 2014. Of those, 61% only targeted the desktop of victim machines, not any documents in the file system. They used a mix of custom and standardised encryption systems, such as CryptoAPI in Windows systems. “After all these libraries are widely available, and they are easy to use,” he says.

 

 

Tim Greene, IDG News Service

Read More:


Back to Top ↑

TechCentral.ie