EXTORTION, one of the oldest crimes in the book, has taken on an alarming technological twist. The FBI is warning that computer-savvy criminals have designed a virus that encrypts documents stored on a PC until the owner pays a ransom to unlock them. While the virus has so far only used weak encryption that is easily overcome, the fear is that it could be made tougher and start demanding large sums of money.
“The virus searches a victim’s hard drive and encrypts any text-based documents it finds”
The virus searches a victim’s hard drive and encrypts any text-based documents it finds there. The existing version then displays a ransom note that demands $200 for supplying the software that will decode the encrypted data so that it can be read again.
Advertisement
The novel attack exploits encryption technology originally designed to protect data, not kidnap it. To add insult to injury, it stores the kidnapped data in front of the victim’s eyes, on their own personal computer.
The virus was discovered last week by the web-filtering company Websense of San Diego, California, when one of its clients’ computers became infected. The malicious code is designed to take advantage of a vulnerability in the victim’s web browser to download itself onto their hard drive.
Despite having the filename Pgpcoder, the virus does not use the popular and highly secure encryption algorithm, Pretty Good Privacy (PGP). The name may have been designed to hide the true nature of the file or perhaps to besmirch PGP’s good name with the digerati.
Once Pgpcoder has infected a computer, it searches the victim’s hard drive for 15 common file types to encode, including Word, Excel and html files. A message then appears demanding money for the decoder.
“It’s just another version of extortion,” says Dan Hubbard, director of security and defence at Websense. He would not reveal any details of the FBI investigation into what he calls “ransomware”, but did point out that a rather obvious weakness in the attack is that the ransom includes a contact email address and an electronic cash account number, both of which could be traced.
“This is the only case so far,” Hubbard says, and the encryption algorithm it used was not very sophisticated. By reverse engineering the algorithm, Joe Stewart, a computer security consultant with Chicago-based IT firm Lurhq, was able to write a decoder that allowed the encrypted data to be recovered.
The danger now is that the virus writers might turn to using strong military-grade encryption systems instead. “That would make it impossible to decrypt the files,” Stewart says, leaving people with little option but to pay up.
The best defence against such attacks is to buy antivirus software and keep it up to date, and ensure that the latest operating system and browser security patches are installed. And with webmail services like Gmail offering 2 gigabytes of free storage, it doesn’t hurt to back up precious documents elsewhere.
This is not the first time “malware” has been written to extort cash. Criminals have tried – and in some cases succeeded – in blackmailing internet betting firms by threatening to bring down their websites with a so-called distributed denial of service attack. The new virus differs in that it targets individual users.
Criminals are increasingly turning to malware to make money, Stewart says. One recent instance he quotes is a worm called Myfip, which targets a company’s product designs and emails them to product counterfeiters in China.
Look for the file with no name
If a strongly encrypting virus is ever developed, is the encrypted data really lost for good? Ollie Whitehouse of antivirus firm Symantec, which produces the Norton internet security software, says there could still be ways to recover the data. This is because data files tend not to be encrypted in situ on a hard drive. Instead, the algorithm makes a copy of the file, encrypts it, saves it and then deletes the original. When a file is deleted it is normally just stripped of its filename. So, depending upon how much time has passed since the original was deleted, the data could still be sitting on the hard drive, minus its filename, and could be retrieved with techniques usually used to recover forensic evidence. But such services do not come cheap, Whitehouse says.