AllUnderstanding Ransomware and Strategies to Defeat it
Understanding Ransomware and Strategies to Defeat it
White Paper
Table of Contents
Author:
Robert Leong, Director
of Product Management,
McAfee Labs
Held Hostage in Hollywood. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Ransomware History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
The World of Digital Currency Payments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Why Ransomware Has Such Strong Growth. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Contributors:
Christiaan Beek
Cedric Cochin
Nicola Cowie
Craig Schmugar
Primer: How Ransomware Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
The Latest in Ransomware Tricks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Intel Security Malware Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Primer: Ransomware Remediation Strategies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Understanding Ransomware and Strategies to Defeat It
3
White Paper
Ransomware History
It may surprise you to know that ransomware has been around for quite a long time. The first
asymmetric ransomware prototypes were developed in the mid-1990s. The idea of using public-key
cryptography for computer attacks was introduced in 1996 by Adam L. Young and Moti Yung in the
1996 Proceedings of the IEEE Symposium on Security and Privacy. In the abstract, Young and Yung
said their prototype was meant to show how cryptography could be “used to mount extortion-based
attacks that cause loss of access to information, loss of confidentiality, and information leakage,
tasks which cryptography typically prevents.” Young and Yung presented a proof-of-concept
cryptovirus for the Apple Macintosh SE/30 using RSA and TEA asymmetric block ciphers.
What does “asymmetric” mean and why does that matter? The defining characteristic of publickey cryptography is the use of an encryption key by one party to perform either encryption or
decryption and the use of another key in the counterpart operation. In symmetric-key algorithms,
there is a single key used and shared between receiver and sender, thus the key used by the receiver
and sender is “symmetric” because it is the same. The use of multiple keys in asymmetric publickey cryptography allows ransomware to encrypt items on a system with a public key while never
exposing the private key, thus keeping it secret. For ransomware, this is essential for “mangling” data
files without exposing anything that someone could use to figure out how to undo the encryption.
Timeline of Some Noteworthy Ransomware Familes
• First asymmetric
ransomware
prototypes
1996
• Bitcoin invented
2006
• GPCode
2009
• CryptoWall
• CTB-Locker
• Virlock
2013
• Reveton
• CryptoLocker
• CryptoDefense
2014
2015
• TorrentLocker
• CrytoWall
• Ransomwareas-a-Service
• TeslaCrypt
• AlphaCrypt
Figure 1. Ransomware proofs of concept are 20 years old, but the business really took off in the past three years.
Even though this first asymmetric ransomware prototype was well publicized, there was a
logistical problem. How could the ransom be paid without exposing the malware author to risk?
Send payments to a post office box? The “AIDS” Trojan ransomware author tried that and law
enforcement officials tracked the money and arrested him. Thus until a usable ransomware “food
chain” could be created, there wasn’t much point in trying to leverage the idea of malicious
encryption for making money.
As a result, things were pretty quiet until 2005, when GPCode, also called PGPCoder, was launched.
It was a relatively simple Trojan encrypting common user files that matched the extensions matching
those in its code. (These extensions included .doc, .html, .jpg, .xls, .zip, and .rar.) The Trojan would
drop a text file that demanded payment in each directory with affected files. Back then, the payment
was typically between $100–$200 in e-gold or a Liberty Reserve account. The security industry
was able to come up with a variety of solutions to this Trojan (such as virus detection and utilities
to combat GPCode). GPCode was considered modestly successful in that the malware author(s)
behind GPCode and its variants were able to collect some money, but many variants had flaws (using
symmetric encryption, deleting the unencrypted files in a way that allowed disk scanners to recover
the files, etc.) that permitted users to recover data without paying the ransom.
Understanding Ransomware and Strategies to Defeat It
4
Please complete the form to gain access to this content