Video Screencast Help
Security Response

Rampant Ransomware

Created: 13 Jan 2011 16:44:58 GMT • Updated: 23 Jan 2014 18:23:18 GMT • Translations available: 日本語
Gavin O Gorman's picture
+3 3 Votes
Login to vote

Contemporary viruses are written to make money. They achieve this through extortion, information theft, and fraud. Threats that use extortion can be some of the most aggressive and, in some cases, offensive viruses encountered. These viruses are generally referred to as ransomware. This blog discusses some of the nastiest variants that have been encountered so far.

In your face!
Whilst by its nature ransomware is not subtle, certain variants are very obvious in their approach. They use a combination of shock and embarrassment in order to extort money from people. The most recent example of this is Trojan.Ransomlock.F. The Trojan.Ransomlock family is a particular type of ransomware, which locks a user’s desktop. Once the desktop has been locked, it is then no longer possible to use the computer as normal. To restore access to the desktop, one typically has to send a text message to a premium rate number. A message containing the unlock code is then – hopefully – sent back to the user. (Trusting someone who has just compromised your computer and is holding you to ransom is generally not very reliable.)

In the case of the Trojan.Ransomlock.F variant, not only does it lock the desktop, but it also changes the desktop background to an explicit pornographic image as in Figure 1 (censored!). This additional trick has been included by the authors of the threat in order to play on the user’s insecurities. Having a graphic pornographic image emblazoned across a monitor is guaranteed to give anyone a red face. They are less likely to seek technical help from another person to solve the problem in an effort to avoid embarrassment.

Figure 1 Censored Trojan.Ransomlock.F image (see translation of the message in Figure 2)

WARNING!

You surfed gay porn videos for three hours.
The free viewing time has expired.

To pay for the service, you need to make an online payment through the Beeline system to XXXXXXX for the amount of $400 USD.

Upon receipt of the payment you will be given an activation code.
Enter it in the box below and press Enter.

Figure 2 Translated Trojan.Ransomlock.F

A similar tactic is used by Infostealer.Kenzero. This threat masquerades as an adult game. When the Trojan is first executed, the user is asked to enter some personal information. It then monitors any pornographic Internet pages visited by the user and uploads the list of pages to a certain website. The user is then threatened with exposure of this list, in association with their personal information, if a sum of money is not paid. Again, the threat plays on a person’s embarrassment in order to extort money.

Backup
Another approach that ransomware threats typically employ is holding a user to ransom for files on their computer. This is a relatively common tactic, but has evolved over the years, utilizing encryption in smarter ways. The general approach is to search for files on the compromised computer. When user-specific files such as .doc, .xls, .jpg, etc. are found, they are then encrypted by the threat. The encryption renders the files inaccessible. Only by obtaining the correct key can the files be decrypted and accessed. Of course, to get the key, the owner of the compromised computer has to pay out.

A classic implementation of this can be seen in Trojan.GPCoder.E. This Trojan generates an encryption key specific to the compromised computer. It then checks to see if the system date is after July 10th, 2007. If so, a comprehensive list of files is searched for and encrypted using the generated key. Furthermore, a message (Figure 3) is left in each folder where a file has been encrypted.

Hello,    your   files   are   encrypted   with   RSA-4096   algorithm  (http://en.wikipedia.org/wiki/RSA).
  You  will  need  at least few years to decrypt these files without our software.  
  All  your  private  information  for  last  3  months  were collected and sent to us.
  To decrypt your files you need to buy our software. The price is $300.
  To  buy  our software please contact us at: [MAIL_ADDRESS] and provide us your  personal code [PERSONAL_CODE].
  After successful purchase we will send your  decrypting  tool, and your private information
  will be deleted from our system.
  If  you  will not contact us until 07/15/2007 your private information will be shared and you will lost all your data.
                Glamorous team

Figure 3 Ransom message

Luckily, this threat did not use RSA, as it claimed (or a grammar-checker for that matter), and stored the generated encryption key in the registry. Therefore, it was possible for the user to retrieve the key from the registry and the files could then be successfully decrypted.
Unfortunately, a more recent implementation has proven to be much smarter and uses a more advanced encryption technique. Trojan.GPCoder.G uses the public key algorithm, RSA. The local files are initially encrypted using a symmetric encryption algorithm with a random key. This random key is then in turn encrypted by the public key of an RSA key pair. Without the private key from this key pair, it is not possible to obtain the symmetric key in order to decrypt the files. The owner of the compromised computer must send the encrypted symmetric key, along with the ransom to the malware authors. They decrypt the symmetric key and return it. This process is illustrated in Figure 4. The user can then decrypt their files. There is no way to bypass this technique. Unfortunately, unless the ransom money is sent to the malware authors (which has no guarantee of success), the only way to retrieve the encrypted files is from backup. Always backup!

Figure 4 Trojan.GPCoder.G process

Boot blocking
The most basic computer resource that an attacker can attempt to obtain a ransom for is access to the operating system itself. No operating system means no antivirus and no assistance from the Internet. Trojan.Bootlock achieves this by overwriting the master boot record (MBR) with custom code. The MBR is responsible for starting a computer’s operating system. By overwriting it with custom code, the malware authors deny a user access to the operating system. Instead the user is greeted with the message in Figure 5.


 
Figure 5 Trojan.Bootlock

The web page that is referenced in the message demands payment of $100 to obtain the password. Contrary to what the attackers claim, however, the hard drive is not encrypted and can still be accessed offline. The MBR can be repaired and the threat removed using the Norton Bootable Recovery Tool.

As always, the best way to defend against such threats is up-to-date antivirus and a regular backup routine. Thanks to the various engineers whose analysis made up this article, including Paul Mangan, Yousef Hazimee, Karthik Selvaraj, Fergal Ladley, and Elia Florio.