Beware of data kidnappers

Computer users who fail to back up their data are being held to ransom by hackers who hold their information prisoner, according to one information security firm.

Though so-called ransomware has been around since 2004, this year has seen the first instances that used sophisticated encryption technology to hold data prisoner, according to anti-virus firm Kaspersky.

"January 2006 was the first time that a blackmail virus, Gpcode.ac, used a sophisticated encryption algorithm," said Alexander Gostev, senior virus analyst at Kaspersky in that company's latest quarterly report.

Ransomware attacks take control of a company's data and encrypt it. The key needed to decrypt the data is only released if money is paid to the hackers carrying out the attack. Companies that back up their data regularly cannot be held to ransom, since they have independent access to their data.
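The defence the article describes, an independent copy of the data, only works if the backup is complete and was not itself taken after the files were encrypted. The following is an added example, not code from the article or from Kaspersky, of a small backup verification check: it records a SHA-256 manifest of the protected files, compares a backup tree against that manifest, and flags any changed file whose content has near-random entropy, which is what encrypted output looks like. The file names, contents and the entropy threshold of 7.0 bits per byte are constructed for the demonstration.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Constructed sample data: a few "documents" as they exist on the protected host.
SAMPLE_FILES = {
    "reports/q1.txt": b"Quarterly figures: revenue 120, costs 80, margin 40.\n" * 20,
    "reports/q2.txt": b"Quarterly figures: revenue 130, costs 85, margin 45.\n" * 20,
    "notes/todo.txt": b"- renew certificates\n- rotate backup media\n" * 10,
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 of content for every regular file under root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_backup(manifest: dict, backup_root: Path, entropy_threshold: float = 7.0) -> dict:
    """Compare a backup tree against a trusted manifest.

    Returns three lists: files missing from the backup, files whose hash differs
    from the manifest, and changed files whose content is high-entropy (a hint
    that the backup captured data that had already been encrypted)."""
    report = {"missing": [], "modified": [], "suspect_encrypted": []}
    for rel, digest in manifest.items():
        path = backup_root / rel
        if not path.is_file():
            report["missing"].append(rel)
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            report["modified"].append(rel)
            if shannon_entropy(data) >= entropy_threshold:
                report["suspect_encrypted"].append(rel)
    return report


def write_tree(root: Path, files: dict) -> None:
    """Materialise a dict of relative path -> bytes under root."""
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> dict:
    """Build a manifest from the good copy, then verify a backup in which one
    file was replaced by random bytes (constructed stand-in for encrypted
    output) and one file was never copied at all."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        backup = Path(tmp) / "backup"
        write_tree(source, SAMPLE_FILES)
        manifest = build_manifest(source)

        damaged = dict(SAMPLE_FILES)
        damaged["reports/q1.txt"] = os.urandom(1024)  # constructed: looks encrypted
        del damaged["notes/todo.txt"]                 # constructed: not backed up
        write_tree(backup, damaged)
        return verify_backup(manifest, backup)


if __name__ == "__main__":
    print(demo())
```

The manifest should be produced while the data is known-good and stored somewhere the protected host cannot overwrite; a manifest kept alongside the files would be encrypted with them. The entropy check is a heuristic: legitimately compressed or encrypted files also score high, so it flags candidates for a human to look at rather than proving an infection.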

Previous attempts to hold companies to ransom used some fairly basic encryption, quickly resulting in an encryption war between the perpetrators and the security firms.

"The author used the RSA algorithm to create a 56-bit key, and cracking it didn't pose any problems for antivirus companies," said Gostev. "It seems that the speed at which the problem was solved caused the virus writer to rethink his/her approach. In June, the Russian segment of the internet was attacked by a new version of Gpcode, but this time a 260-bit key was used. However, this longer key didn't cause problems for our analysts, who were able to crack it in less than 5 minutes. This was the start of a face-off between the two sides – who would be more persistent, who would have better knowledge of cryptography, and who would have access to the most computing power?"

Gostev said in his report that the company was eventually able to break a 330-bit key, and then a 660-bit key, though he will not say how. "On 7th June 2006, Gpcode.ag was downloaded to thousands of Russian computers from an infected site. This latest variant used a 660-bit key, the longest key which has ever been broken. According to estimates, it would take at least 30 years using a 2.2 GHz computer to break such a key. But luck was on our side – our analysts were able to add decryption routines for files which had been encrypted using this key to antivirus databases within a single day."

The viruses behind the ransoms were spread via a Russian recruitment site, so some social engineering was involved in their distribution. Gostev said that the problem, though solved in the short term, is likely to grow in seriousness, even if the writers of the current viruses are found.

"RansomWare will undoubtedly remain a major headache for the antivirus industry, at least in the near future," he said in his report.