Ransomware: Difference between revisions
m Citations: [Pu186]Tweaked: doi. Unified citation types. You can use this bot yourself. Report bugs here. |
|||
Line 6: | Line 6: | ||
Ransomware typically propagates as a conventional [[computer worm]], entering a system through, for example, a vulnerability in a network service or an e-mail attachment. It may then: |
Ransomware typically propagates as a conventional [[computer worm]], entering a system through, for example, a vulnerability in a network service or an e-mail attachment. It may then: |
||
* Disable an essential system service or lock the display at system startup.<ref name="symantec">{{citation|title = SMS Ransomware Threat|url = https://forums2.symantec.com/t5/Malicious-Code/SMS-Ransomware-Threat/ba-p/393500;jsessionid=3A2BEC4A6A5BD748AD9B41DD81F93745#A264|publisher = [[Symantec]]|first = Andrea|last = Lelli|date = 2009-04-16|accessdate = 2009-04-18}}</ref><ref name="zdnet">{{citation|title = New ransomware locks PCs, demands premium SMS for removal|publisher = [[ZDNet]]|first = Dancho|last = Danchev|date = 2009-04-22|accessdate = 2009-05-02|url = http://blogs.zdnet.com/security/?p=3197}}</ref> |
* Disable '''do you can'''''''Italic text'''' an essential system service or lock the display at system startup.<ref name="symantec">{{citation|title = SMS Ransomware Threat|url = https://forums2.symantec.com/t5/Malicious-Code/SMS-Ransomware-Threat/ba-p/393500;jsessionid=3A2BEC4A6A5BD748AD9B41DD81F93745#A264|publisher = [[Symantec]]|first = Andrea|last = Lelli|date = 2009-04-16|accessdate = 2009-04-18}}</ref><ref name="zdnet">{{citation|title = New ransomware locks PCs, demands premium SMS for removal|publisher = [[ZDNet]]|first = Dancho|last = Danchev|date = 2009-04-22|accessdate = 2009-05-02|url = http://blogs.zdnet.com/security/?p=3197}}</ref> |
||
* Encrypt some of the user's personal files.<ref name="young">{{citation|doi = 10.1109/SECPRI.1996.502676|first1 = Adam|last1 = Young|first2 = Moti|last2 = Yung|url = http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=502676|title = Cryptovirology: Extortion-Based Security Threats and Countermeasures|journal = 1996 IEEE Symposium on Security and Privacy|pages = 129–141|year = 1996}}</ref> Encrypting ransomware were originally referred to as '''cryptoviruses''', '''cryptotrojans''' or '''cryptoworms'''.<ref name="young-2">{{citation|first = Adam|last = Young|title = Building a Cryptovirus Using Microsoft's Cryptographic API|journal = Information Security: 8th International Conference, ISC 2005|editor-first = Jianying|editor-last = Zhou|editor2-first = Javier|editor2-last = Lopez|pages = 389–401|year = 2005|publisher = [[Springer-Verlag]]}}</ref><ref name="young-3">{{citation|first = Adam|last = Young|title = Cryptoviral Extortion Using Microsoft's Crypto API: Can Crypto APIs Help the Enemy?|journal = International Journal of Information Security|volume = 5|issue = 2|pages = 67–76|publisher = [[Springer-Verlag]]|year = 2006}}</ref> |
* Encrypt some of the user's personal files.<ref name="young">{{citation|doi = 10.1109/SECPRI.1996.502676|first1 = Adam|last1 = Young|first2 = Moti|last2 = Yung|url = http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=502676|title = Cryptovirology: Extortion-Based Security Threats and Countermeasures|journal = 1996 IEEE Symposium on Security and Privacy|pages = 129–141|year = 1996}}</ref> Encrypting ransomware were originally referred to as '''cryptoviruses''', '''cryptotrojans''' or '''cryptoworms'''.<ref name="young-2">{{citation|first = Adam|last = Young|title = Building a Cryptovirus Using Microsoft's Cryptographic API|journal = Information Security: 8th International Conference, ISC 2005|editor-first = Jianying|editor-last = Zhou|editor2-first = Javier|editor2-last = Lopez|pages = 389–401|year = 2005|publisher = [[Springer-Verlag]]}}</ref><ref name="young-3">{{citation|first = Adam|last = Young|title = Cryptoviral Extortion Using Microsoft's Crypto API: Can Crypto APIs Help the Enemy?|journal = International Journal of Information Security|volume = 5|issue = 2|pages = 67–76|publisher = [[Springer-Verlag]]|year = 2006}}</ref> |
||
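Review bot: the right-hand (newer) version of the first bullet inserts the stray fragment `'''do you can'''''''Italic text''''` between "Disable" and "an essential system service", leaving unbalanced bold/italic quote marks and a phrase with no meaning; that line should be reverted to the left-hand wording "Disable an essential system service or lock the display at system startup." The other two compared lines and all the enclosed citation templates are identical on both sides, and the edit summary describes only citation tweaks, so nothing in the shown lines corresponds to the stated change and the insertion is unrelated to it.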
Revision as of 16:12, 6 October 2010
Ransomware is computer malware which holds a computer system, or the data it contains, hostage against its user by demanding a ransom for its restoration.
Operation
Ransomware typically propagates as a conventional computer worm, entering a system through, for example, a vulnerability in a network service or an e-mail attachment. It may then:
- Disable an essential system service or lock the display at system startup.[1][2]
- Encrypt some of the user's personal files.[3] Encrypting ransomware was originally referred to as cryptoviruses, cryptotrojans or cryptoworms.[4][5]
In both cases, the malware may extort by:
- Prompting the user to enter a code obtainable only after wiring payment to the attacker or sending an SMS message and accruing a charge.[1][2]
- Urging the user to buy a decryption or removal tool.[6]
More sophisticated ransomware may hybrid-encrypt the victim's plaintext with a random symmetric key and a fixed public key. The malware author is the only party that knows the needed private decryption key. The author who carries out this cryptoviral extortion attack offers to recover the symmetric key for a fee.[7]
History
The first known ransomware was the 1989 PC Cyborg Trojan, which only encrypted filenames with a weak symmetric cipher. The notion of using public key cryptography for these attacks was introduced by Young and Yung in 1996,[3] who presented a proof-of-concept cryptovirus for the Macintosh SE/30 using RSA and TEA. Young and Yung referred to this attack as cryptoviral extortion, an overt attack that is part of a larger class of attacks in a field called cryptovirology. Cryptovirology encompasses both overt and covert attacks.
Examples of extortive ransomware reappeared in May 2005.[8] By mid-2006, worms such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive began utilizing more sophisticated RSA encryption schemes, with ever-increasing key sizes.
Gpcode.AG, which was detected in June 2006, encrypted with a 660-bit RSA public key.[9] Gpcode.AK, detected in June 2008, uses a 1024-bit RSA key,[7][10][11] which is believed to be large enough to be computationally infeasible to break without a concerted distributed effort.[12]
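As an added illustration (not from the article or from the papers it cites) of the key hierarchy described under Operation and of why the key sizes in this section kept growing: a toy model in which a constructed, deliberately tiny RSA modulus wraps a random symmetric key, so the only recovery path without the attacker's private key is to factor that modulus. The primes, the SHA-256 stream cipher standing in for a block cipher, and the file contents are all constructed for the example.

```python
import hashlib
import math
import secrets

# Constructed toy keypair: two small primes so the recovery step below is instant.
# The real cases above used 660-bit (Gpcode.AG) and 1024-bit (Gpcode.AK) moduli.
P, Q = 10007, 10009
N = P * Q
E = 65537
PUBLIC_KEY = (E, N)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric layer: SHA-256 counter-mode keystream XORed onto the data (its own inverse)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def hybrid_encrypt(plaintext: bytes, pub: tuple) -> tuple:
    """Cryptoviral extortion key hierarchy: a fresh random symmetric key encrypts the
    data; only that key is wrapped under the fixed public key, never the private key."""
    e, n = pub
    sym_key = secrets.randbelow(n - 2) + 2          # toy key; must be < n for textbook RSA
    wrapped_key = pow(sym_key, e, n)                 # RSA-wrapped symmetric key
    return wrapped_key, keystream_xor(sym_key.to_bytes(8, "big"), plaintext)


def recover_private_exponent(pub: tuple) -> int:
    """Defender's recovery path: factor n by trial division, then derive d. Feasible
    for this toy modulus; for 1024-bit n this is the step the article calls infeasible."""
    e, n = pub
    p = next(f for f in range(3, math.isqrt(n) + 1, 2) if n % f == 0)
    return pow(e, -1, (p - 1) * (n // p - 1))


def hybrid_decrypt(wrapped_key: int, ciphertext: bytes, d: int, n: int) -> bytes:
    """Unwrap the symmetric key with the private exponent, then undo the stream cipher."""
    sym_key = pow(wrapped_key, d, n)
    return keystream_xor(sym_key.to_bytes(8, "big"), ciphertext)


def demo() -> bool:
    """Encrypt a constructed file, then recover it through the factoring path only."""
    document = b"constructed victim file: quarterly report draft"
    wrapped, ciphertext = hybrid_encrypt(document, PUBLIC_KEY)
    d = recover_private_exponent(PUBLIC_KEY)
    return ciphertext != document and hybrid_decrypt(wrapped, ciphertext, d, N) == document


if __name__ == "__main__":
    print("recovered by factoring the toy modulus:", demo())
```

Replacing P and Q with primes of a few hundred bits each leaves the encryption side just as fast while making recover_private_exponent the bottleneck, which is the asymmetry the escalating key sizes exploit.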
References
1. Lelli, Andrea (2009-04-16), SMS Ransomware Threat, Symantec, retrieved 2009-04-18
2. Danchev, Dancho (2009-04-22), New ransomware locks PCs, demands premium SMS for removal, ZDNet, retrieved 2009-05-02
3. Young, Adam; Yung, Moti (1996), "Cryptovirology: Extortion-Based Security Threats and Countermeasures", 1996 IEEE Symposium on Security and Privacy: 129–141, doi:10.1109/SECPRI.1996.502676
4. Young, Adam (2005), "Building a Cryptovirus Using Microsoft's Cryptographic API", in Zhou, Jianying; Lopez, Javier (eds.), Information Security: 8th International Conference, ISC 2005, Springer-Verlag: 389–401
5. Young, Adam (2006), "Cryptoviral Extortion Using Microsoft's Crypto API: Can Crypto APIs Help the Enemy?", International Journal of Information Security, 5 (2), Springer-Verlag: 67–76
6. Cheng, Jacqui (2007-07-18), New Trojans: give us $300, or the data gets it!, Ars Technica, retrieved 2009-04-16
7. Naraine, Ryan (2008-06-06), Blackmail ransomware returns with 1024-bit encryption key, ZDNet, retrieved 2009-05-03
8. Schaibly, Susan (2005-09-26), Network World, http://www.networkworld.com/buzz/2005/092605-ransom.html?page=3, retrieved 2009-04-17
9. Leyden, John (2006-07-24), Ransomware getting harder to break, The Register, retrieved 2009-04-18
10. Krebs, Brian (2008-06-09), Ransomware Encrypts Victim Files With 1,024-Bit Key, Washington Post, retrieved 2009-04-16
11. Kaspersky Lab reports a new and dangerous blackmailing virus, Kaspersky Lab, 2008-06-05, retrieved 2008-06-11
12. Lemos, Robert (2008-06-13), Ransomware resisting crypto cracking efforts, SecurityFocus, retrieved 2009-04-18