Ransoming virus

Kaspersky Lab, the anti-virus vendor, has detected a new variant of the Gpcode virus. It encrypts some data files on the hard disk, renames them with the extension ._CRYPT, and drops a file !_README_!.txt in the folder. It then displays a message announcing the encryption and giving a contact e-mail address.

The virus claims to use RSA-1024, which would put it beyond the reach of a brute-force attack. The victim is expected to contact the pirate and pay the ransom, after which he will receive a decryption tool.

This type of attack is not new; older viruses used the same technique. More dangerously, attackers have penetrated enterprise networks, encrypted critical data, and later demanded a ransom. Such attacks are not widely publicized because enterprises prefer discretion (fear of a bad reputation).

Should the victim of the virus pay?

  • First of all, if the data are carefully backed up every day, this attack is painful but not lethal. If the ransom notification appears several days or weeks after the infection, it may be more problematic: there are many files that you do not access daily, and some people or SOHO users back up to rewritable storage, overwriting the previous backup.
  • What guarantees that the pirate will provide the decryption tool after payment? Would you trust your tormentor?

By the way, does the virus really use RSA-1024? Maybe it just brags about it and implements something less secure. The advantage of asymmetric crypto is that reverse engineering the virus will not leak the decryption key (which may not be the case with symmetric crypto). It would be “funny” if the virus just used an XOR with a long key, or even wrote random data (if the pirate does expect to extort money).
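As an added illustration (not part of the original post), here is the triage check an incident responder can run when a clean copy of a file survives in a backup: XOR-ing the original against its ._CRYPT copy exposes the cipher's keystream, and if that stream repeats with a short period the virus only used a repeating-key XOR, so every file can be recovered with the same key and no ransom. All sample data below is constructed, and the 8-byte key `weak-key` is an assumption, not anything taken from a real Gpcode sample.

```python
import random
from typing import Optional

def keystream(plain: bytes, cipher: bytes) -> bytes:
    """XOR a clean original (e.g. restored from backup) against its
    encrypted copy. For any XOR/stream cipher this exposes the keystream."""
    return bytes(p ^ c for p, c in zip(plain, cipher))

def smallest_period(stream: bytes, max_period: int = 256) -> Optional[int]:
    """Shortest p such that the stream repeats every p bytes, or None if no
    period up to max_period exists (what a sound cipher should look like)."""
    for p in range(1, min(max_period, len(stream) // 2) + 1):
        if all(stream[i] == stream[i % p] for i in range(p, len(stream))):
            return p
    return None

def triage(plain: bytes, cipher: bytes) -> dict:
    """Decide whether the encryption is a repeating-key XOR (recoverable)
    or shows no short period (treat it as real crypto: restore backups)."""
    period = smallest_period(keystream(plain, cipher))
    if period is None:
        return {"period": None, "key": None,
                "verdict": "no short period: restore from backup"}
    key = keystream(plain, cipher)[:period]
    return {"period": period, "key": key,
            "verdict": "repeating-key XOR: files recoverable without ransom"}

def recover(cipher: bytes, key: bytes) -> bytes:
    """Undo a repeating-key XOR with the key found by triage()."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(cipher))

# --- constructed sample data (not from any real Gpcode sample) ---
SAMPLE_PLAIN = b"Quarterly report: revenue up 4%, headcount flat. " * 8
WEAK_KEY = b"weak-key"                                # assumed 8-byte XOR key
SAMPLE_XOR_CIPHER = recover(SAMPLE_PLAIN, WEAK_KEY)  # XOR is its own inverse
# stand-in for the output of a genuine cipher: deterministic pseudo-random bytes
SAMPLE_STRONG_CIPHER = random.Random(7).randbytes(len(SAMPLE_PLAIN))

if __name__ == "__main__":
    for name, c in (("xor", SAMPLE_XOR_CIPHER), ("strong", SAMPLE_STRONG_CIPHER)):
        print(name, triage(SAMPLE_PLAIN, c)["verdict"])
```

With a block cipher the XOR of plaintext and ciphertext is not a keystream at all, but it will not be periodic either, so the "restore from backup" verdict still holds.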
