Malware Kidnapping Data
By Michael Ross
This article was published by ComputorEdge, issue #2630, 2008-07-25, as a feature article, in both their PDF edition (on pages 11-12) and their website.
Malicious software — commonly referred to as "malware" — comes in several different forms, including viruses and Trojan horses. These programs deliver a variety of "payloads", which comprise whatever malicious activity the programs are designed to perpetrate against their victims' hardware, software, or data.
Not long ago, a new category of malware emerged that has been described as "ransomware", because its payload takes the form of encrypting the victim's data, and demanding payment in exchange for the encryption key that the victim would presumably be able to use for decrypting and thus retrieving their precious data.
According to the ransomware Wikipedia article, "cryptovirology" is an even earlier term for this new type of online nastiness, and its manifestations have names corresponding to how the particular attacker's program is disguised: cryptovirus, cryptotrojan, or cryptoworm.
Anatomy of an Attack
Regardless of what type of program conceals the attacker's code, if the attack itself is successful, and the malicious code makes it past whatever security measures the victim has in place, then the victim will probably first learn of his fate when he tries to access a previously read file, which is now rendered inaccessible, because the ransomware has encrypted it.
In one scenario, the ransomware will have deleted the original file, and — the victim can only hope! — "safely" stored a copy of it in encrypted form. Alternatively, the original file will have been encrypted in place, and thus will exist — with its old name, in its old folder. In this second scenario, the file name will still appear within Windows Explorer, but it will be unreadable by whatever application is associated with that file type. Trying to open it by double-clicking the file's icon, or by choosing it from a "most recently used" list of files, will result in the application complaining that it cannot read the file.
Strangely enough, that first scenario may end up causing even less confusion than the second, because if multiple files and even directories have been deleted, then it should become clear to the victim rather quickly that this is not just a case of a single file somehow becoming corrupted. In addition, if all the files in the original folder have been deleted, and all that remains is a virtual ransom note, then it will be spotted that much sooner.
Data kidnappers, like their (in)human counterparts, will typically communicate with the victim by leaving some sort of ransom note, detailing their monetary demands, as well as their threats against the victim should those demands go unmet within a prescribed time frame, or if the victim seeks help from law enforcement. Computer users targeted by data kidnappers, usually find some sort of text file describing their demands and threats. The file may be named "README.TXT" or something similar. The attackers will typically make the file easy to spot, because if the victim never sees the message and simply assumes that his files have somehow been wiped out, with no hope of retrieval, then the attackers would never be able to receive their intended payment.
Example of an Attack
The first time that most tech-savvy computer users learned of ransomware, was during the summer of 2006, when a Trojan horse known as "Archiveus" began victimizing Windows users. Archiveus would target all of the files in the person's "My Documents" folder, combine them into encrypted files, delete the original files, and leave behind only three files: Demo.als, EncryptedFiles.als, and "INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt".
The second file, as suggested by its name, contains all of the ransomed data, while the third file is essentially a ransom note. Unlike other forms of ransomware that demand direct payment of money, Archiveus demanded that the victim purchase goods from a number of websites, in order to be given the passwords to unlock the other two files.
Fortunately for people victimized by Archiveus, the program contained a serious flaw, namely, the needed password was hidden in the code itself, but was still found by security experts. The victims certainly got lucky that time, and one can only hope that they learned a valuable lesson from the experience.
Foiling the Kidnappers
If you wish to avoid becoming a victim of ransomware yourself, then there are a number of measures you should take as soon as possible, if you have not already implemented them.
First and foremost, you should be performing regular backups of your data. There are a wide range of backup solutions from which you can choose — including Web-based file archival services, CD-RWs, archive tapes, USB thumb drives, and external hard drives. My personal favorite is the use of a second internal hard drive, and running full backups to it every day.
Yet simply running the backup process periodically is not sufficient. You should also check the contents of your important files to make sure that your data is still readable. Do not assume that reasonable file sizes indicate data integrity, because it is possible that ransomware has encrypted your files in place — in which case the file sizes will be little changed from the originals, if at all (depending upon the encryption method chosen by the attackers).
Other recommended security measures include regular use of up-to-date antivirus and anti-spyware applications. Make use of hardware and/or software firewalls. Avoid visiting websites of a questionable nature, and definitely do not download programs from such sites. Use generally more secure browsers, such as Firefox, Opera, or Safari.
Lastly, if Windows is your operating system, do not store your personal files in the "My Documents" folder, because it is such an easy target for attackers. It is much safer to store your important files in folders that you have created yourself, nowhere within the "My Documents" folder.
If you follow these security suggestions, it is highly unlikely that your critical data will ever be held hostage.
Copyright © 2008 Michael J. Ross. All rights reserved.