Jul 25, 2006 (09:07 AM EDT)
Hackers Holding Data For Ransom On The Rise

Read the Original Article at InformationWeek

Attacks in which criminals encrypt a victim's data and hold it for ransom are becoming more sophisticated, a security company said Tuesday, and it may be only a matter of time before the attackers' encryption outpaces researchers' ability to break it.

Although "ransomware" remains relatively rare, Moscow-based Kaspersky Labs stressed in a recently published report that the threat is growing quickly.

"This is the highest point [in ransomware] we've ever seen," said Shane Coursen, senior technical analyst with Kaspersky. "In the number of new instances of ransomware, not in the volume of attacks, we're seeing more types of this than ever before.

"But it's not reached its highest limit."

The report by Alexander Gostev, a Kaspersky senior virus analyst, tracked the evolution of ransomware from 2004 through 2006, and noted that each successive attack has upped the ante on encryption. June 2006's "Gpcode.ag," for instance, was downloaded to thousands of Russian computers from an infected site, then encrypted the victims' files with a 660-bit RSA key.

"[This is] the longest key which has ever been broken," wrote Gostev. Although it would normally take a standard PC approximately 30 years of computing time to break a key that long, "luck was on our side. Our analysts were able to add decryption routines for files which had been encrypted using this key to antivirus databases within a single day."

In a typical ransomware attack, the criminal reaches into a computer already compromised by a worm or Trojan and selects a large set of files. The malware then encrypts those files, leaving them inaccessible to their owner. Later, the attacker e-mails the victim a ransom demand for the key that decrypts the frozen files.

"This is a serious threat," said Coursen. "This is a threat that if it affects your system, there's no way to recover your data."

And it's becoming more serious.

As the criminals turn to ever-more-elaborate encryption, they may be able to outpace and outwit anti-virus researchers. The earliest ransomware simply stored the kidnapped files in compressed archives and password-protected those archives; because the password had to be present in the malware itself, analysts could recover it from the sample. In 2006, though, attackers turned to asymmetric encryption, like RSA, to lock hijacked data. An RSA-based sample needs to carry only the attacker's public key, so recovering the files without the attacker's cooperation means recovering the private key, which in practice means factoring the modulus.

"We'll get to the point where we're not able to reverse the encryption," said Coursen.

Gostev seconded the motion in his research. "In spite of the fact that we were able to decrypt 330- and 660-bit keys within a reasonably short space of time, keys of this length are already pushing the boundaries of modern cryptography," he wrote. "Anti-virus companies might find themselves powerless [in the future], even if maximum computing power were to be applied to decrypting the key."
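The following is an added example, not code from the InformationWeek article or from Kaspersky's report, illustrating the two points above: with RSA the sample reveals only the public key (n, e), and recovering a ransomed file without the attacker's private key comes down to factoring n, whose cost is governed by key length. It uses textbook RSA with a deliberately tiny modulus so that Pollard's rho method factors it in milliseconds; the primes, seed and "file key" value are constructed for the demonstration and do not correspond to any real Gpcode parameters.

```python
# Added example (not from the article or Kaspersky's report): why RSA-based
# ransomware can only be "broken" by factoring, and how the work grows with
# key length. Textbook RSA, no padding, toy key sizes. Requires Python 3.8+
# for pow(e, -1, phi).
import random
from math import gcd

# Fixed Miller-Rabin bases: deterministic for n < 3.3e24, which covers every
# modulus this demonstration generates.
SMALL_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    for p in SMALL_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    """Random odd prime of exactly `bits` bits."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def make_rsa_key(modulus_bits: int, seed: int = 0):
    """Attacker-side key generation. Returns (n, e, d); the sample ships
    only (n, e). The seed is an assumption made for reproducibility."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = random_prime(modulus_bits // 2, rng)
        q = random_prime(modulus_bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def encrypt_int(m: int, n: int, e: int) -> int:
    """What the malware does to a per-file (symmetric) key before dropping
    the ciphertext next to the locked file. Requires 0 <= m < n."""
    return pow(m, e, n)


def pollard_rho(n: int, seed: int = 1):
    """Return (non-trivial factor of n, iterations used). Floyd-style rho:
    expected work is about sqrt(smallest prime factor), i.e. exponential in
    the key length, which is the whole point of the key-length discussion."""
    rng = random.Random(seed)
    if n % 2 == 0:
        return 2, 0
    iterations = 0
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
            iterations += 1
        if d != n:  # d == n means the cycle failed; retry with a new c
            return d, iterations


def private_exponent_from_factor(n: int, e: int, p: int) -> int:
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def recover_without_private_key(n: int, e: int, c: int) -> int:
    """The analyst's position: only (n, e) and the ciphertext are available.
    Succeeds only because n is small enough to factor."""
    p, _ = pollard_rho(n)
    d = private_exponent_from_factor(n, e, p)
    return pow(c, d, n)


if __name__ == "__main__":
    for bits in (32, 48, 64):
        n, e, d = make_rsa_key(bits, seed=bits)
        _, work = pollard_rho(n)
        print(f"{bits}-bit modulus factored in {work} rho iterations")
    n, e, d = make_rsa_key(48, seed=7)
    file_key = 0xC0FFEE1234  # constructed stand-in for a per-file key
    c = encrypt_int(file_key, n, e)
    print("recovered == original:", recover_without_private_key(n, e, c) == file_key)
```

Running the block prints the rho iteration counts for 32-, 48- and 64-bit moduli; each step up in modulus size roughly quadruples the work, since rho's cost grows like the square root of the smaller prime. Extrapolating that curve to a 660-bit modulus is what makes Gostev's "powerless even with maximum computing power" remark concrete: the method that trivially breaks the toy key above is hopeless at real key sizes, and the specialised algorithms that did break the 330- and 660-bit keys had no headroom left.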

Consumers are most at risk from ransomware, Coursen added, because while businesses regularly back up data and follow set security policies, at-home and small business users usually neglect both.

Other than the standard advice -- update the operating system, use a firewall, and deploy up-to-date anti-virus to keep the computer from being compromised in the first place -- Coursen recommended consumers start backing up.

"Backups are very important today, more important than ever," he said. "And it's so much easier to back up now."

The Kaspersky ransomware analysis can be downloaded from the company's Web site.