Ransomware is a type of malware that limits access to the computer system it infects. As its name suggests, it then demands a ransom payment to its operator before the restriction is lifted. Some variants encrypt files on the hard drive, while others simply lock the system and display messages pressuring the user to pay (Michael). Ransomware therefore comes in two broad types: one locks the screen and displays a message that prevents the user from using the computer; the other encrypts files on the system's hard drive so that they can no longer be opened (Blue).

The first known ransomware was written by Joseph Popp in 1989 and was known as PC Cyborg or the “AIDS” Trojan. It presented itself to the user as an expired software license and told users to send money, demanding US$189 to unlock the system (Michael). Another ransomware, known as Krotten, appeared in 2006; it blocked access to the system's files and displayed its message in German.

WinLock originated in Russia in 2010 and did not use encryption. It restricted access to the computer and displayed pornographic images, and it hit Russian users particularly hard. Victims had to buy an unlock code in order to regain access to their computers. Ten individuals were arrested in 2010 for their involvement with this ransomware (McMillan); by then WinLock had earned its operators an estimated US$16 million.

In 2011 a piece of ransomware imitating the Windows Product Activation notice appeared. It told users that their Windows installation had to be re-activated because they had been the victim of fraud. It offered an online activation option that could not be reached, so the user was directed to call an international number and enter a 6-digit code. The calls were claimed to be toll-free, but the victim ran up large charges while on the line. Over time many more ransomware variants were developed even as others were isolated (Michael).

In 2012 another ransomware, Reveton, emerged. Also known as the ‘Police Trojan’, it locks the system and displays a message accusing the user of illegal activity and claiming that a law enforcement agency is monitoring them. To make this go away, victims had to send money before they could regain access to their computers (Mark). Ransomware returned to prominence in late 2013 with the arrival of CryptoLocker.

This paper focuses on the CryptoLocker malware and its history. CryptoLocker is encrypting ransomware that relies on a 2048-bit RSA key pair. It targeted computers running Microsoft Windows and was first reported by Dell SecureWorks in September 2013 (Blue). The malware threatens to delete the private key unless payment is made within three days of infection. It is considered extremely hard to recover from because of the large key size it employs. However, even after the three days had expired, the private key could still be obtained through the operators' online service (McMillan).

Once running, the malware reports to a control server and encrypts files with specific extensions. It spreads through infected email attachments that appear to come from a legitimate company (Blue). The email carries a ZIP file containing an executable whose icon is made to look like a PDF document. The malware then encrypts certain file types stored on local and mapped network drives using RSA public-key cryptography; the private key is held only on the malware's control server. CryptoLocker was also distributed through the Gameover ZeuS Trojan and its botnet.
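The lure described above (a ZIP attachment holding an executable dressed up as a PDF) is something a mail gateway can triage mechanically. The following is an added example, not code from the original page or from any of the cited articles: it builds a constructed ZIP in memory and flags members that carry a Windows executable extension, hide a document extension in front of it, or start with the `MZ` header of a Windows executable regardless of what they are named. The member names and contents are constructed for the demo.

```python
import io
import zipfile
from dataclasses import dataclass, field

# File types Windows runs directly on double-click (subset, enough for the demo).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
# File types a recipient expects to be inert documents or images.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


@dataclass
class Finding:
    member: str
    reasons: list = field(default_factory=list)


def inspect_member(name: str, head: bytes) -> Finding:
    """Judge one archive member from its name and its first bytes."""
    base = name.rsplit("/", 1)[-1].lower()
    exts = base.split(".")[1:]          # all extensions after the stem
    finding = Finding(member=name)
    if head[:2] == b"MZ":               # DOS/PE header: a Windows executable
        finding.reasons.append("PE (MZ) header")
    if exts and exts[-1] in EXECUTABLE_EXTS:
        finding.reasons.append(f"executable extension .{exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            # "Hide extensions for known file types" is on by default, so the
            # user sees Invoice.pdf rather than Invoice.pdf.exe.
            finding.reasons.append(
                f"document extension .{exts[-2]} in front of it; shown as "
                f"'{base[: -len(exts[-1]) - 1]}' when known extensions are hidden")
    return finding


def triage_attachment(zip_bytes: bytes) -> list:
    """Return findings for every suspicious member of a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)       # only the magic bytes are needed
            finding = inspect_member(info.filename, head)
            if finding.reasons:
                findings.append(finding)
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment mimicking the lure; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2013-10.pdf.exe", b"MZ" + b"\x00" * 62)  # named like a PDF
        zf.writestr("Statement.pdf", b"MZ" + b"\x00" * 62)            # PE hiding behind .pdf
        zf.writestr("readme.txt", b"Please see the attached invoice.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_attachment(build_sample_zip()):
        print(f"{f.member}: " + "; ".join(f.reasons))
```

The content check matters as much as the name check: renaming the payload to `Statement.pdf` defeats an extension filter but not the `MZ` test, and conversely a `.pdf.exe` name is flagged even if the first bytes were tampered with.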

When run, CryptoLocker installs itself in the user profile and adds a registry entry so that it runs each time the computer starts. It then contacts one of its control servers; the server generates a 2048-bit RSA key pair and sends the public key to the victim's computer. Tracing the servers is difficult because the malware may reach them through a local proxy that in turn passes through others. Files across the system's drives are then encrypted, with the key material for each file protected under that public key, so nothing can be recovered without the private key held on the server (Mark). The encryption only targets documents with particular extensions, including Microsoft Office and OpenDocument files.

The computer then displays a message stating that the files have been encrypted and that the user must pay a set amount for them to be decrypted. In November 2013 the operators of CryptoLocker launched an online service that let victims buy the key after the deadline had passed (Mark). Victims had to upload a sample of an encrypted file and wait for the key to be generated once they had paid. If the deadline had already elapsed, the price was considerably higher (Blue).

Files encrypted by CryptoLocker are effectively impossible to break. Experts advised victims not to pay, even though they had no way to recover the files for them. Unfortunately, paying the ransom did not always guarantee that the files were decrypted; the people behind the malware gave victims no assurance that decryption would follow payment (McMillan).

CryptoLocker was isolated in June 2014 through Operation Tovar. The operation allowed the participating security firms to obtain the database of private keys CryptoLocker had used, and they set up an online portal through which affected victims could retrieve their private keys. In August 2014 the portal was made available to any victim free of charge, without any ransom being paid (McMillan).

CryptoLocker is usually not noticed until it has already encrypted some or most of the targeted files. If the infection is detected early and the malware removed quickly, damage to files is limited. Administrators are advised to use software restriction policies that block the CryptoLocker payload from launching on their machines (Mark).
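The two facts above that a defender can act on are that the payload installed itself under the user profile and that it persisted through a registry entry that runs at startup. A software restriction policy that denies execution from user-writable profile directories addresses both. Here is an added example, not code from the original page or from any of the cited articles, of that policy logic: it expands Windows environment variables, normalizes paths, denies images under `%APPDATA%`, `%LOCALAPPDATA%` and `%TEMP%` unless they fall under a narrow allow list, and audits Run-key entries for programs that live in denied directories. The environment, the `ApprovedUpdater` allow-list entry, the process paths and the Run-key contents are all constructed for the demo.

```python
import ntpath
import re

# Constructed environment for one user account; a real policy engine
# resolves these per logged-on user.
ENV = {
    "USERPROFILE": r"C:\Users\alice",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}

# User-writable directories the payload launched itself from.
# A deny rule over these is the classic Software Restriction Policy mitigation.
DENY_ROOTS = [r"%APPDATA%", r"%LOCALAPPDATA%", r"%TEMP%"]

# Narrow exceptions for software that legitimately runs from the profile.
# The entry is hypothetical; a real list names specific approved products.
ALLOW_ROOTS = [r"%LOCALAPPDATA%\ApprovedUpdater"]


def expand(path: str) -> str:
    """Replace %VAR% with its value from ENV (variable names are case-insensitive)."""
    return re.sub(r"%([A-Za-z_][A-Za-z0-9_]*)%",
                  lambda m: ENV.get(m.group(1).upper(), m.group(0)), path)


def normalize(path: str) -> str:
    """Canonical lower-case Windows path with env vars expanded and '..' resolved."""
    return ntpath.normcase(ntpath.normpath(expand(path.strip().strip('"'))))


def is_under(path: str, root: str) -> bool:
    p, r = normalize(path), normalize(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def decide(image_path: str) -> str:
    """Return 'allow' or 'deny' for a process image about to start."""
    if any(is_under(image_path, a) for a in ALLOW_ROOTS):
        return "allow"
    if any(is_under(image_path, d) for d in DENY_ROOTS):
        return "deny"
    return "allow"


def command_image(command: str) -> str:
    """Pull the executable path out of a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_run_entries(run_key: dict) -> list:
    """Names of Run-key values whose program lives in a denied directory."""
    return [name for name, cmd in run_key.items()
            if decide(command_image(cmd)) == "deny"]


# Constructed process-start events and Run-key contents for the demo.
PROCESS_STARTS = [
    r"C:\Windows\System32\notepad.exe",
    r"C:\Users\alice\AppData\Roaming\a1b2c3d4.exe",   # random name in the profile
    r"%TEMP%\setup_tmp.exe",
    r"C:\Users\alice\AppData\Local\ApprovedUpdater\update.exe",
]
RUN_KEY = {
    "VendorTray": r'"C:\Program Files\Vendor\tray.exe" /background',
    "a1b2c3d4": r'"C:\Users\alice\AppData\Roaming\a1b2c3d4.exe"',
}

if __name__ == "__main__":
    for image in PROCESS_STARTS:
        print(f"{decide(image):5} {image}")
    print("persistence in denied paths:", suspicious_run_entries(RUN_KEY))
```

Normalizing before matching is what makes the rule hold up: `%temp%\x.exe`, `C:\Users\alice\AppData\Roaming\x.exe` and a path written with `..` segments all resolve to the same canonical form before the prefix test, so the deny rule cannot be dodged by spelling the path differently.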

ZDNet traced four Bitcoin addresses posted by victims of the malware. These addresses showed that around US$27 million had moved through them between October and December 2013. Before its shutdown, the operators were estimated to have extorted around US$3 million from their victims (Mark). CryptoLocker has also inspired other malware that goes by the same name even though it is not the same code.

CryptoLocker was so successful that other malware emerged working in the same way. It carries the same name, but experts say it is unrelated to the original CryptoLocker. In September 2014 one such variant began spreading, specifically targeting Australian users, through emails posing as failed mail delivery notices (McMillan). It bears no relationship to the original. A Russian hacker, Evgeniy Bogachev, was charged over his alleged involvement in the scheme. It is not clear how many victims this ransomware affected.



Works Cited

Blue, Violet. Cryptolocker’s Crimewave: A Trail Of Millions In Laundered Bitcoin, 2013. Web. Retrieved from

Mark, Ward. Cryptolocker victims to get files back, 2014. Web. Retrieved from

McMillan, Robert. Alleged Ransomware Gang Investigated By Police, 2013. Web. Retrieved from

Michael, Kassner. Ransomware: Extortion via the Internet,  2010. Web.  Retrieved from
