Cryptolocker: The evolution of extortion

Gregg Keizer | Nov. 20, 2013
Cryptolocker, the latest ransomware, may be newsworthy, but it's been hyped, too, says expert

The Cryptolocker Trojan is an evolution of "ransomware," not a revolutionary change from past criminal attempts to extort money from PC owners, a security expert said today.

And the recent media blitz about the ransomware has elements of exaggeration about it.

"There is a bit of hype," said John Shier, a senior security advisor for U.K.-based Sophos, in an interview today. "Actually, it's only the latest incarnation of ransomware."

Ransomware is a category of malware that, once on a system, encrypts files and then tries to convince users to pay to decrypt them so they can again be opened. The crimeware has been in active circulation since at least 2005, with traces harking back as far as 1989.

But reports of Cryptolocker, which first appeared earlier this year, have been more prominent and persistent than any of its predecessors.

Why is that?

"It's taken lessons [from those ancestors] of how to do things better," said Shier, who repeatedly argued that Cryptolocker was not revolutionary, but evolutionary in its tactics and techniques. "It's not the first to use a public key," Shier cited as an example. Public-key cryptography relies on a pair of digital keys: one public, which is stored on the victimized PC, and one private, which is not. Cryptolocker instead ships that private key to the cyber-criminals, who hold it until payment is received.

Cryptolocker is newsworthy for several reasons, said Shier, who ticked off the near-impossibility of cracking the encryption; the fact that each compromised PC generates its own public-key pair, so acquiring one private key doesn't help others whose machines have been infected; the encryption of not only local files, but also those on accessible networks; targeting valuable user-made content, not the operating system; and its high ransom price, which can reach into four figures.

The Swansea, Mass. Police Department, for instance, paid $650 for a pair of Bitcoins to get its files back after a PC was infected with Cryptolocker, according to a report by the Herald News of Fall River, Mass. Both Swansea and Fall River are in southeast Massachusetts.

At Tuesday's exchange rate, the Swansea Police Department's two Bitcoins would cost more than $1,300.

Sophos, however, has seen very few Cryptolocker-infected PCs among those it protects. According to Shier, of the 16 million covered by Sophos' security software, it's counted fewer than 300 infections.

Shier offered a caveat, however. "It's not that big of a deal in businesses [which is Sophos' forte] because they have other defenses in place," he said, including robust spam filters, attachment blocking and multiple layers of security. "For consumers, it would be a little worse, I think, since many don't have those kinds of tools."
