When is RSA Ransomware not RSA Ransomware? (When it is RC4)
Last weekend saw the first series of detections of a new version of an odd piece of malware (Gpcode) that encrypts user data before demanding a ransom for the keys needed to recover the original data. Sûnnet Beskerming have previously covered this class of malware, known as Ransomware - Advisory #138 (News subsection 2.4), but this new sample is interesting in terms of the encryption techniques that it claims to apply to the data being hidden from the victim.
As reported in the writeup at the CISRT, the malware claims to be using an RSA-4096 algorithm to protect file data. Any hope of recovering data from a properly implemented RSA-4096 algorithm is essentially lost - it is not currently feasible to recover data encrypted with this method without having the original keys.
Even though it has spread to a very small number of systems, a number of antivirus / antimalware companies are already moving to address the threat that Gpcode poses, including Trend Micro, Panda Labs, and Kaspersky.
Kaspersky provide the most valuable information about what is actually happening with the encryption of user data - it is not an RSA-4096 algorithm, but rather a modified RC4 algorithm implementation - a much simpler proposition to break than RSA-4096. Armed with this knowledge, Kaspersky have moved to recover the encryption keys from the malware and are integrating support for recovering encrypted files in their antimalware solutions. Support for recovering data from previous versions of Gpcode already exists, with support for the recently discovered version to be added to antimalware solutions in the near future.
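The difference between the claimed RSA-4096 and the actual RC4 matters because RC4 is symmetric: the key that encrypted the files must travel with the malware, so it can be extracted and used directly. The following is an added illustration, not code from this article or from any vendor, using a constructed key and constructed file contents; it also shows the weaker case where no key is recovered but a fixed key (no per-file nonce) reuses the keystream, which is an assumption of the illustration and not something the article states about Gpcode.

```python
# Added illustration: why a symmetric stream cipher whose key ships inside the
# malware is recoverable, while a proper RSA-4096 scheme would not be.
# Key, file contents and known headers below are constructed sample values.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA) then output generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))

def recover_keystream_prefix(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery: keystream = ciphertext XOR plaintext for the
    bytes whose plaintext is known (e.g. a fixed file-format header)."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))

def strip_keystream(ciphertext: bytes, keystream: bytes) -> bytes:
    """Undo the stream cipher on the prefix covered by a recovered keystream."""
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))

EMBEDDED_KEY = b"constructed-key-inside-the-sample"  # assumption, not a real key
PNG_HEADER = b"\x89PNG\r\n\x1a\n"  # well-known fixed file-format header

def demo() -> dict:
    doc = b"%PDF-1.4 quarterly report, constructed sample text"
    pic = PNG_HEADER + b"constructed image payload"
    enc_doc = rc4_crypt(EMBEDDED_KEY, doc)
    enc_pic = rc4_crypt(EMBEDDED_KEY, pic)
    # 1) With the key pulled out of the malware, every file decrypts directly.
    full = rc4_crypt(EMBEDDED_KEY, enc_doc)
    # 2) Without the key: a fixed key and no nonce means every file shares one
    #    keystream, so a known header on one file reveals the start of another.
    ks = recover_keystream_prefix(enc_pic, PNG_HEADER)
    partial = strip_keystream(enc_doc, ks)
    return {"full": full == doc, "partial_prefix": partial == doc[:len(ks)]}
```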
19 July 2007