Slashdot Mirror


Extortion Virus Code Cracked

Billosaur writes "BBC News is reporting that the password to the dreaded Archiveus virus has been discovered and is now available to anyone who needs it. Archiveus is a 'ransomware' virus, which combines files from the My Documents folder on Windows machines and exchanges them for a single, password-protected file, which it will not unlock unless a password is given. The user would normally be required to pay the extortionist money in order to receive the password, but apparently the virus writer made one small, critical error in coding: placing the password in the code. BTW, the 30-digit password locking the files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw."
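The summary's point is that the recovery password was a literal inside the virus itself, so anyone with a copy of the binary could read it out. The following analyst-side script, added here as an example and not part of the Slashdot post or of any Archiveus analysis, shows the usual first pass for that: pull printable runs out of a sample and rank them by Shannon entropy, since banner text, paths and import names repeat characters while a random password does not. The byte string and the 30-character "password" in it are constructed for this example and are not the real sample or the real password.

```python
import math
import re

# Constructed stand-in for a malware sample's bytes (NOT the real Archiveus binary):
# a few header-like bytes, strings an ordinary executable carries, and one embedded
# 30-character "password" literal made up for this example.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\n\x00\x00\x00"
    b"KERNEL32.dll\x00CreateFileA\x00WriteFile\x00DeleteFileA\x00"
    b"\x8b\xec\x83\xec\x10\x00"
    b"C:\\Documents and Settings\\%s\\My Documents\x00"
    b"k9q2xw7vz4bn3hm8tr5lp6yf1cg0sd\x00"
    b"\x00\x00\x55\x8b\xec"
)
EMBEDDED_PASSWORD = "k9q2xw7vz4bn3hm8tr5lp6yf1cg0sd"  # constructed value used by the check below


def shannon_entropy(s):
    """Bits of entropy per character of s, estimated from its own character frequencies."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def char_classes(s):
    """Number of character classes (lower, upper, digit, other) present in s.
    Generated secrets tend to mix classes; English text and identifiers mostly do not."""
    return sum([any(c.islower() for c in s), any(c.isupper() for c in s),
                any(c.isdigit() for c in s), any(not c.isalnum() for c in s)])


def rank_candidates(blob, min_len=8):
    """Return (string, entropy, length, classes) for every printable ASCII run of at
    least min_len bytes in blob, highest entropy first (length breaks ties).
    A random password stored as a literal floats to the top of this list."""
    runs = [r.decode("ascii") for r in re.findall(rb"[ -~]{%d,}" % min_len, blob)]
    scored = [(r, round(shannon_entropy(r), 3), len(r), char_classes(r)) for r in runs]
    scored.sort(key=lambda t: (t[1], t[2]), reverse=True)
    return scored


if __name__ == "__main__":
    for text, ent, length, classes in rank_candidates(SAMPLE_BINARY):
        print(f"{ent:5.3f} bits/char  len={length:2d}  classes={classes}  {text!r}")
```

On the constructed sample the 30-character literal ranks first at about 4.9 bits per character (every character is distinct), well above the DOS stub banner and the document path. On a real sample the same list is where a reviewer would look for a hard-coded key or password before assuming the attacker's secret never left the attacker's machine.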

3 of 371 comments

  1. News That's Old, Stuff that's Stale by lbmouse · Score: 5, Informative

    Hasn't this been around for a while? According to this page, the password has been known for at least a month.

  2. Wrong by Anonymous Coward · Score: 5, Informative

    You're wrong. You can cipher it with the public key and it can't be recovered without the private key, which is safe at his computer.

  3. Re:Just wait... by swillden · Score: 5, Informative

    Public key cryptography does not work against a man in the middle attack.

    True, in general, though precautions can be taken. I fail to see how a MITM attack is even relevant here, though.

    When the files are being encrypted by software running on your computer, such a virus is inevitably vulnerable.

    Why? Virus contains public key, generates random session key (ideally in memory-locked pages that cannot be swapped out), encrypts all your data with session key, encrypts session key with public key, writes encrypted session key to a file, wipes session key from memory, then shuts down.

    Assuming you don't notice the virus before all of this happens, you're toast unless you can get a copy of the private key.

    To overcome this flaw, the virus writer would have to send the files to a pre-known IP address for off-site encryption (which among other problems would probably be a pretty noticeable activity). Doing so would presumably also expose the author to risk that the computer in question (and presumably he himself) could be seized.

    Did you mean decryption? If so, yes, the writer would have to have you ship your session key file to him so he could decrypt it and give you your unique decryption key. I don't think that activity is nearly as risky to the writer as trying to figure out how to collect the money, though. Following money trails is something the world's law enforcement agencies are very good at.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
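The thread above turns on "assuming you don't notice the virus before all of this happens": once the key material is properly wrapped, the defender's remaining leverage is to notice the activity while it is running. The summary describes the behaviour to look for, a process that consumes the files in My Documents and replaces them with a single new file. The script below is an added example (not from the Slashdot thread or from any product) of a detection rule over file-activity events for exactly that pattern: a burst of deletions of distinct documents by one process inside a short window. The log format and every line in it are constructed for the example; the process ids, paths and the `My Documents` marker are assumptions, not artefacts of the real virus.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-activity log (made up for this example; not from any real sensor).
# pid 1204 reads and then deletes six user documents in a few seconds and creates a
# single new file in the same tree; pid 800 edits one file; pid 950 removes two temp
# files, below the burst threshold.
SAMPLE_LOG = r"""
2006-06-01T10:00:00 pid=1204 op=create path=C:\Documents and Settings\alice\My Documents\packed.bin
2006-06-01T10:00:01 pid=1204 op=read path=C:\Documents and Settings\alice\My Documents\report.doc
2006-06-01T10:00:01 pid=1204 op=delete path=C:\Documents and Settings\alice\My Documents\report.doc
2006-06-01T10:00:02 pid=1204 op=read path=C:\Documents and Settings\alice\My Documents\budget.xls
2006-06-01T10:00:02 pid=1204 op=delete path=C:\Documents and Settings\alice\My Documents\budget.xls
2006-06-01T10:00:03 pid=1204 op=read path=C:\Documents and Settings\alice\My Documents\thesis.doc
2006-06-01T10:00:03 pid=1204 op=delete path=C:\Documents and Settings\alice\My Documents\thesis.doc
2006-06-01T10:00:04 pid=1204 op=read path=C:\Documents and Settings\alice\My Documents\photos\cat.jpg
2006-06-01T10:00:04 pid=1204 op=delete path=C:\Documents and Settings\alice\My Documents\photos\cat.jpg
2006-06-01T10:00:05 pid=1204 op=read path=C:\Documents and Settings\alice\My Documents\letter.doc
2006-06-01T10:00:05 pid=1204 op=delete path=C:\Documents and Settings\alice\My Documents\letter.doc
2006-06-01T10:00:06 pid=1204 op=read path=C:\Documents and Settings\alice\My Documents\resume.doc
2006-06-01T10:00:06 pid=1204 op=delete path=C:\Documents and Settings\alice\My Documents\resume.doc
2006-06-01T10:03:00 pid=800 op=read path=C:\Documents and Settings\alice\My Documents\notes.txt
2006-06-01T10:03:40 pid=800 op=write path=C:\Documents and Settings\alice\My Documents\notes.txt
2006-06-01T10:04:00 pid=950 op=delete path=C:\Documents and Settings\alice\My Documents\old.tmp
2006-06-01T10:04:01 pid=950 op=delete path=C:\Documents and Settings\alice\My Documents\old2.tmp
"""

# Path fragment that identifies user document trees (an assumption of this example).
DOCS_MARKER = "\\My Documents\\"
EVENT_RE = re.compile(r"^(\S+) pid=(\d+) op=(\w+) path=(.+)$")


def parse_events(text):
    """Parse 'timestamp pid=N op=X path=P' lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, pid, op, path = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "pid": int(pid),
                       "op": op, "path": path})
    return events


def detect_mass_removal(events, min_deleted=5, window=timedelta(seconds=60)):
    """Flag any pid that deletes at least min_deleted distinct files under the user
    document tree within `window`. Returns {pid: {"deleted": n, "created": [paths]}};
    the created list shows what replaced the documents (one archive, in the summary's
    description of the virus)."""
    first_delete = defaultdict(dict)   # pid -> {path: time of first delete}
    created = defaultdict(set)         # pid -> new files under the document tree
    for ev in events:
        if DOCS_MARKER not in ev["path"]:
            continue
        if ev["op"] == "delete":
            first_delete[ev["pid"]].setdefault(ev["path"], ev["ts"])
        elif ev["op"] == "create":
            created[ev["pid"]].add(ev["path"])

    flagged = {}
    for pid, paths in first_delete.items():
        times = sorted(paths.values())
        # Sliding window over the sorted delete times: do any min_deleted consecutive
        # deletions fall within `window` of each other?
        burst = any(times[i + min_deleted - 1] - times[i] <= window
                    for i in range(len(times) - min_deleted + 1))
        if burst:
            flagged[pid] = {"deleted": len(paths), "created": sorted(created[pid])}
    return flagged


if __name__ == "__main__":
    for pid, info in detect_mass_removal(parse_events(SAMPLE_LOG)).items():
        print(f"pid {pid}: {info['deleted']} documents deleted; created {info['created']}")
```

The thresholds are deliberately conservative defaults: a user emptying a folder by hand rarely deletes five distinct documents within a minute from a single non-shell process, while the behaviour the summary describes does so for every file in the tree. The rule keys on deletions rather than on the new file because the attacker controls the archive's name and location but cannot avoid removing the originals.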