Slashdot Mirror


Using Distributed Computing To Thwart Ransomware

I Don't Believe in Imaginary Property writes "The folks at Kaspersky labs are turning to distributed computing to factor the RSA key used by the GPcode virus to encrypt people's files and hold them for ransom. There are two 1024-bit RSA keys to break, which should require a network of about 15 million modern computers to spend a year per key factoring them. Unfortunately, there appear to be no vulnerabilities in the virus' use of RSA, unlike some previous cases. Perhaps more interestingly, there's some debate over whether people should bother cracking it. After all, what if they were trying to trick us into factoring the key for a root signing authority? Besides, there's a more direct method of breaking the encryption: track down the people who wrote the virus and force them to talk."

26 of 361 comments

  1. Seems rather futile.. by FluffyWithTeeth · · Score: 5, Insightful

    Surely all they have to do is start using a new key every so often, and the task becomes pointless?

    1. Re:Seems rather futile.. by SQLGuru · · Score: 5, Insightful

      Surely all you have to do is make frequent back-ups of your critical data and the virus becomes pointless.

      Hacker - You must pay me $100 or your files will be forever encrypted by my nigh-unbreakable RSA code.
      User - Meh, I just wiped my system of your virus and restored my important files from back-up. Piss off.

      Layne

    2. Re:Seems rather futile.. by Silver+Sloth · · Score: 4, Insightful

      Good, sometimes there's only one way to learn about why we have backups. After all, they're just as much at risk from hard disk crashes.

      --
      init 11 - for when you need that edge.
    3. Re:Seems rather futile.. by pla · · Score: 2, Insightful

      As has been pointed out in the past - the people who are most likely to become infected with a ransomware virus are exactly the same people who are least likely to have backups available.

      Back in my youth, I never made regular backups.
      Then I got a virus.
      Since then, I make regular backups.


      As annoying as it seems, sometimes people need to understand first-hand the need for regular, offline backups. Until they have the experience of data-loss, they just won't appreciate what could happen.

    4. Re:Seems rather futile.. by pegr · · Score: 2, Insightful

      I'll assume someone paid the ransom at least once. So what key did they use to decrypt? Do us a favor and post it.

      As for it being a trick to crack a root signing key, would they not have to have the private key to encrypt with to start?

    5. Re:Seems rather futile.. by bigstrat2003 · · Score: 3, Insightful

      I use Windows because I'm not brain-dead and can keep my machine secure. For those of us who know what we're doing, it doesn't matter what OS we use. For those of us who don't know what we're doing, similarly, it doesn't matter what OS we use: you're only kidding yourself if you think that widespread Linux adoption would result in there not being many/any pwned machines. The user is, and always will be the biggest computer vulnerability.

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    6. Re:Seems rather futile.. by AmiMoJo · · Score: 3, Insightful

      While I too get frustrated by incompetent users, I think that attitude is a bit harsh. Computers are supposed to have reached the point of being easy to use by laymen, and automatic backup should be part of that.

      Time Machine on MacOS seems to be just about there, all they need to do is bundle an external HDD or offer a free online component for personal docs.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:Seems rather futile.. by ArsonSmith · · Score: 2, Insightful

      so how does the ram or cpu get grounded. Just because I am now currently at the same static charge as the grounded unit, the ram or cpu may still be at a different charge.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
  2. I've got a better idea by elrous0 · · Score: 5, Insightful

    Encourage people to make backups of their data on disc, tape, or portable harddrives. I know that's a radical idea, but it just might be crazy enough to work.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:I've got a better idea by cowscows · · Score: 5, Insightful

      So what you're saying is that anyone who lives in any fashion beyond subsistence farming is stupid?

      Banking, religion, and politics all have their problems, no doubt. But they're all important and persistent factors in the progress that humanity has made. They've all been involved in bad things, but they've all been involved in lots of good things as well.

      A human being is, on their own, capable of many things, both good and bad. Structures, systems, corporations, religions, corporations...they've all allowed us as a civilization to accomplish tasks that no one man could accomplish on his own. Some good and some bad, but all it does is amplify our abilities.

      --
      One time I threw a brick at a duck.

    2. Re:I've got a better idea by Z34107 · · Score: 2, Insightful

      I recall a similar study where they asked students across the 50 states to rate their "self-esteem" in regards to mathematics - how confident they were in handling numbers, and how good they thought they were.

      Students' self-esteem correlates negatively with test scores. I guess humility is learned through... learning.

      --
      DATABASE WOW WOW
    3. Re:I've got a better idea by DaedalusHKX · · Score: 2, Insightful

      You've proven my point far beyond my wildest dreams (actually my wildest dreams don't really have much to do with this particular point :)

      Joking aside, however, just because progress has benefitted certain people, does not make their willing and unwilling pawns any more intelligent, or wise, or smart, or anything but what they are. Just because progress can be achieved with 99% enslaved labor, does not mean it cannot be done equally as well (if not better) by those who participate by mutual agreement.

      To put it in a more easily understood concept... even if orgasm (progress) can be achieved through RAPE, or consensual sex, or masturbation, that does not make RAPE a necessary thing to achieve orgasm, nor does it say that the guy who masturbates isn't achieving orgasms. Does that make any one of those three conditions the only right way to reach orgasm? Same thing with your vaunted progress.

      There is more than one way to get to a desired goal, and just because a vast mass of the populace is incapable of seeing the forest for the trees, and just because a few profit from the stupidity of the many does NOT in any way make the few evil, or the many any less stupid.

      I was stating an observation, not saying that the masses should awaken. Personally I am not wanting to save anyone. Those who will save themselves will do it without my help. The masses, in fact, deserve EXACTLY the kind of progress they are in the process of "receiving". I'm just enjoying the show. Don't mistake me for someone who still cares.

      --
      " What luck for rulers that men do not think" - Adolf Hitler
  3. 15 million modern computers?? by iamacat · · Score: 3, Insightful

    They are best off using a large botnet then. Perhaps modify the extortion virus itself so that it's part of solution rather than part of the problem.

  4. 1024 bits is big by steveb3210 · · Score: 2, Insightful

    The size of the keyspace doubles per bit, 2^1024 is the size of keyspace.. Brute factoring the key is not happening..

  5. It is a good development, Don't help them by 140Mandak262Jamuna · · Score: 4, Insightful

    We should not help people whose data is held at ransom. Finally they will see the folly in using cheapest software, in the cheapest platform with no regard for security. Companies will start taking insurance against data loss. And the insurance premium will be more for insecure closed proprietary crapware like Windows.

    As long as security is valued at zero dollars when the IT bean counters are evaluating platforms and vendors crapware will proliferate.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:It is a good development, Don't help them by Beryllium+Sphere(tm) · · Score: 2, Insightful

      This one's a Trojan, though, not an exploit. If your platform allows installing general-purpose software then the possible countermeasures (warnings, administrator password prompts, requiring chmod +x, sandboxing) are all kind of flimsy. Sandboxing is at odds with the "general purpose software" part -- imagine that this had been masquerading as a privacy tool that protected your files by encrypting them. Either you have a sandbox the user can't override that blocks legitimate encryption software, or you have one the user can override that the user then will override.

      Signed packages in well-maintained repositories are a good countermeasure, but closed source vendors could do that too.

  6. Don't forget the corollary. by khasim · · Score: 5, Insightful

    Don't forget the corollary.

    Encourage the application writers to make their applications EASY TO BACKUP.

    The problem I keep seeing is that TELLING someone to back up their data is easy to do. FINDING ALL of the data is just about impossible.

    You'll never know if you got it all until AFTER a problem.

    Or even ... how about just including a simple script that will look at how it's installed TODAY and back it up to a location chosen by the user? And then that script will generate a script to install that backup should you need it to. Along with license keys and decoding keys and unlocking keys, etc.

    1. Re:Don't forget the corollary. by pla · · Score: 3, Insightful

      Do I just not know some Windows Admin secret magic, or is it true that I really can't back up my applications. I'd like to be able to reinstall Windows and then restore all of my applications.

      Not quite a direct answer, but you might want to consider using mostly "Portable" apps (that site has tons of them, but by no means counts as the only source... And of course, better-designed programs work portably without needing a wrapper).

      They have nothing to do with Linux or FOSS (though they do tend to exist as FOSS and have Linux versions available). You copy the program's directory (and, if you changed it, your data directory) to a new machine, and bam, it just works. No installation, no annoying migration tools that fail half the time, no custom compression schemes that only worked back on version 4.8 but they stopped supporting in 5.0 and no longer sell version 4.8, etc.

      With most of them, you can run them from USB thumb-drives (the original meaning in this context of "portable" - Literally, you can take them with you); With many, you can even run them from read-only media such as a CD (though obviously you can't save your data in the same place when doing so).

    2. Re:Don't forget the corollary. by drinkypoo · · Score: 1, Insightful

      The problem I keep seeing is that TELLING someone to back up their data is easy to do. FINDING ALL of the data is just about impossible.

      That's funny, all of my user data seems to be in $HOME. Perhaps there's a problem with your operating system?

      In fact, I was just commenting on the ease of transferring my data to my girlfriend, who did not care. (She made the mistake of bringing up something computer-related.) Because I run my Win32 apps on Wine, all I had to do was copy the .wine directory and that copied my registry, too. So all I do is copy my home directory, and EVERYTHING (and I mean EVERYTHING) is copied.

      Here's $0.00. Get a real OS, kid.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Leave it be. by Just+Some+Guy · · Score: 2, Insightful

    So, there are two possibilities here:

    1. People are running crappy software that got hacked, or
    2. People did something dumb like running an .exe that someone mailed them.

    Either way, this seems like a pretty strong (if harsh) lesson for end users. If #1, use better software, like your geek friends have been telling you this for years. That doesn't have to mean installing Ubuntu; it could just mean upgrading from IE6 to Firefox (or IE7), or from Outlook Express to Thunderbird (or Gmail). If #2, then haven't you been told about 1,000 times not to do that? Now do you see why?

    I truly feel bad for people who get nailed for this, in almost exactly the same way I feel bad for my kids when they touch the stove after I've told them it was hot.

    --
    Dewey, what part of this looks like authorities should be involved?
  8. Data recovery by KevMar · · Score: 4, Insightful

    So the encryption is sound, but did he just delete the old files after encrypting them or did he scrub the drive too.

    Someone try to undelete the files with a disk recovery tool and see what you get. Just because the file is encrypted does not mean that the original was correctly destroyed.

    --
    Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
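KevMar's point, that encrypting a copy does not destroy the original if it was only deleted, is checked by carving a raw image for file signatures rather than trusting filesystem metadata. The following is an added example, not code from the post or from Kaspersky: the disk image is constructed inline, and the signature table and the entropy threshold for spotting the ciphertext that was written back are assumptions of this example.

```python
import hashlib
import math

# Header/footer magic for a few common types (constructed table; real carvers know many more).
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf":  (b"%PDF-", b"%%EOF"),
}

def carve(image: bytes, max_len: int = 1 << 20):
    """(kind, start, end) for each header/footer pair found, regardless of filesystem metadata."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) != -1:
            stop = image.find(foot, start + len(head), start + max_len)
            if stop == -1:            # header with no footer in range: skip it
                pos = start + 1
                continue
            found.append((kind, start, stop + len(foot)))
            pos = stop + len(foot)
    return sorted(found, key=lambda t: t[1])

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 means random-looking (compressed or encrypted)."""
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def high_entropy_chunks(image: bytes, chunk: int = 512, threshold: float = 7.0):
    """Offsets of chunks that look like ciphertext, i.e. what the ransomware wrote back."""
    return [off for off in range(0, len(image), chunk)
            if shannon_entropy(image[off:off + chunk]) >= threshold]

def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

def build_sample_image() -> bytes:
    """Constructed 'disk image': free space, three deleted-but-intact plaintext files, one encrypted blob."""
    png = SIGNATURES["png"][0] + b"constructed-png-body" * 3 + SIGNATURES["png"][1]
    jpeg = SIGNATURES["jpeg"][0] + b"\xe0JFIF" + b"constructed-jpeg-body" * 4 + SIGNATURES["jpeg"][1]
    pdf = SIGNATURES["pdf"][0] + b"1.4\nconstructed-pdf-body\n" * 3 + SIGNATURES["pdf"][1]
    ciphertext = _pseudo_random(4096).replace(b"\xff", b"\x00")  # no 0xff, so no accidental JPEG marker
    return (b"\x00" * 512 + png + b"\x00" * (512 - len(png)) + ciphertext   # ciphertext at 1024..5120
            + b"\x00" * 32 + jpeg + b"\x00" * 16 + pdf + b"\x00" * 100)
```

On the constructed image the three plaintext files are recovered intact while the encrypted blob is not carvable at all, only flagged as high-entropy chunks; on a real drive the same check tells you whether the originals were merely unlinked or actually overwritten.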
  9. No trust, ergo, no reason to decrypt by mkcmkc · · Score: 3, Insightful

    What seems to be missing here, is the realization that if someone has encrypted your files without your permission (supposedly for ransom), there is no reason to trust them to restore the files correctly, and very good reasons not to trust them.

    I suppose if the file in question was something like a manuscript for a novel, where the owner can more or less verify it by eye, and (importantly) there isn't that much downside if our opponent sneaks some changes in, that might be worthwhile. But in general...

    --
    "Not an actor, but he plays one on TV."
  10. Re:Got to be a link to the extortionist by Kjella · · Score: 3, Insightful

    Quite simple and very effective and can be done using standard tools:

    1. Encrypt victim's data with random AES key
    2. Store key in body of a PGP message for yourself
    3. Get victim to send you the PGP message
    4. Decrypt PGP message using private PGP key, find AES key
    5. Send AES key to victim - for a price...

    Seriously, this could probably be hacked together in a matter of a few hours if explained to someone knowledgeable. The private key never leaves the bad guys. And if they decide the heat is on and torch the operation and set it up elsewhere you're 100% screwed. Trying to crack this must be the most useless operation ever, they could easily make the keys stronger and thousands of years would pass to crack it. In one word: Nasty.

    --
    Live today, because you never know what tomorrow brings
  11. Most have a GPL equivalent. Most. by tepples · · Score: 2, Insightful

    but most of them have a GPL equivalent in GNU/Linux

    "Most" is the key word. There are a lot of users who have fewer than a half-dozen applications and games that keep them on Windows. For some people, it's recent Photoshop or Flash. For others, it's some Direct3D game that doesn't work in Wine. For others, it's the driver for a flatbed scanner.

  12. I'm all for forcing them to talk by Minwee · · Score: 2, Insightful

    Given the choice between fifteen million CPU years spent breaking keys and about ten minutes of breaking fingers, it seems pretty clear which one is more efficient.

  13. Re:That all depends ... by Anonymous Coward · · Score: 1, Insightful

    That's if you let law enforcement track him down. If *I* track him down, I'll do whatever I please to him. I have a concealed carry permit that is recognized and honored in most of the US. Threaten to shoot off something they would miss very much and I'm sure they would happily give you whatever you wanted. Besides, what are they going to do, call the cops?