Slashdot Mirror


Ransomware Making a Comeback

snydeq writes "Ransomware is back. After a hiatus of more than two years, a variant of the GpCode program has again been released, kidnapping victims' data and demanding $120 for its return, InfoWorld reports. 'Like the ransomware programs before it, GpCode encrypts a victim's files and then demands payment for the decryption key. The new version of GpCode — labeled GpCode.AX by security firm Kaspersky — comes with a bit more nastiness than previous attempts. The program overwrites files with the encrypted data, causing total loss of the original data, and uses stronger crypto algorithms — RSA-1024 and AES-256 — to scramble the information.'"

17 of 202 comments

  1. Backups by coerciblegerm · · Score: 5, Insightful

    Simple solution: Back up your data. In other news, make sure you patch software and operating system vulnerabilities and don't run executables from unknown sources.

    1. Re:Backups by txoof · · Score: 4, Interesting

      Whenever I see family/friends/co-workers using external drives for "backup" I have to repress the urge to launch into a lecture on the absurdity of relying on a local, always mounted backup.

      WesternDigital and all the other purveyors of external hard disks should be ashamed of themselves for promoting their products as a reasonable backup solution. The ONLY kind of calamity that such devices protect you from is accidental deletion or hardware failure. An external drive provides absolutely no protection from any kind of malicious attack or catastrophic disaster (flood, fire, theft). The only real backup solution is an off-site backup. Considering how cheap Amazon S3 is, off-site backups are finally a real solution for the average person.

      Apple's Time Machine and Fly Back are a step in the right direction, but without a real off-site backup solution, kiss your data goodbye, because when it falls into a river of molten rock, man, it's gone.

      --
      This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
    2. Re:Backups by black_lbi · · Score: 5, Funny

      because when it falls into a river of molten rock, man, it's gone.

      Sounds like you learned that from experience. One of the cons of maintaining the data center for Sauron, huh? Hope the pay is good, at least.

    3. Re:Backups by Anonymous Coward · · Score: 5, Insightful

      I hate to break it to ya buddy, but accidental deletion and hardware failure make up 100% of my data loss causes. Shocking, I know. You see, some people actually do patch their software and ensure their OS is up to date, and some people don't run executables from strange places.

      Mounted, active storage is perfectly acceptable for backing up all but the absolute most critical of data.

    4. Re:Backups by wvmarle · · Score: 4, Insightful

      My data set is about 40 GB (gzipped).

      Amazon et al., while cheap and off-site and probably pretty secure, would require encryption at least. I don't want unencrypted data there. Makes it a bit more cumbersome.

      The killer is going to be the upload. I've 2 Mbit up, uploading my data set to Amazon would saturate my pipe for about 55 hours straight. And that's a show stopper.

      I'm slowly looking for 64 GB USB drives. They exist, but the local shop has only 32 GB, so I have to look further. That's a much easier solution than Amazon.

    5. Re:Backups by ArsenneLupin · · Score: 4, Insightful

      Whenever I see family/friends/co-workers using external drives for "backup" I have to repress the urge to launch into a lecture on the absurdity of relying on a local, always mounted backup.

      You know, malware is not the only threat to data. There's also hard disk failures, and human error. "Always-mounted" external disks protect against both.

      WesternDigital and all the other purveyors of external hard disks should be ashamed of themselves for promoting their products as a reasonable backup solution.

      ... and even if you are concerned about "always mounted" being vulnerable to malware, you can always keep your drive securely stashed away, and only connect it once a week to do your backup.

      The ONLY kind of calamity that such devices protect you from is accidental deletion or hardware failure.

      Which is already quite useful. Even though we like to scoff at Windows users, most malware is not interested in trashing users' data, and anti-virus programs still manage to catch most malware (if one is installed).

      ...or catastrophic disaster (flood, fire, theft).

      ... which are quite rare compared to the more usual failure modes (hard disk failures, or accidentally deleting the wrong files).

      Considering how cheap Amazon S3 [amazon.com] is, off-site backups are finally a real solution for the average person.

      You've got to trust Amazon to respect the privacy of your data.

    6. Re:Backups by Cato · · Score: 4, Informative

      Antiviruses catch only a declining percentage of malware, so you can't rely on them - see http://en.wikipedia.org/wiki/Antivirus_software#Effectiveness which shows that even in 2007 the average percentage caught was about 50%. Various independent tests confirm this, particularly for zero-day viruses (i.e. you must rely on heuristics in the AV product, not signatures). In 2007, 23% of infected PCs had up to date antivirus: http://www.pandasecurity.com/infected_or_not/ and http://www.pandasecurity.com/infected_or_not/panda_security_research/

      Even when there is coverage for a specific virus/trojan, highly polymorphic ones are often not caught - for example the Zeus banking trojan, which steals from bank accounts while hiding the illicit transactions and resulting balance from the user, is missed in 77% of cases - http://www.darkreading.com/security/article/220000718/index.html

  2. Encryption by flyingfsck · · Score: 3, Funny

    All my data is already encrypted you insensitive clod!

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  3. Allright, bring back the Slot Machines of DOS! by Anonymous Coward · · Score: 5, Funny

    I remember back when I was running MSDOS 5, and at first Bootup it cut to a screen with a Slot Machine that said it was a Virus holding my MBR and File Allocation Table ransom until I get such and such combination after I pull the Arm. It also said if I tried to turn-off the computer, then all my data is already gone unless I got the sequence in this game to restore my MBR and FAT.

    Needless to say, I left the computer on all day and drove to my grandmother's Insanitarium/Old-Folk's home and said I didn't come visit these past 10 years because I've always given her bad luck and now I need her more than ever. She stopped taking her pills, said goodbye to the trees and bushes and pigeons as I walked her to my car, and upon arriving at my desk she knew exactly what to do: she pulled out her vial of lipstick, puckered some on her mouth, and gave the computer screen a kiss. She was insane again.

    Fuck you Slot Machine! I pulled the Arm, and I won back my MBR and FAT. I told my grandmother she could walk back home, and so I gave her $10 to buy some cigarettes and lunch, and I and her Retired-Living Facility have never seen her since.

  4. Ok, a question or two by Weaselmancer · · Score: 5, Interesting

    The whole point of these malware authors is to ransom data for cash, right?

    How the hell do they get paid? And if that is an answerable question, that brings question number two.

    Why the hell can't the law find them?

    There would be a money trail of some sort. The money has to go from victim to the criminal. That is traceable.

    Isn't this really just a gigantic "kick me" sign?

    --
    Weaselmancer
    rediculous.
    1. Re:Ok, a question or two by ArsenneLupin · · Score: 3, Insightful

      How the hell do they get paid?

      ... and this is the Achilles heel of just about every ransom ploy. Most kidnappings for ransom fail at the "money handover" stage.

    2. Re:Ok, a question or two by Monkeedude1212 · · Score: 3, Informative

      Ok, great. I'm like the guys in Office Space who don't know how to launder money.

      So. Wanna illuminate me or are you satisfied with being merely cryptic?

      The thing is that most of these sites will ransom you for your credit card info to make the payment; it's almost never just the amount they claim that they want to steal from you.

      So you go to their website and enter the info. They return your data. They go and they use your credit card to make a deposit to a PayPal account that they've hacked - it's not actually one of theirs, it's that of an unsuspecting victim. They run the money through a couple of those, whose purchasing history is actually protected so the cops need a warrant to search through it - which will often just put the wrong person under suspicion.

      Eventually they run it to an account outside of the US's jurisdiction.

  5. No data is actually encrypted..... by Skellbasher · · Score: 5, Informative

    Fortinet did an analysis of this. http://blog.fortinet.com/all-your-drives-are-belong-to-us/ It simply backs up the partition table and rewrites the MBR. It's fixable without paying the ransom.
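    As an added illustration (not code from the post, from Fortinet's write-up, or from the malware analysis), the Python script below parses a 512-byte MBR, keeps a copy of its 64-byte partition table, and reports when the partition entries have been zeroed or the boot code replaced, which is the kind of check that tells you whether the data is still where it was before paying anyone. The layout it decodes (446 bytes of boot code, four 16-byte entries, the 0x55AA signature) is the standard MBR format; the two sample sectors, their boot-code bytes and their partition values are constructed for the example.

```python
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 446                    # bytes 0..445: boot code
ENTRY_LEN = 16                        # four 16-byte partition entries follow
ENTRY_COUNT = 4
TABLE_OFF = BOOTCODE_LEN              # partition table starts at byte 446
TABLE_LEN = ENTRY_LEN * ENTRY_COUNT   # 64 bytes, 446..509
SIGNATURE = b"\x55\xaa"               # bytes 510..511
ENTRY_FMT = "<B3sB3sII"               # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(bootcode: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples.

    CHS fields are left zero; this helper only exists to construct sample sectors.
    """
    body = bootcode[:BOOTCODE_LEN].ljust(BOOTCODE_LEN, b"\x00")
    table = b"".join(struct.pack(ENTRY_FMT, st, b"\x00" * 3, pt, b"\x00" * 3, lba, n)
                     for st, pt, lba, n in partitions)
    return body + table.ljust(TABLE_LEN, b"\x00") + SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Decode the boot code, the four partition entries and the boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(ENTRY_COUNT):
        raw = sector[TABLE_OFF + i * ENTRY_LEN: TABLE_OFF + (i + 1) * ENTRY_LEN]
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, raw)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start,
                        "sectors": sectors, "empty": raw == b"\x00" * ENTRY_LEN})
    return {"bootcode": sector[:BOOTCODE_LEN], "partitions": entries,
            "signature_ok": sector[510:512] == SIGNATURE}


def partition_table(sector: bytes) -> bytes:
    """The 64 bytes worth keeping a copy of before anything touches the disk."""
    return sector[TABLE_OFF:TABLE_OFF + TABLE_LEN]


def apply_partition_table(sector: bytes, table: bytes) -> bytes:
    """Write a saved 64-byte table back into a sector, leaving its boot code as-is."""
    if len(table) != TABLE_LEN:
        raise ValueError("partition table copy must be 64 bytes")
    return sector[:TABLE_OFF] + table + SIGNATURE


def diff_mbr(saved: bytes, current: bytes) -> list:
    """Findings that distinguish a rewritten MBR from the saved copy."""
    good, now = parse_mbr(saved), parse_mbr(current)
    findings = []
    if not now["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if good["bootcode"] != now["bootcode"]:
        findings.append("boot code differs from saved copy")
    if all(e["empty"] for e in now["partitions"]) and not all(e["empty"] for e in good["partitions"]):
        findings.append("partition table wiped")
    else:
        for i, (g, n) in enumerate(zip(good["partitions"], now["partitions"])):
            if g != n:
                findings.append(f"partition entry {i} changed")
    return findings


# Constructed sample sectors (not captured from a real disk): a healthy MBR with two
# partitions, and the same disk after its boot code was replaced and the table zeroed.
SAVED_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 40,
                      [(0x80, 0x07, 2048, 204800), (0x00, 0x83, 206848, 409600)])
TAMPERED_MBR = build_mbr(b"LOCK SCREEN STUB (constructed)", [])

if __name__ == "__main__":
    for finding in diff_mbr(SAVED_MBR, TAMPERED_MBR):
        print("finding:", finding)
    repaired = apply_partition_table(TAMPERED_MBR, partition_table(SAVED_MBR))
    for p in parse_mbr(repaired)["partitions"]:
        if not p["empty"]:
            print(f"type 0x{p['type']:02x} at LBA {p['lba_start']} ({p['sectors']} sectors)")
```

    Running it reports "boot code differs from saved copy" and "partition table wiped" for the tampered sector. Writing the saved table back makes the partitions parse again, but `diff_mbr` still flags the boot code, which is the point SuperKendall raises below: restoring the table alone leaves whatever replaced the boot code in place, so the sector's first 446 bytes need restoring from a known-good copy as well.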

  6. Fixable possibly, but be careful anyway... by SuperKendall · · Score: 4, Interesting

    I'd feel a little better about the proposed solution (let a disk utility recover the partitions) if they had actually tried a disk utility to see if it could in fact find the partitions and restore them. It does seem like it should work... and copying that thing back by hand is not a task I'd take on lightly with anyone's data but my own.

    Also wouldn't the thing that messed up the MBR in the first place still be in your Windows installation? I didn't see that they tried to boot from that drive after repairing the MBR. It could be the ransomware is just waiting for you to reboot and will do something nasty if you've not entered the password. It seems like even after a recovery you should take the drive to a different system and back it up immediately before you tried to boot from it again, but they do not mention that.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  7. 1) 2) 2) -- They can't count to three by PatPending · · Score: 3, Funny

    Funny how these crooks can write ransomware but they can't count to three: 1) 2) 2)

    --
    What one fool can do, another can. (Ancient Simian Proverb)
  8. Who would trust them? by kasperd · · Score: 3, Insightful

    Who would actually trust those people to give access to the data after receiving payment? What is the most profitable thing to do after somebody has paid? Give them their data back or demand more money. Granted, very few people would be stupid enough to pay twice. But even if one person would fall for that, it would mean more money to them. And people are more likely to pay more money if they can make it look like the sucker was just unlucky and they didn't intentionally fail to give the data back. For example, make the browser crash at the point where it "should" have shown the password.

    --
    Do you care about the security of your wireless mouse?
    1. Re:Who would trust them? by Opportunist · · Score: 3, Insightful

      Unless word gets out that you don't get your data back after paying.

      And this is the internet. The first thing people will do after this happens is paint it all across Facebook and Twitter.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.