Wednesday, June 18, 2008

Gpcode and the "Long Tail" of Ransomware

Many years ago, when I used to work in parts of the world that were considered unsafe (e.g. Washington D.C.), I was sent by my former employers to a day course on "kidnapping and ransom insurance" so I would know what to tell my abductors if I were ever bundled into a stolen SUV, tied up with coarse ropes, and held for ransom in a damp basement somewhere.

(Note to any would-be potential kidnappers - the policy I'm referring to above lapsed over a decade ago. Please take me off your list.)

Aside from the surge of vanity that came over me at the thought that I might be of value to a kidnapper, one of the other things that struck me as strange during this briefing was that their instructions went against everything I'd ever seen in a movie.

In fact, what my instructors advised me to do was this: be boring. Do *not* try to be a hero and/or try to escape (this was, according to them, when most injuries/deaths happen). Tell the kidnappers the dollar amount you're insured for - and hand them the phone number of your insurance company (this was conveniently printed for me on a plastic-coated, wallet-sized card).

I was to do zero negotiating myself - they were adamant about this. It was critical to tell the kidnappers the correct dollar amount. It needed to match the dollar amount the kidnappers would hear upon calling the insurers.

According to these guys - who, despite the apparently exciting nature of their work, were insurance salesmen - having this "fixed value" would be helpful in reducing the time in captivity and the phone number/trusted party would keep me alive.

Not only would it reduce the "back and forth" of negotiations, and allow everyone to get back to a happy place (i.e. home/the jungle) faster, it would reduce the possibility of a "long tail" - which is the (belated) subject of this blog.

What is the "long tail", in kidnapping terms? That's what happens when your distressed wife empties out your bank accounts, then drives to the allotted meeting point under the train tracks on 10th Avenue at midnight, expecting to see your bloodied and battered face in the headlights - only to be told by the kidnappers "we want more".

I could keep telling this story, but you can probably see where this is going. The first demand was simply the start of a very long process of wringing every last dollar out of the "channel" - in this case, the distressed spouse, her family, your family, your employer. This, dear reader, is the "long tail" of kidnapping. And this, unfortunately, is also what occurs in the kidnapped home computer version of our story.

By now, everyone has probably heard of "ransomware" - the kind of virus that somehow gets onto your c: drive, encrypts your data using terrorist-grade encryption, then asks you to buy a "key" to unlock it.

Failure to buy the key, the hackers warn, will cause your data to be "publicly released" (almost always a bogus claim, because they don't have the server space to store your 80 gigabytes of downloaded videos, along with everyone else's).

Alternate claims include the threat that your personal data will be permanently deleted on date "x" (also bogus - because most of these programs don't include a "delete" function), or rendered "permanently inaccessible" (unfortunately, probably true).

You may have also heard via the media that there is a new version of this form of malware, identified last week by Kaspersky as the "Gpcode.ak virus", that will wrap your personal data up into a ball and then encrypt it using a 1024 bit key.

How much encryption is 1024 bits? A lot. The government standard-length key used by your browser to encrypt transactions is billions of times easier to crack. In fact, the largest number that has ever been factored by anyone was this number, and according to several experts, that outcome has been achieved precisely once.

What this all means is that unless you can get your hands on the key (or find some flaw in the implementation of the encryption mechanism, which is what Kaspersky is attempting to do, in partnership with other security firms), your data is staying locked up. Which leaves you with a stark choice: either give up on your data permanently, or pay the ransom demanded by your kidnappers.

My advice? Do *not* pay the money.

Yes, I know - this contradicts my opening story. But in the real world example that I provided above, an entire industry has gone to work to understand the myriad factors at work when a real-world kidnapping is committed, and has determined that the best course of action is a one-time payment, negotiated via experts, and executed via a trusted party.

In the case of ransomware, or the kidnapping of your computer data, no such trusted party exists, and there is no guarantee that the first payment isn't simply the start of a "long tail" that could get extremely ugly.

How long? How ugly? Well, let's look first at the payment mechanism - do you really want to give these hacker/ransomware guys a credit card? Do you really think they'll just ding it once and send you a receipt? Of course not.

Sure, you could potentially bypass that problem by using a debit card purchased from that nice lady at the mall - and you could potentially have them send you the key to a free email account you'll use only once - but what if they send you an executable? Do you think it will just install and magically unlock all that personal data that has been sewn up and then uninstall and you'll never hear from the hackers ever again?

Talk about a "long tail" - when I think of all the possible things that their "data unlocking" executable might include, and could do to your credit, your bank accounts, and your PC over time (please see yesterday's post on Man in the Middle attacks for one example), it makes buying a new PC look like a cheap option.

Which brings us to the happy ending: the reason that ransomware has yet to become a plague on the computing subset of humanity is that most folks, by the time they get set to enter their credit card or unlock their data using the "unencrypt" package they just received via Hotmail, have cycled through the above options, made the right call, and said "goodbye" to their data.

That's what you should do too.

ADVICE #1: PC users have one excellent option available for thwarting potential hostage takers that unfortunately doesn't exist in the real world: it's called "data backup". If you haven't already reached for your backup drive after reading this, now would be an excellent time to do so. One backup a day, and you'll never feel like a victim. Easy.
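A backup is only worth something if you know the copy is intact and can tell when the live files have been tampered with. The script below is an added example, not code from the original post or from any vendor it mentions: it snapshots a directory into a backup folder with a SHA-256 manifest, then verifies the live tree against that manifest and flags changed files whose new contents look encrypted (byte entropy close to 8 bits per byte). All paths and sample files are constructed inside a temporary directory; the "infection" in the demo is simply one file overwritten with random bytes and another deleted.

```python
"""Snapshot a directory with a SHA-256 manifest, then verify the live copy.

Added example, not from the original post. Paths, file names and the
simulated damage in demo() are all constructed for the demonstration.
"""
import hashlib
import json
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(src: Path, dest: Path) -> dict:
    """Copy every file under src into dest and write manifest.json (relpath -> sha256)."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[str(rel)] = sha256_of(p)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(src: Path, manifest: dict, entropy_threshold: float = 7.0) -> dict:
    """Compare the live tree with the manifest.

    'missing' lists files that disappeared, 'changed' files whose hash differs,
    and 'suspect' the subset of changed files whose new content is high-entropy,
    which is what mass encryption looks like from the outside.
    """
    report = {"missing": [], "changed": [], "suspect": []}
    for rel, digest in manifest.items():
        p = src / rel
        if not p.exists():
            report["missing"].append(rel)
            continue
        if sha256_of(p) != digest:
            report["changed"].append(rel)
            if shannon_entropy(p.read_bytes()) >= entropy_threshold:
                report["suspect"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: back up two text files, then damage the live copies."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        live.mkdir()
        (live / "notes.txt").write_text("quarterly numbers " * 200)
        (live / "letter.txt").write_text("dear sir " * 300)
        manifest = snapshot(live, backup)
        # Simulated damage: one file replaced by random bytes, one deleted.
        (live / "notes.txt").write_bytes(os.urandom(4096))
        (live / "letter.txt").unlink()
        report = verify(live, manifest)
        # The backup copy was never touched, so the original is still there.
        restorable = (backup / "notes.txt").read_text().startswith("quarterly")
        return {"report": report, "restorable": restorable}


if __name__ == "__main__":
    print(demo())
```

Run the verify step on a schedule against the manifest of the last snapshot; a sudden jump in "suspect" entries is the signal to stop and restore, not to keep backing up (which would overwrite good copies with encrypted ones). Keep the backup destination somewhere the running system cannot write to routinely, for the same reason.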

ADVICE #2: Since I wrote this, Kaspersky has posted a happy ending of their own - a free utility based on Christophe Grenier's PhotoRec utility that Kaspersky claims will restore data and file paths erased by Gpcode. You can get it here. Kaspersky suggests that users who have suffered from Gpcode donate to the author of the PhotoRec utility rather than pay cybercriminals. I agree.

Note: Don't count on this fix working the next time - it is going to get harder as the Gpcode versions get higher. Back that data up!
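Why a photo-recovery tool helps at all: PhotoRec ignores the filesystem and scans raw disk blocks for the header and footer bytes of known file types, so it can pull back files whose directory entries were deleted but whose blocks have not yet been overwritten. The carver below is an added, simplified illustration of that technique, not PhotoRec's code and not Kaspersky's utility. The JPEG, PNG and PDF signatures are the real ones; the disk image, its directory table and the file contents are constructed in memory, including a high-entropy blob that stands in for an encrypted copy and, having no recognisable header, is never carved. Names are not recovered this way, only content, and nothing comes back once the blocks are reused, which is the reason behind the note above.

```python
"""Signature-based file carving over a raw image, PhotoRec-style.

Added example, not PhotoRec's or Kaspersky's code. The image and its
"directory table" are constructed in memory for the demonstration.
"""
from dataclasses import dataclass

# (header, footer) byte signatures for each type the carver knows about
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
BLOCK = 512  # block size of the toy disk


@dataclass
class Carved:
    kind: str
    offset: int
    data: bytes


def carve(image: bytes, max_size: int = 1 << 20) -> list:
    """Scan the raw image for header/footer pairs, ignoring any filesystem."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head), start + max_size)
            if end < 0:          # header without a footer in range: skip it
                pos = start + 1
                continue
            end += len(tail)
            found.append(Carved(kind, start, image[start:end]))
            pos = end
    found.sort(key=lambda c: c.offset)
    return found


def make_fake(kind: str, payload_len: int) -> bytes:
    """Constructed file of the given type: real signature, dummy body."""
    head, tail = SIGNATURES[kind]
    return head + b"A" * payload_len + tail


def build_image() -> tuple:
    """Lay constructed files out block-aligned; return (image, directory)."""
    files = {
        "holiday.jpg": make_fake("jpg", 690),
        "invoice.pdf": make_fake("pdf", 290),
        # stand-in for an encrypted copy: deterministic high-variety bytes,
        # no header or footer a carver could recognise
        "holiday.jpg.enc": bytes((i * 37 + 11) % 256 for i in range(2048)),
    }
    image = bytearray()
    directory = {}
    for name, data in files.items():
        directory[name] = (len(image), len(data))
        image += data
        image += b"\x00" * ((-len(data)) % BLOCK)
    return bytes(image), directory


def delete_entry(directory: dict, name: str) -> dict:
    """An ordinary delete: drop the directory entry, leave the blocks alone."""
    return {k: v for k, v in directory.items() if k != name}


def recover_deleted() -> dict:
    """Delete the two originals from the table, then carve them back out."""
    image, directory = build_image()
    after = delete_entry(delete_entry(directory, "holiday.jpg"), "invoice.pdf")
    carved = carve(image)
    return {
        "listed_after_delete": sorted(after),
        "carved": [(c.kind, c.offset, len(c.data)) for c in carved],
        "jpeg_intact": any(c.data == make_fake("jpg", 690) for c in carved),
    }


if __name__ == "__main__":
    print(recover_deleted())
```

Two things the demo makes visible: the directory table lists only the encrypted copy after the delete, yet both originals carve out byte-for-byte intact because their blocks were never overwritten; and the carver finds nothing in the encrypted blob, so this route only works while the plaintext blocks survive.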

ADVICE #3: Make sure your browser disallows "drive-by downloads" - or downloads from unknown or non-trusted sources - so you can avoid getting hit by Gpcode and its clones at the outset. The best solution in this area is Authentium's very own SafeCentral.
