Malicious software such as computer viruses and worms (collectively known as “malware”) is a persistent problem for computer users, and antivirus service providers constantly deal with new threats. One type of new threat that is currently causing problems for users is termed ransomware.
As its name implies, ransomware is a class of malware which restricts access to the computer system that it infects, and often requires that a ransom be paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the computer's hard drive, while others simply lock the computer; in either case, the ransomware displays messages intended to convince the user to pay the ransom. Apparently, ransomware is a new way for cybercriminals to defraud computer users after the decline of fake antivirus software. According to antivirus service providers, ransomware is one of the top security threat predictions for 2013, and the number of instances of ransomware has continued to increase dramatically since 2011.
Basically, ransomware can be classified into two categories: encrypting ransomware and non-encrypting ransomware. Encrypting ransomware encrypts personal files on the hard drive. More sophisticated ransomware may encrypt the victim's data with a random symmetric key and then encrypt that symmetric key with a fixed public key. By design, the malware author is the only one who knows the necessary symmetric key or the private decryption key. The malware author is then in a position to demand a ransom, and, in some cases, even if the victim pays money to the cybercriminal, the cybercriminal may not decrypt the hard drive. It can be a disaster for a computer user to lose years' worth of data, pictures and files. The situation can be much worse for an enterprise if the malware encrypts all of the data that employees need to access on a corporate network.
The most notorious ransomware to date is “GpCode.” For example, the malware “Trojan-Ransom.Win32.Gpcode.bk” (a Kaspersky detection name) encrypts all user files having any of dozens of file extensions. The malware encrypts documents, pictures, archives, database source files, source code and HTML pages, so all valuable data on the computer becomes unusable. The latest Gpcode variant generates a 256-bit AES key and uses the criminal's 1024-bit RSA public key to encrypt that AES key. Without the corresponding private key, it is nearly impossible to decrypt the encrypted files.
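Because a file encrypted with a modern cipher such as the AES-256 scheme described above is statistically indistinguishable from random bytes, an incident responder can at least identify which files were hit by measuring how uniform their byte distribution has become. The following is an added example and not code from the original document or from any antivirus vendor; it assumes that encrypted output looks random and that the original files were structured documents, and the thresholds and sample inputs are constructed for illustration rather than measured from real malware.

```python
"""Entropy-based triage for files that may have been encrypted by ransomware.

Added example, not code from the original document. It assumes that a file
encrypted with a modern cipher (such as the AES-256 scheme described for
Gpcode) is statistically indistinguishable from random bytes, so a document
whose byte distribution suddenly looks uniform is a candidate for review.
Thresholds below are constructed for illustration, not measured from malware.
"""
import math
import secrets
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant file, up to 8.0
    for uniformly random data. Plain text and office documents usually sit
    well below 7; compressed or encrypted data sits above 7.9."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution. For random
    data of a few KB this hovers around 255 (its degrees of freedom);
    structured files score far higher. It catches cases entropy alone can
    miss, e.g. a base64-like file with high entropy but a restricted
    alphabet."""
    if not data:
        return 0.0
    expected = len(data) / 256
    counts = Counter(data)
    return sum(((counts.get(b, 0) - expected) ** 2) / expected for b in range(256))


def looks_encrypted(data: bytes, entropy_threshold: float = 7.9,
                    chi_threshold: float = 400.0) -> bool:
    """Flag data that is near-maximal entropy AND close to uniform.
    The thresholds are constructed defaults, not vendor-measured values."""
    return (shannon_entropy(data) >= entropy_threshold
            and chi_square_uniform(data) <= chi_threshold)


# A few well-known file signatures (magic numbers). Losing the magic number
# that a file's extension promises is a second, independent signal.
MAGICS = {b"%PDF": "pdf", b"PK\x03\x04": "zip/office", b"\x89PNG": "png"}


def lost_magic(data: bytes, expected_kind: str) -> bool:
    """True when the data no longer starts with the magic number expected
    for the given kind of file."""
    return not any(data.startswith(m) for m, k in MAGICS.items() if k == expected_kind)


def triage(samples: dict) -> dict:
    """Return {filename: looks_encrypted} for a mapping of filename -> bytes."""
    return {name: looks_encrypted(blob) for name, blob in samples.items()}


# Constructed sample inputs: a plain-text "document", a tiny fake PDF, and a
# blob of OS randomness standing in for ciphertext written by ransomware.
SAMPLES = {
    "report.txt": b"Quarterly report: revenue grew 4% in Q2. " * 200,
    "invoice.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 100,
    "invoice.pdf.locked": secrets.token_bytes(8192),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:22s} H={shannon_entropy(blob):.3f} "
              f"chi2={chi_square_uniform(blob):8.1f} "
              f"encrypted={looks_encrypted(blob)}")
```

Run on a directory walk, the two statistics together give a quick list of files whose contents have become uniform noise; combined with the magic-number check, a responder can separate files that were merely renamed from files whose contents were actually replaced by ciphertext, which is the set that only the private key (or a backup) can restore.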
Current technology used to combat ransomware involves techniques applied after the encryption has occurred. For example, for ransomware that uses a custom encryption routine, one antivirus service provider provides special software tools to decrypt the files after reverse-engineering the encryption routine found in the virus body. In addition, if the malware creates a new encrypted file in a different location and then deletes the original file, it is sometimes possible to recover the original file with disk recovery tools such as “PhotoRec.” Unfortunately, with the evolution of ransomware and its use of stronger and stronger cryptography, it can be impossible to decrypt the files after infection.
Thus, almost all current techniques rely upon recovering from the ransomware infection. But the user's data cannot be recovered if the cryptography is strong. Relying upon periodic backup of files is often not practical because not all users will perform this task. And, in some cases, users back up their files on the same hard disk, or on a separate hard disk that may also be affected by the malware. Accordingly, new techniques are desired that can effectively combat ransomware.