With ransomware on the rise, cryptographers take it personally

The security industry is not doing enough and it's going to get worse, they said

Some of the world's leading cryptographers are concerned about the increasing number of malicious programs that hold computers and mobile phones to ransom, in many cases by abusing the encryption algorithms they designed.

Despite law enforcement efforts to disrupt ransomware operations, the prevalence of such programs continued to grow last year, according to a report published Thursday by antivirus vendor F-Secure.

A family of ransomware programs known as Browlock, which impersonates police agencies and asks users to pay fictitious fines in order to regain control of their computers, was one of the top 10 PC threats during the second half of 2014, according to F-Secure's statistics. An increase was also observed among the ransomware threats for Android phones.

While Browlock only prevents users from accessing their desktop, there are other ransomware programs that are much more aggressive and hard to recover from. These threats include Cryptolocker, CryptoWall and CTB-Locker, which encrypt users' files with strong cryptographic algorithms, making it impossible to recover them in the absence of unaffected backups or without paying for the decryption keys.

In what is almost a testament to how audacious and effective these threats are, there have already been several cases of police departments being forced to pay criminals to decrypt their files.

"I think it's a very serious problem," said Adi Shamir, co-inventor of the widely used RSA cryptosystem, when asked about ransomware on a discussion panel at the RSA security conference earlier this week. "It's going to stay with us and we need to think about new techniques to stop it."

Shamir believes that ransomware is an area where the security community failed "in a miserable way," because there are no good products to protect against it. And this is just the beginning, he thinks.

Today ransomware can affect your PC or your mobile phone, but it's only a matter of time until your smart TV and other Internet of Things devices will also be held to ransom, he said.

That time is probably not too far in the future. F-Secure noted in its report the emergence last year of a ransomware program called SynoLocker that infected network-attached storage (NAS) devices made by a company called Synology.

Most file-encrypting ransomware threats use public-key cryptography, where the data is encrypted with a public key that's part of a public-private key pair. Recovering this public encryption key from infected systems does not help, because only the private key, which attackers retain on their servers, can be used to decrypt the data.

Public-key cryptography underpins some of the Internet's most widely used security protocols including SSL/TLS and GPG.

When introducing the topic of ransomware, the RSA panel's moderator, Cryptography Research President Paul Kocher, described it as "the pure evil incarnation of public-key cryptography."

MIT professor Ron Rivest, co-inventor of RSA with Shamir and Leonard Adleman, noted that while cryptography is used mostly for good, as most technologies, it can also be used for bad.

Despite knowing this, the abuse of the RSA algorithm by many ransomware programs, makes him feel "sort of like a mother whose son was brainwashed and left to become a jihadist in Syria," he said.

The ransomware problem is not restricted to attackers encrypting other people's data, said Whitfield Diffie, one of the pioneers of public-key cryptography. In order to do pull off a ransomware attack, criminals need to first penetrate someone's computer and use some sort of exploit, he said.

Once an attacker has that level of access on a system, even if the potential data loss problem is solved, they will find something else to blackmail the user with, he said.

Another thing to point out is that the ability of ransomware creators to extort money from users depends in part on anonymous payments, Rivest said. Anonymous communications between people is essential for democracy, but the value of anonymous payments is debatable, he said.

Most file-encrypting ransomware programs require payments to be made in Bitcoin.

The abuse of encryption algorithms is certainly not going to stop cryptographic research and advances. However, it will be interesting to see if the ransomware problem will make its way into the rhetoric of government officials, who are increasingly pushing for ways to bypass encryption so that police and intelligence agencies can perform lawful intercepts.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityf-secureencryptiondata protectionmalwarefraud

More about F-SecureinventorMITNASRSASynology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts