The Dark Side of Data Encryption – Ransomware

Posted on September 13, 2013


Those of you who have heard me speak and read my earlier articles on the subject of Data Security (‘Data Security – It’s in the Name!’) will know my advocacy of encryption as the realistic future for data protection. But following the recent Cryptolocker outbreak of ransomware, I feel it prudent to highlight the challenge with encryption when it goes wrong.

The downside of encryption can be summed up in the form of:

  1. Losing your means to decrypt what you have encrypted, such as losing a security token, which can take many forms: a password, a digital certificate, a PKI (Public Key Infrastructure) key or a rights-managed solution.
  2. Having data maliciously encrypted, which is then often held to ransom.

Point 1 is the equivalent of losing the key to your house. The only problem is that, unlike a house, where you can break in and replace the lock, well-encrypted data is often nigh on impossible to recover.

Point 2 is data kidnapping: although you still have the encrypted packets of data, you are deprived of access to that data pending payment of a ‘ransom’. As in any good Hollywood kidnap film, if the ransom is not paid within a timescale then you pay the forfeit. As with hackers today, this all looks frighteningly professional, as you can see from the screen below. I hope you never get to see this for real…

In the case of encrypted data, the hackers’ ransomware deletes the digital keys that are used to encrypt and decrypt your data. There is no point in looking for the keys on your system either, as these keys are held on ‘command and control’ servers in an unknown and untraceable location on the internet.

The worrying dimension here is you cannot guarantee that paying the ransom will work either!

As for cracking the encrypted data, well, good luck: as you can see in the screenshot above, the hackers are using a VERY strong RSA encryption algorithm that, in the absence of a quantum computer, you are unlikely to break in your lifetime.

So pay the money and follow the cash, I hear you say. Nice one, Inspector Poirot, but we are living in an age of digital currency such as Bitcoin, Ukash or any one of a number of anonymous online payment channels that make that a futile exercise if you’re not the NSA (National Security Agency of the US). I would not bother calling them; they are in lockdown after their own snooping program ‘PRISM’ has gone prime time. PRISM stands for “Planning Tool for Resource Integration, Synchronization, and Management,” and is a “data tool” designed so the NSA can collect and process “foreign intelligence” that passes through American servers.

So how do you get hit by one of these? Well, IF you are running up-to-date, credible, COMMERCIAL-grade anti-virus software such as Sophos, Microsoft Intune or McAfee, then these should prevent the ransomware even installing and you should be safe. Aside from which, you should NOT be clicking on unfamiliar emails and/or their attachments. IF you are stupid enough to click on an attachment from a source communicating under the pretext of deliveries or orders you did not place (common ones are fake FedEx, Amazon or UPS delivery confirmation emails), then you should not expect too much sympathy.

I’m afraid this story has no happy ending. There is no remedy. IF you do get hit by this, paying the ransom does not necessarily clear your system of the ransomware, or guarantee you get your files back, which means it could come back for more. There are protracted manual ways of removing it, and guides abound on the internet, but my advice would be to back up your data and do a clean installation of your OS, for the simple reason that if you have been in the habit of clicking on these types of email attachments then you are likely to have a host of other pieces of malware on your system, and a clean install will mean a clean start.

IF you do a clean install, PLEASE make sure you are running an up-to-date commercial anti-virus software solution as noted above BEFORE you copy your data back onto your system. Copying your data back onto a clean system can simply re-contaminate the PC IF the data is not actively scanned as it is written back, to validate that it is clean.

Cryptolocker is not the first of its kind, but it is the biggest headline grabber to date, heralding a new generation of trouble for users, and in so doing it demonstrates the power of encryption to both protect and deny.

UPDATE 22nd October 2013

Cryptolocker is causing headaches for corporate collaboration systems and cloud storage users. Where they thought data was safe and backed up, it is proving not to be safe, so make sure you back up OFFLINE.

What this means is that any drive mapped to a workstation from any remote file server, cloud storage resource such as iCloud, Dropbox, SkyDrive etc., or content management system such as Documentum, Google Docs, Salesforce or SharePoint is exposed to having its content encrypted and is at risk as noted above.

I am aware of a few systems administrators and other ‘bold’ users of content management systems who map drives at the top (root) level of their information hierarchy for administrative and management purposes. This could have worrying repercussions IF that workstation were hit by such ransomware. Time to restrict those access rights to what each use case actually needs and lock it down, boys!
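To make that exposure visible, here is an added example (my own illustration for this article, not a script from any vendor or from the original post) that lists every network drive mapped on a Windows workstation, works out whether the mapping points at the root of the share rather than a sub-folder, and probes whether the current user can write there. It assumes PowerShell 3.0 or later, the WMI class Win32_MappedLogicalDisk (a real Windows class), and that the user is allowed to create and immediately delete a tiny probe file; the probe file name, the cloud-sync folder names and the risk labels are my own constructed values.

```powershell
# Added example: enumerate mapped drives and flag writable share-root mappings,
# which give any malware running as this user reach over the whole share.
# Assumes PowerShell 3.0+; the probe file name and risk labels are constructed here.

function Get-MappedDriveExposure {
    [CmdletBinding()]
    param()

    foreach ($drive in Get-CimInstance -ClassName Win32_MappedLogicalDisk) {
        $root = "$($drive.DeviceID)\"          # e.g. Z:\
        $unc  = $drive.ProviderName            # e.g. \\fileserver\share\subfolder

        # Strip "\\server\share"; if nothing is left, the mapping is the share root itself.
        $remainder   = $unc -replace '^\\\\[^\\]+\\[^\\]+', ''
        $isShareRoot = ($remainder -eq '')

        # Probe write access by creating and removing a throwaway file (constructed name).
        $writable = $false
        $probe = Join-Path $root ("~ransomcheck-{0}.tmp" -f [guid]::NewGuid())
        try {
            New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
            Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
            $writable = $true
        } catch {
            $writable = $false
        }

        # Risk labels are illustrative: writable + share root means everything on
        # the share is reachable from this workstation with this user's rights.
        if ($writable -and $isShareRoot)  { $risk = 'High' }
        elseif ($writable)                { $risk = 'Medium' }
        else                              { $risk = 'Low' }

        [pscustomobject]@{
            Drive       = $drive.DeviceID
            UncPath     = $unc
            IsShareRoot = $isShareRoot
            Writable    = $writable
            Risk        = $risk
        }
    }
}

# Cloud-sync client folders are exposed in the same way, because the sync client
# pushes whatever is written locally straight to the cloud copy. Folder names are
# the common defaults of the day and are assumptions, not a definitive list.
function Get-CloudSyncFolders {
    [CmdletBinding()]
    param(
        [string[]] $FolderNames = @('Dropbox', 'SkyDrive', 'OneDrive', 'Google Drive', 'iCloudDrive')
    )
    foreach ($name in $FolderNames) {
        $path = Join-Path $env:USERPROFILE $name
        if (Test-Path -Path $path -PathType Container) {
            [pscustomobject]@{ Folder = $path; Present = $true }
        }
    }
}

Get-MappedDriveExposure | Format-Table -AutoSize
Get-CloudSyncFolders    | Format-Table -AutoSize
```

Run it as the ordinary user, not as an administrator: the point is to see what an infection running under that user’s token could reach. Any line reported as High is a mapping to review against the access-rights point above; the fix is to map (and grant write rights on) only the sub-folder the user actually works in, and to keep the offline backup outside every path this script lists.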

Make sure your antivirus is up to date and your email service provider is using credible and up-to-date email spam filtering solutions to help prevent such malware getting to your inbox, and I repeat: BACK UP often and OFFLINE, or at least to a disconnected external cloud storage locale.

Finally, PLEASE uninstall JAVA, or at least disable it! JAVA is the biggest risk surface for these types of attacks; it is woefully full of security holes and has more exploits than any other form of code technology. See my earlier blog on the subject, ‘Oracle puts JAVA users at risk’, and the independent white paper titled ‘The Most Dangerous Code in the World’.

For more information, references and articles: