Hilarie Orman writes about the history and design of ransomware, which she characterizes as the “evil offspring” of crypto technology.
“The reality of today’s software is that the defenders have all too large an attack surface.” (, p. 89)
The combination of public key cryptography and Bitcoin have created a perfect medium for denial of service attacks: malware encypts some or all of the files on a computer, disables backups, and demands payment to release the system.
Public key cryptography provides a simple and safe (for the attacker) way to manage the encryption keys that are the weapon. And Bitcoin or other cryptocurrency offers a simple, fast, and safe (for the attacker) way to receive the ransom.
Ta daa! Congratulations, we’ve invented a new crime!
Orman continues with an authoritative explanation of how ransomware works. (Not that it is all that complicated.) Besides achieving an initial infection, the main engineering challenge is to be able to encrypt enough of the target system quickly enough This leads to a trade off between key management and encryption speed, and different attacks may choose alternatives.
Bitcoin is by far the preferred payment method (though various anonymous cryptocurrencies may become popular). The digital currency can easily obtained by the victim, and can be laundered very quickly to effectively shield the ultimate recipient.
The Bitcoin blockchain can be used to deliver some of the transaction as well, such as the public key that identifies the victim. In the near future, we may well see “smart contracts” embedded in blockchains that implement ransom payments and the return of recovery keys.
Note that the use of public blockchains means that anyone who has a copy of the blockchain—basically anyone using Bitcoin—has possession of evidence of a crime. This is a technical violation of may contracts and terms of service.
Worse, anyone who participates in the validation of the blockchain is unwittingly actively aiding and abetting a crime. Miners who profit from these transactions are profiting from criminal activity. In some jurisdictions, this is sufficient grounds for police to impound the computer.
Ormon points out that mobile devices and the Internet of Things are vulnerable to these attacks, at least to some degree. It seems clear that we can look forward to the day that our toaster and refrigerator fail, presenting a blue screen demanding ransom to return them to service. I can hardly wait.
As far as defenses are concerned, there aren’t many. Backups are vulnerable because the malware knows all about backups and seeks to subvert them. Only the most paranoid offline backup plans are likely to resist a determined ransomware attack, and that is painful and expensive to implement.
Other preventive measures (strong authentication, firewalls, good channel encryption, etc.) may reduce the probabllity of initial infection, but have little impact on an attack once in progress. Relying on “the cloud” may help, but only if the service provider has substantial defenses. Only if your local systems have nothing of importance on them that isn’t safely stored elsewhere, you have little to fear from ransomware.
Ransomware is vulnerable to counterhacking as much as any software, especially when deployed hastily by less knowledgeable criminals. (The availability of “kits” means that it is possible to purchase the capability to attack without any deep knowledge of the procedures.)
“But most people don’t have the luxury of doing without their data while the experts investigate. Paying the ransom michg et the only practical solution.” (p. 93)
Mostly, we ordinary users are SOL for now. She suggests some enhancements for future systems (starting with wiping out attacks via email attachments), but some of them sound rather exotic and not necessarily coming soon.
This is an excellent article, well worth reading.
- Hilarie Orman, Evil Offspring – Ransomware and Crypto Technology. IEEE Internet Computing, 20 (5):89-94, 2016. http://ieeexplore.ieee.org/document/7676160/