Adam L. Young and Moti Yung write this month in Communications of the ACM about their research from the 1990s, which developed the concept for what they called “cryptovirology” [1]. This is, of course, what we now call “ransomware”. These folks described the “business model” for ransomware very precisely circa 1997, including the use of electronic money.
As they comment, at the dawn of the Internet, they imagined and described in detail the fundamental technology that is used in “ransomware”. They say that this was a mashup (a term that barely existed in 1997!) of malware with public key cryptography, an innovation which few people had thought of at the time. (Evidently, they also had graphic images in mind from the original Aliens film. Whether this has much to do with the technology, it certainly sets the mood for the grim business of life-sucking infestation.)
The researchers make the interesting point that this is one of the first cases where cryptography has been used as an offensive weapon. Most uses of cryptography are purely defensive, and cryptanalysis aims to penetrate the defenses. Ransomware uses cryptography to inflict devastating damage.
The paper describes the interesting asymmetrical nature of the malware attack:
“We discovered that public key cryptography holds the power to break the symmetry between the view of an antivirus analyst and the view of the at- tacker. The view of the antivirus analyst is the malware code and the public key it contains. The view of the attacker is the malware code, the public key it contains, and the corresponding private key. The malware can perform trapdoor one-way operations on the victim’s machine that only the attacker can undo.” ([1], p. 25)
They also warn that today’s splashy ransomware attacks are the tip of an iceberg of possible mischief, There are a variety of attacks that can be made with this approach, most of which is completely undetected by conventional defenses. A glance at the design of Stuxnet and other NSA tools will give a flavor of what kind of covert subversion might be possible.
These scary warnings aren’t accompanied by any simple solutions. (Well, ‘don’t use Microsoft Windows’ is probably good advice, in general.)
I note that much of current security research is irrelevant or even helpful to ransomware attacks. Faster computers and stronger cryptography will only make ransomware even more powerful and dangerous. PKI has become ubiquitous for routine protection, but it is also the key to ransomware. Distributed ledger systems enable secure digital money (e.g., Bitcoin), but this is also the perfect payment system for extortion. “Every exit is an entrance”, as they say.
This is a neat article by some legit pioneers.
- Adam L. Young and Moti Yung, Cryptovirology: the birth, neglect, and explosion of ransomware. Commun. ACM, 60 (7):24-26, 2017. https://cacm.acm.org/magazines/2017/7/218875-cryptovirology/fulltext
Adam L. Young, Moti Yung, Cryptovirology: the birth neglect and explosion of ransomware
Robert McGrath's Blog 