Cryptolocker, a particularly vicious form of malware that first appeared in September 2013, is a game-changer. After getting into your computer, it will encrypt all your data files, from your Word documents to your photos, videos and PDFs. It will then ask for a ransom of around $US300 or 0.5 bitcoins to get them back. It has been one of the most commented-on developments in computer security circles in recent times, and copycats are appearing.
Criminals have been trying to make cryptoviruses of this kind work effectively for decades, but only now have they got it right. You can take some simple steps to protect yourself, but this threat is going to grow globally for some time.
Far from being a surprise, the arrival of Cryptolocker was easy to predict. I’ve taught cryptoviruses for more than 10 years in my lectures, and others have been aware of the threat for nearly 20 years. But Cryptolocker is the first example of the technique working on a large scale and for a sustained period of time.
From the brightest brains to your desktop
Credit where credit is due: Cryptolocker is the work of one or more criminals, who are probably netting tens or hundreds of millions in ransoms, but the original concept was fully developed in the mid 1990s by Moti Yung, a cryptography researcher at Columbia University who now works for Google, and his PhD student at the time, Adam Young.
Fortunately, criminals aren’t known for their love of academic papers so the cryptovirus proposed by Yung and Young went largely unnoticed outside the academic community for nearly 20 years.
In some ways that’s a good thing. We were spared from falling victim to this scam for a while. But on the other hand, if we’d paid more attention to these two brilliant researchers in the first place, we might have been better placed to have stopped or at least limited the damage Cryptolocker and similar ransomware has done and will undoubtedly inflict in the near future.
Until Cryptolocker, other criminals had tried in vain to produce a virus that could hold your files hostage until money exchanged hands. They were largely isolated attempts by individuals and most fell apart at the seams because the people behind them only had a passing knowledge of cryptography.
Most were epic fails and could hardly even be called cryptoviruses. The AIDS trojan, CryZip, Skowor and Arhiveus are all examples of attempts to produce a virus that could hijack a computer’s files but all achieved only limited success because the brains behind them didn’t quite make the grade. More technically, they didn’t use public key encryption so they were all easy to reverse engineer in order to extract the key without paying.
The first real threat was the PGPCoder/GPCode family of cryptoviruses. The author behind this malware updated it every time antivirus companies announced a breakthrough, using trial and error to stay ahead of the game.
The authors of Cryptolocker, on the other hand, seem to have got the recipe right the first time. That would suggest they are well-educated people who are versed in cryptography. But even these smart cookies don’t appear to have read the papers produced by the Columbia researchers since they haven’t implemented the virus in exactly the way Yung and Young suggested.
A recent survey of just over 1500 UK computer users showed that 3.4 per cent said they had been affected by the Cryptolocker virus, suggesting that many more people than expected could have fallen victim. Of those who had been affected, a shocking 41 per cent claimed to have paid the ransom.
If these figures play out across the general UK population, we are looking at a multi-million pound operation — one of the most successful of its kind.
Bitcoin has played an important role in Cryptolocker’s success, which might partially explain why it has thrived where others have failed. Before bitcoin, it was easier to investigate online payments. Now, with cryptocurrencies like these, ransom payments are hard to trace.
The battle continues
At least some of the ill-gotten gains secured from Cryptolocker are likely to be reinvested. The criminals behind it will likely pay for access to bigger botnets to reach a wider base of victims. Future versions of the virus will in all likelihood be more prevalent and will extend across other platforms, like smartphones and tablets.
This is the easy part though. Once you’ve got the code, infecting millions of computers is relatively straightforward. It’s making users pay that will become an increasingly challenging area for the criminals.
Let’s hope that they still haven’t wised up to using academic writings as a source of inspiration. Some of the more recent work of the Columbia duo, as well as some of the research going on at my university, would prove very handy indeed.
Convincing a customer (even an unwilling one) to pay is basically an economic problem, and involves techniques that could include extortion, bargaining, price discrimination and similar classical economic approaches. All kinds of tips on how to make this work to the criminal’s advantage are out there, in economic theory. There are also quite interesting examples of viruses and bacteria that have spread for millions of years while continuously involved in relations with their environment that resemble blackmail. Those could also help forecast criminals’ future strategies.
Back up everything
But for now there is one very simple, clear-cut action to take if you want to avoid falling into the hands of Cryptolocker. It is a highly sophisticated tool, but the worst can be avoided with very simple precautions: you must regularly back up all your data. You should do it carefully, using offline backups like an external hard drive that can’t be easily accessed by malware once it has entered your system.
In the meantime, we in academia will keep working to stay ahead of the criminals, by 20 years or more.
Julio Hernandez-Castro is Lecturer in Computer Security at University of Kent. He does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.