Ransomware is a type of malware that uses a weak (breakable) cryptosystem to encrypt the data belonging to an individual, demanding a ransom for its restoration. A cryptovirus, cryptotrojan or cryptoworm on the other hand employs a military-grade hybrid cryptosystem to take data hostage (the field known as cryptovirology predates the term "ransomware").
This type of ransom attack can be accomplished by (for example) attaching a specially crafted file/program to an e-mail message and sending this to the victim. If the victim opens/executes the attachment, the program encrypts a number of files on the victim's computer. A ransom note is then left behind for the victim. The victim will be unable to open the encrypted files without the correct decryption key. Once the ransom demanded in the ransom note is paid, the Cracker will (supposedly) send the decryption key, enabling decryption of the "kidnapped" files. However, if the decryption key is in the file/program then it can be extracted and used without contacting the attacker. This is the case in any such malware that relies on symmetric cryptography alone.
There have been a few malware attacks in the past that have done this. The 1996 IEEE paper by Young and Yung [YY96] reviews the malware that has done this, points out the fatal flaw which is the reliance on symmetric cryptography, and shows how to use public key cryptography to solve this problem (that the attacker faces). [1]
A cryptovirus, cryptotrojan, or cryptoworm is defined as malware that contains and uses the public key of its author. In cryptoviral extortion, the public key is used to hybrid encrypt the data of the victim and only the private key (which is not in the malware) can be used to recover the data. This is one of a myriad of attacks in the field known as cryptovirology.
Since May 2005 malware extortion attacks (that encrypt or delete data) have been appearing in greater numbers. Examples include Gpcode (many variants: Gpcode.ac, Gpcode.ag, etc.), TROJ.RANSOM.A., Archiveus, Krotten, Cryzip, and MayArchive. It is said that Gpcode.ag utilizes a 660-bit RSA public modulus. Crackers appear to be either rediscovering cryptoviral extortion or, perhaps more likely, reading the cryptographic literature on the subject |
