July 24, 2006 12:03 PM PDT
Beware of ransomware, firm warns
Hackers are using sophisticated ransomware, which is malicious code, to hijack a company's user files, encrypt them and then demand payment in exchange for the decryption key, Kaspersky Labs said on Monday. The security specialist said that the encryption algorithms used by cybercriminals are becoming increasingly complicated, foxing antivirus companies.
"There's a potential situation where antivirus companies won't be able to decrypt the files," said David Emm, senior technology consultant at Kaspersky U.K. "Within a corporation, the IT department normally backs up files. The danger is where attacks are launched at smaller businesses (without IT departments) and individuals."
Trojan horse programs can be sent out as spam or hidden on malicious sites. Once a machine is infected, files are either encrypted individually or grouped together and locked in a password-encrypted folder.
Strong algorithms such as RSA public key encryption, one of the most popular technologies, are increasingly being used by criminals to foil the decryption techniques used by antivirus companies.
Since January, Kaspersky has seen an increase in the strength, from 56-bit to 660-bit keys, of the encryption being used by hackers to lock files. "Virus writers' attitude to date is that encryption only needs to be strong enough. It's alarming that we're now getting onto the level of serious encryption," Emm said.
Kaspersky claims to have seen an increase in the amount of ransomware, but says it has not seen an epidemic. "It seems to have been escalating, but it's just one weapon within their arsenal," Emm said.
Antivirus vendor Sophos said businesses should not have a problem with ransomware, as their files will have been backed up.
"If your data is backed up, you can recover," said Graham Cluley, senior technology consultant for Sophos.
For Sophos, a bigger problem is "filenapping." Once a machine is infected, all files and information are copied and wiped from the original system. A victim must then pay a ransom to recoup their filenapped data.
Sophos said it was not seeing "a tidal wave of activity," but confirmed that encyption algorithms used are getting more sophisticated.
Last month, the U.K.'s Greater Manchester Police decided not to pursue the criminals who used a Trojan horse program called Archiveus to lock a Rochdale woman's files and demand a ransom to release them.
Tom Espiner of ZDNet UK reported from London.