Ransomware and computer blackmail viruses: a history

Following the detection of the Gpcode blackmail virus by Kaspersky Lab, we examine the history of ransomware and computer blackmail viruses.

The discovery of a computer virus that encrypts hard discs and demands payment to unlock files marks the latest step by organised criminals to extort money from web users.

Kaspersky Lab first detected the Gpcode virus, a variant of an earlier blackmail virus, last Friday.

Scientists were able to crack the earlier virus' encryption, which used a 660-bit key, when it first emerged two years ago, because the virus' author had made mistakes in the coding.

But now the virus is back with 1024-bit encryption, and the author appears to have avoided any coding errors that would compromise the encryption. Scientists have been unable to crack it so far.

"Unfortunately, at the time of writing it is still not clear how the virus spreads," said Kaspersky.

A manual decryption of a 1024-bit key looks unlikely, said Guy Bunker, chief scientist at Symantec.

"Keys using 256-bit encryption can be broken in a few hours on a personal computer and keys of 512 bits have been broken in the past by using the processing power of hundreds of computers at once," he said.

The first public example of a blackmail virus is thought to be the PC Cyborg Trojan, found in 1989, according to a report by researchers Young and Yung.

Blackmail viruses have been on the rise since 2002, as the growth of web commerce and the rise of digital photography have made computers a honey pot for hackers.

Examples include Gpcode, TROJ.RANSOM.A., Archiveus, Krotten, Cryzip, and MayArchive.

Bunker said that although ransomware viruses are not unique in their inception - most up-to-date anti-virus and anti-malware packages should detect them - the dilemma they present to victims eager to recover their files can make them more effective than other types of malware, such as keyloggers.

"The fact that hackers ask for a nominal amount like $50, and not $1,000, means victims might be more inclined to just pay the ransom and avoid the hassle of being without their files," Bunker said.

"Compared with a hacker staring at a screen of keystrokes waiting for the jackpot password to a user's online bank account, this offers a far quicker return for the hacker."

Bunker warned that paying the ransom was no guarantee that the virus would not reactivate a week later and demand further payment. Paying the ransom might further tighten the grip the hacker has on the user.

"If you pay by credit card, for example, are you really going to trust this person not to take any further action?"

He advised that users should keep some form of backup of their files, but that the storage device should be detached from the main computer to prevent the virus spreading.
