Gpcode is a "ransomware" virus: it infects your machine, encrypts your data under an RSA public key, and demands that you pay money to get the decryption key. Kaspersky Labs is trying to start a project to crack the public key, which would allow them to recover the data. According to Kaspersky, they broke an earlier key because it wasn't generated securely, but it sounds like they're trying to attack this one directly.

This seems pretty unscalable. Even if they do manage to factor the RSA modulus, which seems unlikely unless they gather a pretty surprising amount of computing power, whoever is releasing the virus can just generate a new, longer public key and ship it in the next version. The whole point of cryptography is to give an insurmountable advantage to the defender, meaning whoever holds the key. That's not going to change just this time because the people using cryptography are mean.
On cracking ransomware
It would probably be much more convenient to collect money a first time to buy the private key, and then publish it.
Buying the private key will teach a very memorable lesson: applying intellect in crime pays. Expect a version n+1, which has a new public key (they don't run out so easily), as well as lots of copycats (at least some will be good at it).
"It would probably be much more convenient to collect money a first time to buy the private key, and then publish it."
I'd be surprised if you can buy the RSA private key. I'd expect that the malware uses hybrid encryption: creating random session keys when infesting a computer. Money would only buy the session key.
You can only encrypt a message up to the size of the prime with RSA, minus 11 bytes or so for the particular form of padding being used.

So to be effective this virus would have to encrypt a session key and use the session key to encrypt your disk.

Which means that the particular symmetric encryption algorithm being used might be a more attractive target than the RSA private key.
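An added example, not code from the post, the commenters, or Kaspersky, that models the hybrid scheme the last two comments describe and the post's point that a longer key is one call away. It assumes a toy 512-bit RSA key with PKCS#1 v1.5 type-2 padding (so a k-byte modulus can carry at most k - 11 bytes of direct plaintext, the "minus 11 bytes" above) and an HMAC-SHA256 counter-mode keystream standing in for a real block cipher, so that it runs on the Python standard library alone. The victim file contents are constructed sample data.

```python
"""Toy Gpcode-style hybrid encryption: RSA wraps a per-victim session key,
the session key encrypts the data. Illustrative parameters only."""
import hashlib
import hmac
import math
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; adequate for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512, e: int = 65537):
    """Return ((e, n), (d, n)). The virus author chooses `bits`; a longer key
    for version n+1 is just a larger argument here."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def _modulus_bytes(n: int) -> int:
    return (n.bit_length() + 7) // 8


def max_direct_rsa_plaintext(pub) -> int:
    """Largest message RSAES-PKCS1-v1_5 can carry: k - 11 bytes."""
    return _modulus_bytes(pub[1]) - 11


def rsa_encrypt_pkcs1v15(pub, msg: bytes) -> bytes:
    e, n = pub
    k = _modulus_bytes(n)
    if len(msg) > k - 11:
        raise ValueError(f"{len(msg)} bytes; PKCS#1 v1.5 allows at most {k - 11} for a {k}-byte modulus")
    # EM = 0x00 || 0x02 || PS (>= 8 nonzero random bytes) || 0x00 || M
    ps = bytes(1 + secrets.randbelow(255) for _ in range(k - 3 - len(msg)))
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def rsa_decrypt_pkcs1v15(priv, ct: bytes) -> bytes:
    d, n = priv
    k = _modulus_bytes(n)
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    # A networked implementation must not leak why unpadding failed
    # (Bleichenbacher's padding oracle); acceptable for an offline demo.
    if em[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    return em[em.index(b"\x00", 2) + 1:]


def keystream_xor(session_key: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256(key, counter); stands in for a
    real cipher. Safe only because each session key is random and used once."""
    out = bytearray()
    for ctr in range((len(data) + 31) // 32):
        block = hmac.new(session_key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[ctr * 32:(ctr + 1) * 32], block))
    return bytes(out)


def infect(pub, files: dict) -> tuple:
    """Victim side: fresh 32-byte session key, wrapped under the author's public
    key. Only the wrapped key and the ciphertexts remain on disk."""
    session_key = secrets.token_bytes(32)
    wrapped = rsa_encrypt_pkcs1v15(pub, session_key)
    return wrapped, {name: keystream_xor(session_key, data) for name, data in files.items()}


def recover_with_session_key(session_key: bytes, enc_files: dict) -> dict:
    """What buying (or otherwise obtaining) one victim's session key yields."""
    return {name: keystream_xor(session_key, data) for name, data in enc_files.items()}


def recover_with_private_key(priv, wrapped: bytes, enc_files: dict) -> dict:
    """What factoring the modulus would yield: every victim's session key."""
    return recover_with_session_key(rsa_decrypt_pkcs1v15(priv, wrapped), enc_files)


if __name__ == "__main__":
    pub, priv = rsa_keygen(512)
    victim = {"notes.txt": b"quarterly numbers " * 200}  # constructed sample data
    wrapped, enc = infect(pub, victim)
    print("direct RSA limit:", max_direct_rsa_plaintext(pub), "bytes; file is", len(victim["notes.txt"]))
    print("recovered with private key:", recover_with_private_key(priv, wrapped, enc) == victim)
```

Two things fall out of running it. A 64-byte modulus carries 53 bytes directly, so the 3,600-byte file cannot be RSA-encrypted at all without the session-key layer, which is why the first comment's plan of buying "the private key" would, under this design, buy only one victim's 32-byte session key. And recovery with the private key is a single unwrap followed by the same keystream the victim-side code used, so the symmetric layer and its key handling, not the modulus, is where a per-victim weakness would have to be.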