On cracking ransomware

Gpcode is a "ransomware" virus that infects your machine, encrypts your data under some RSA public key, and asks you to pay money to get the decryption key. Kaspersky Labs is trying to start a project to crack the public key, which would allow them to recover the data. According to Kaspersky, they broke an earlier key because it wasn't generated securely, but it sounds like they're trying to attack this one directly. This seems pretty unscalable. Even if they do manage to factor the RSA modulus—which seems unlikely unless they gather a pretty surprising amount of computing power—whoever is releasing the virus can just create a new, longer public key. The whole point of cryptography is to give an insurmountable advantage to the defender. That's not going to change just this time because the people using cryptography are mean.

4 Comments

It would probably be much more convenient to collect money a first time to buy the private key, and then publish it.

Buying the private key will teach a very memorable lesson: applying intellect in crime pays. Expect a version n+1 which has a new public key (they don't run out so easily) as well as lots of copycats (at least some will be good at it)

"It would probably be much more convenient to collect money a first time to buy the private key, and then publish it."

I'd be surprised if you can buy the RSA private key. I'd expect that the malware uses hybrid encryption: creating random session keys when infesting a computer. Money would only buy the session key.

You can only encrypt a message up to the size of the prime with RSA, minus 11 bytes or so for the particular form of padding being used.

So to be effective this virus would have to encrypt a session key and use the session key to encrypt your disk.

Which means that the particular symmetric encryption algorithm being used might be a more attractive target than the RSA private key.
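The "minus 11 bytes" figure in the comments above comes from the PKCS#1 v1.5 encryption padding layout (RFC 8017, EME-PKCS1-v1_5): two header bytes, at least eight non-zero random padding bytes, and a zero separator, leaving k - 11 bytes of payload for a k-byte modulus. The following pure-Python example is added here to make that capacity limit concrete; it is not code from the post or from any of the commenters, and its key is built from two Mersenne primes purely so the numbers are reproducible (that is a constructed, insecure toy key, not how real keys are generated). With a 27-byte modulus the functions can wrap at most 16 bytes, which is why a file-encrypting design has to wrap a short symmetric session key rather than the data itself, and why a longer modulus raises the capacity (117 bytes at 1024 bits, 245 at 2048) without changing the layout.

```python
import os

# Constructed demo key: two Mersenne primes, chosen so the example is
# reproducible. A real key uses random primes of ~1024 bits each; this
# modulus is far too small and far too predictable to protect anything.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+
K = (N.bit_length() + 7) // 8        # modulus length in bytes (27 here)


def max_plaintext_len(k: int) -> int:
    """Largest message EME-PKCS1-v1_5 can carry in a k-byte modulus:
    k minus 0x00 0x02 header, >= 8 bytes of padding, and the 0x00 separator."""
    return k - 11


def eme_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """RFC 8017 section 7.2.1 encoding: 0x00 || 0x02 || PS || 0x00 || M."""
    if len(message) > max_plaintext_len(k):
        raise ValueError(
            f"message too long: {len(message)} > {max_plaintext_len(k)} bytes")
    ps_len = k - len(message) - 3
    ps = bytearray()
    # PS must be non-zero bytes; os.urandom may return zeros, so filter and refill.
    while len(ps) < ps_len:
        ps.extend(b for b in os.urandom(ps_len) if b != 0)
    return b"\x00\x02" + bytes(ps[:ps_len]) + b"\x00" + message


def eme_pkcs1_v15_decode(em: bytes) -> bytes:
    """Reverse of the encoding; rejects malformed blocks."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad padding")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # separator before index 10 means PS shorter than 8 bytes
        raise ValueError("bad padding")
    return em[sep + 1:]


def rsa_encrypt(message: bytes) -> bytes:
    """Textbook RSA applied to the padded block (the padded integer is < N
    because its first byte is 0x00)."""
    em = eme_pkcs1_v15_encode(message, K)
    c = pow(int.from_bytes(em, "big"), E, N)
    return c.to_bytes(K, "big")


def rsa_decrypt(ciphertext: bytes) -> bytes:
    m = pow(int.from_bytes(ciphertext, "big"), D, N)
    return eme_pkcs1_v15_decode(m.to_bytes(K, "big"))


def rsa_can_wrap(payload_len: int) -> bool:
    """Can a payload of this many bytes be RSA-encrypted directly under N?"""
    return payload_len <= max_plaintext_len(K)


if __name__ == "__main__":
    session_key = b"0123456789abcdef"          # constructed 16-byte sample key
    wrapped = rsa_encrypt(session_key)
    print(f"modulus {K} bytes, capacity {max_plaintext_len(K)} bytes")
    print("round trip ok:", rsa_decrypt(wrapped) == session_key)
    print("32-byte key fits:", rsa_can_wrap(32))  # False for this toy modulus
```

The `rsa_can_wrap` check is the practical takeaway for anyone analysing such a sample: the RSA block in the encrypted files can only hold a few dozen bytes, so the material worth recovering from an infected machine is the per-victim session key and the symmetric cipher that uses it, exactly as the last comment suggests.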
