The Digital Rescue Blog

The blog that reveals the technological secrets behind data recovery.

The first ransomware

A Cryptovirus?

Often mistakenly called a "cryptovirus," these are actually "Trojan horses." A Trojan horse is a program or file (such as an invoice in PDF format) that appears legitimate but contains a hidden malicious function inside the file or program.

In this case, the hidden malicious function is ransomware. The Trojan horse simply acts as a discreet carrier for the ransomware.

As the name suggests, ransomware is software designed to extort money for its creator (the hacker). To achieve this, the hacker uses the ransomware to encrypt all your data using RSA encryption, which renders your files unreadable. Ransomware of this type is known as a crypto-locker. So we are dealing with a Trojan horse that carries a crypto-locker type of ransomware.

How It Works

Once installed on your Windows or Android system, the crypto-locker contacts the hacker's server. The server generates a pair of keys: a "private key" that stays on the server, and a "public key" that is sent to the infected PC. Your files are encrypted with the public key; decrypting them requires the private key, which only the hacker's server holds. This is the basis of the ransom demand.

Once encryption is complete, an information file is created in each directory. This file usually contains an identifier so the hacker can recognize your computer to return the private key, the amount of ransom demanded, and the method of payment — typically in bitcoins. To pressure you into paying quickly, you are given only a few days to pay before the private key is deleted or the ransom amount increases significantly.

The First Crypto-Locker

The first known crypto-locker, CryptoLocker, was discovered by Dell SecureWorks in September 2013. It spread via an existing botnet called Gameover ZeuS.

A botnet, short for “robot network,” is a network of computers infected with discreet malware. The owners of infected machines are usually unaware of the malware running silently in the background. These infected machines communicate with each other and with remote servers. Hackers can control them to spread viruses, send spam, launch denial-of-service attacks, and more.

The Gameover ZeuS botnet, estimated to include between 500,000 and 1,000,000 machines, was responsible for distributing the first crypto-locker.

A Russian Hacker

The Russian hacker Evgeniy Mikhailovich Bogachev is believed to be behind the Gameover ZeuS botnet. He is also thought to be the mastermind behind the first crypto-locker. Through his malware campaigns, he fraudulently obtained over 100 million dollars. He has been actively wanted by the FBI for several years. The $3 million bounty placed on his capture speaks volumes about the urgency to bring him to justice.

The botnet managed by Bogachev was permanently shut down in May 2014 during a major international police operation known as Operation Tovar. This effort was made possible thanks to the collaboration of various agencies and private companies worldwide. The discovery of key servers allowed researchers to uncover encryption algorithms, leading to the development of decryption tools.

Bogachev on the Run

According to The New York Times, the creator of the first crypto-locker is currently in Russia, where he is far from living in hiding. In fact, he reportedly enjoys a lavish lifestyle with luxury cars and yachts. The FBI believes Russian authorities tolerate his presence because he allegedly works with the country’s intelligence services. It’s likely the Kremlin is turning a blind eye to Bogachev’s criminal past.

What to Do If You're Infected?

Some crypto-lockers can encrypt data stored in your cloud, on external backups, and on your NAS: anything reachable from the infected machine as a mounted drive or synced folder is within their reach. They may also delete Windows restore points to prevent recovery of unencrypted data.

The best solution is to shut down your computer as soon as you detect encryption activity (files turning into unreadable content or gaining unknown extensions, a ransom note appearing in folders). To recover the data that has not yet been encrypted, boot from a LiveCD, which gives access to your files without starting the installed system and therefore without letting the malware continue to run and encrypt more data.
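To make "detecting encryption activity" concrete, here is an added example (not code from the original post) that scans a directory tree for the two footprints described above: a ransom-note file dropped in each directory, and files whose content looks like ciphertext (high Shannon entropy with no recognisable file header). The note-name patterns, the entropy threshold and the sample tree it builds in a temporary directory are all constructed assumptions for the demonstration.

```python
"""Scan a directory tree for signs of crypto-locker activity.

Added example for this post, not the article's own code. It builds a
constructed sample tree in a temporary directory, then flags (1) directories
containing a ransom-note-like text file and (2) files whose contents look
like ciphertext rather than a known document format. The regexes, thresholds
and magic-number list below are assumptions chosen for the demo.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed heuristics: note filenames commonly contain words like these.
NOTE_NAME_RE = re.compile(r"(decrypt|recover|restore|how_to|readme|ransom)", re.I)
NOTE_BODY_RE = re.compile(r"(bitcoin|private key|decrypt)", re.I)
ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off for "looks encrypted"
MIN_SIZE = 256            # ignore tiny files where entropy is meaningless

# Magic numbers for a few common document types (constructed, not exhaustive).
KNOWN_MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_note(path: Path) -> bool:
    """A small text file with a suggestive name and ransom-style wording."""
    if not NOTE_NAME_RE.search(path.name) or path.stat().st_size > 64 * 1024:
        return False
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return False
    return bool(NOTE_BODY_RE.search(text))


def looks_encrypted(path: Path) -> bool:
    """High-entropy content with no recognised file header."""
    data = path.read_bytes()
    if len(data) < MIN_SIZE:
        return False
    if any(data.startswith(magic) for magic in KNOWN_MAGIC):
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan_tree(root: Path) -> dict:
    """Return {'notes': [...], 'encrypted': [...], 'suspicious_dirs': [...]}."""
    result = {"notes": [], "encrypted": [], "suspicious_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        has_note = False
        encrypted_here = 0
        for name in files:
            p = d / name
            if looks_like_note(p):
                result["notes"].append(p.relative_to(root).as_posix())
                has_note = True
            elif looks_encrypted(p):
                result["encrypted"].append(p.relative_to(root).as_posix())
                encrypted_here += 1
        # A note sitting next to unreadable files is the classic footprint.
        if has_note and encrypted_here:
            result["suspicious_dirs"].append(d.relative_to(root).as_posix())
    return result


def build_sample_tree() -> Path:
    """Constructed sample data: one clean directory, one 'hit' directory."""
    root = Path(tempfile.mkdtemp(prefix="cl_demo_"))
    clean = root / "Documents"
    clean.mkdir()
    (clean / "report.txt").write_text("quarterly report " * 100)
    (clean / "scan.pdf").write_bytes(b"%PDF-1.4\n" + b"A" * 1000)
    hit = root / "Pictures"
    hit.mkdir()
    # Stand-in for ciphertext: random bytes with no magic header.
    (hit / "holiday.jpg.locked").write_bytes(os.urandom(4096))
    (hit / "family.png.locked").write_bytes(os.urandom(4096))
    (hit / "HOW_TO_DECRYPT.txt").write_text(
        "Your files are encrypted. Your ID is <placeholder>. Pay 1 bitcoin "
        "within 72 hours or the private key will be deleted.")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for key, value in scan_tree(tree).items():
        print(key, value)
```

Run it against a real folder by passing your own path to `scan_tree` from a LiveCD session. Note the caveat the entropy check carries: legitimately compressed files without a recognised header (archives, some media) also score near 8 bits per byte, which is why the scan only reports a directory as suspicious when such files sit next to a note-like file.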

Needless to say, paying the ransom is not recommended. Paying only encourages further attacks and offers no guarantee that you'll receive the correct private key — or any key at all.
