Ransomware

Ransomware is malicious software with which an intruder blocks access to, or use of, data or the entire computer system. Private data on someone else's computer is encrypted, or access to it is blocked, in order to demand a "ransom" for its decryption or release. The name is composed of ransom, the English word for a payment extorted for a release, and ware, following the usual naming scheme for different kinds of computer programs (software, malware, etc.). According to Kindsight Security, there were about 123,000 new variants in the second quarter of 2012.

History

The idea goes back to 1989, when the AIDS TROJAN DISK pest encrypted data by means of an infected floppy disk. The author of this pest was convicted and sentenced to a prison term. One of the first attackers to distribute ransomware via the Internet was the Trojan TROJ_PGPCODER.A, for whose decryption several hundred dollars were demanded.

The 2011 Police Crime Statistics of the state of Saxony-Anhalt cite one case as an example: a single attacker infected 831 computers in that state with blackmail software.

Meanwhile, paid and free modular systems, so-called crimeware kits, with whose help ransomware can be built, have surfaced in underground forums.

How the malware operates

Ransomware can reach a computer by the same channels as a computer virus. These include doctored e-mail attachments such as Trojan horses, which are sent by computer worms that exploit vulnerabilities in web browsers or the absence of a firewall.

For example, e-mails are sent that claim to carry, as an attachment, a zip file containing an invoice or delivery note for ordered goods. Alternatively, it is claimed that the BKA (Federal Criminal Police Office), the Federal Police, GEMA or Microsoft have found evidence of illegal activity on the computer and have therefore locked it.

The infected computer can be blocked in different ways. Simpler and more harmless blackmail attempts manifest themselves only as a notice window that appears at every regular Windows start and cannot be closed; the Task Manager is blocked as well. Inexperienced PC users do not know how to end this lockout. The only way out appears to be to pay the ransom by purchasing a Paysafecard or Ukash card. The amount is credited to the blackmailer by entering the voucher number of the payment system on the infected PC, whereby it is transmitted electronically to the perpetrator, who can then cash it out.

Particularly malicious variants of ransomware have a greater damage potential: in most cases, letters, invoices and other documents created with Office applications, which on Windows systems usually reside in the "My Documents" folder, are encrypted. In principle, every file that is of high importance to the owner of the computer and cannot be recovered is a target, including e-mails, databases, archives and photos. These files are encrypted so that the user no longer has access to their contents. Unlike with spyware, no large amounts of data are moved. Usually the ransomware deletes itself after encrypting the files, in order to complicate analysis of the pest.
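One way a defender can spot documents that have been encrypted in place, as described above, is to look for document files whose format header is gone and whose content has become near-random. The following is an added example, not code from the article; the sample files, the magic-byte table and the 7.5-bit threshold are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Leading bytes of common document formats (assumption: a real scanner would
# carry a fuller table). Compressed formats such as .docx and .jpg have high
# entropy by nature, so an intact header keeps them from being misreported.
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".jpg": b"\xff\xd8\xff"}
DOC_EXTS = set(MAGIC) | {".txt", ".csv"}


def shannon_entropy(data):
    """Entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name, data, threshold=7.5):
    """True when a document-type file has lost its format header and its
    content is close to random, which is what in-place encryption leaves."""
    ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
    if ext not in DOC_EXTS:
        return False
    if ext in MAGIC and data.startswith(MAGIC[ext]):
        return False  # structure intact; high entropy is normal for it
    return shannon_entropy(data) >= threshold


def pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample "My Documents" contents: two intact files, one
# encrypted .docx, and an intact JPEG whose body is high-entropy anyway.
SAMPLE_FILES = {
    "invoice.txt": b"Invoice 2012-07, 3 items, total 120.00 EUR\n" * 100,
    "invoice.pdf": b"%PDF-1.4 " + b"obj endobj " * 300,
    "report.docx": pseudo_random(4096),
    "photo.jpg": b"\xff\xd8\xff\xe0" + pseudo_random(4096),
}


def scan(files, threshold=7.5):
    """Return the names of files that look encrypted, sorted for stable output."""
    return sorted(n for n, d in files.items() if looks_encrypted(n, d, threshold))
```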

To regain access to data encrypted by ransomware, the affected user is prompted by the intruder to send an e-mail to a specified address, visit a web page or fill out a form. In all cases, decryption software or the required password is promised, to be delivered after a payment has been made. Frequently the criminals threaten that all data will be destroyed if the police are contacted. To deny the victim the opportunity to obtain help on information security from the Internet, the hosts file may be tampered with so that access to such websites is significantly restricted.
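The hosts-file tampering mentioned above can be checked for by parsing the file and flagging security-related hostnames that have been pointed at a loopback, unspecified or foreign address. This is an added example, not code from the article; the sample hosts file and the keyword list are constructed assumptions.

```python
import ipaddress

# Constructed sample hosts file: three benign entries followed by entries of
# the kind that cut off access to security vendors and advice sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    printer.lan
127.0.0.1       www.bsi.bund.de
0.0.0.0         www.avira.com   avira.com
127.0.0.1       www.malwarebytes.org
"""

# Hostnames that legitimately map to loopback.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Substrings marking a hostname as security-related (assumption: a real
# deployment would list the vendors and advice sites it actually relies on).
SECURITY_KEYWORDS = ("antivir", "avira", "malwarebytes", "bsi.bund",
                     "kaspersky", "symantec", "mcafee", "microsoft")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address; not a hosts entry
        for host in parts[1:]:
            yield ip, host.lower()


def suspicious_entries(text):
    """Return (hostname, address, kind) for every security-related hostname
    that the hosts file overrides. Loopback/unspecified targets are reported
    as 'sinkholed'; any other target as 'redirected' (to an unknown host)."""
    findings = []
    for ip, host in parse_hosts(text):
        if host in LOOPBACK_OK:
            continue
        if any(k in host for k in SECURITY_KEYWORDS):
            kind = "sinkholed" if ip.is_loopback or ip.is_unspecified else "redirected"
            findings.append((host, str(ip), kind))
    return findings
```

On a Windows system the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems it is /etc/hosts.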

In some cases the attacker provides no way to decrypt the encrypted files at all, so that these files are lost forever unless backups of them exist.

A disadvantage of ransomware that is critical from the attacker's point of view is the need for contact with the victim for the ransom demand and the payment. This can take place via the Internet, for example via online payment services such as PayPal or Ukash. However, it may then be easy for law enforcement agencies to disable the recipient's account and identify the account holder.

Advice for victims

Although, according to a survey, about a quarter of victims would pay a ransom, the Federal Office for Information Security (BSI) advises against complying with the demands in such cases. Even after payment of the ransom it is not certain that the data will actually be decrypted. Moreover, since the victim's willingness to pay has then been revealed, further demands cannot be ruled out. In the case of payment by credit card, the perpetrator would additionally gain access to other private information.

Protection and countermeasures

Important data should be backed up at regular intervals to external media such as CD-ROMs or DVDs, to which ransomware cannot gain access. Such a backup also protects against other causes of data loss, such as head crashes leading to hard drive failure. Although these precautions may not protect against the computer system being locked by ransomware, they at least enable the affected person to restore the previously backed-up data after reinstalling the system.

The pest TROJ_PGPCODER.A uses a very simple encryption that can be reversed without the blackmailer's program. Later versions in part use significantly stronger encryption methods such as RSA, which cannot be cracked now or in the foreseeable future. It is therefore advisable to take preventive measures against ransomware. These include running anti-virus software that is kept up to date, avoiding working with administrator rights, and continuously updating the operating system and the web browser in use. In addition, e-mail attachments from unknown senders should be treated with healthy distrust and deleted unopened.

The malicious programs widespread in the period from 2011 until February 2012 only block access to the data; no encryption takes place. Commercially available anti-virus programs can easily remove some of these pests. Free programs such as MBAM or Avira are sufficient for this, so that no financial loss need occur.
