Ransomware The Rise of GP Code


Hewlett-Packard

Ransom Trojan Malware

The Rise of GP Code

UP612443

4/18/2013


Perry Francis

Contents

Table of Figures (page 2)

1. Introduction (page 3)

2. What is Ransomware? (page 3)

3. Ransomware Prevention (page 6)

4. Recent Example of Ransomware (page 7)

5. What is GP: Code? (page 8)

6. Reflection of Topic (page 9)

7. Discussion of Social and Ethical issues (page 9)

8. Conclusion (page 10)

9. Appendix (page 11)

10. Works Cited (page 12)


Table of Figures

Figure 1: Picture of Ransomware attack (page 4)

Figure 2: Framework for Ransomware Prevention (page 6)


1. Introduction

This report presents my research into my chosen security-related area of computing: Ransom Trojan Malware, also known as Ransomware, and a specific family of this malware called GP Code, together with the effect it has had on businesses. The report is a critical evaluation of the topic, documented across a series of chapters that detail what Ransomware is, the current issues surrounding it, and the effect it can have and has had on businesses. I also include real-life cases of Ransomware from a range of different countries and the trends that Ransomware appears to follow in those cases. I give a critical evaluation of GP Code, what it actually does and the effects of this, with a detailed analysis of the two types of encryption it uses, AES and RSA, as well as the professional solutions to this type of Ransomware and how effective they really are. Towards the end of the report I reflect on the decisions made during the investigation and on the limitations of what Ransomware can do. Finally, I discuss the relevant social and ethical issues raised by Ransomware and any other standards relevant to the topic being investigated.

2. What is Ransomware?

2.1. In this chapter I define exactly what Ransomware is. It is a type of malware, also known as malicious software, which is defined as “A set of instructions that run on your computer and make your system do something that an attacker wants to do.” (Edd, 2004) Ransomware is classed as a particular type of malware called a Trojan horse, which is “software that looks like one thing but is actually something else.” (Gibson, 2011) In other words, it is software that appears to be a legitimate program but is in fact malicious software that attaches itself to your computer.

2.2. Having described the type of malware that Ransomware is, I now describe exactly what Ransomware is and its intent towards the user. It is defined as a “piece of software that exploits a user’s computer vulnerabilities to sneak into the victim’s computer and encrypt his or her files; then the attacker keeps the files locked unless the victim agrees to pay a ransom.” (Liao, 2007) The malicious software used to exploit the user’s computer normally takes the form of a Trojan horse, as explained earlier, so the vulnerability the attacker usually relies on to get the Ransomware onto the victim’s computer is the victim downloading software that looks like one thing but is in fact malware; when the victim goes to use this program, the computer is locked.

2.3. Ransom Trojan Malware can lock victims’ computers in a variety of ways, which is definitely an issue surrounding this topic, as a different solution is needed to unblock each different message. Examples include:

“Pay $10.99 via Western Union otherwise you will keep getting this screen” (Liao, 2007)


“One file per 30 minutes will be deleted from the hard drive. Deleted files will be restored when you have paid up and entered the proper unlock code” (Liao, 2007)

“Warning from Metropolitan Police, or other law enforcement agencies, that consumes a user’s entire screen. Warning informs users that some illegal content has been found on their computer and the user won’t be given access to their machine unless they pay the fine.” (Donohue, 2012)

Figure 1: Picture of Ransomware attack

As the figure above shows, the user has been affected by a Ransomware attack. In this case the alleged specialist central e-crime unit has locked the computer, claiming that all activity on the victim’s PC has been recorded and that the victim has engaged in criminal activity including copyright infringement, pornography, pornography involving children under 18, promoting terrorism and so on. As the figure also shows, the fee to unencrypt the information has been set at £100. “This Trojan uses a variety of legitimate payment and financial transfer services, including; Paysafecard, Ukash” (Jawahar, 2012). The message ends by stating that if the fee is not paid in time a criminal case will be opened against the victim automatically. This will almost certainly scare the victim, as it seems very realistic, which is another issue surrounding this topic: the more realistic these messages become, the more people are going to think they have to pay the money demanded by the attackers.

Appendix 1: Typical Ransomware attack and Function methodologies.

Here I have a selection of different Trojan Ransomware types that could attack businesses, the method used to attack the victim and the ransom methods they use. As the appendix shows, the growing trend in Ransomware attacks is for the attacker to ask for more money as time goes on, while the viruses grow more complex, which makes it more difficult to find a solution that prevents Ransomware from taking over.


3. Ransomware Prevention

Figure 2: Framework for Ransomware Prevention

3.1. One of the best ways I found to protect a business from Ransomware is to make sure that everyone in the business is aware of Ransomware and knows what to do when facing this adversary. The framework above is “a four step framework for proactive prevention of Ransomware threats.” (Liao, 2007) In theory, this framework can be adapted to work against any type of Ransomware.

Policy/procedure/regulation

This part of the framework makes sure that the business addresses the minimization of Ransomware in its privacy policy information: “policy with procedure is the first step in protecting corporate from Ransomware threat. It provides a guideline for inexperienced users.” (Liao, 2007)

Access control & Management

To ensure that the business has good access control, security methods such as the following are implemented: “The access control and management can be achieved by a centralized IT structure where multilayer prevention solutions can be efficiently managed by professionals.” (Liao, 2007) This lessens the risk of employees visiting sites they are not allowed to, because blocks will be in place.

Exposure Analysis and Report

The exposure report should be distributed by email or any other instant messaging service the business uses to contact its employees. It should include the updates that protect the business’s computers and the system patches that have been implemented, as well as instructions for working with any new features added to the systems. It will also raise employees’ awareness of any new Ransomware viruses.

Awareness Education and Training

This part of the framework highlights and addresses an issue that Ransomware causes for businesses, as it “threatens to dissuade people from participating in ecommerce” (Liao, 2007). This can have a negative impact on businesses whose source of income is e-commerce: if customers are not confident shopping online, those businesses will suffer because they will not get the customers they could be getting. One way the banks could combat this would be “to educate customers on how to be safe and secure online.” (Liao, 2007) Employees also need training to raise their awareness, “to show employees how Ransomware induced by a security lap can directly impact them and their company.” (Liao, 2007)

4. Recent Example of Ransomware

Appendix 2: Real life case involving Ransomware in an Australian medical centre.

Here I have a real example of Ransomware affecting a medical business in Australia. In this case, as the appendix shows, the hackers encrypted the medical centre’s confidential patient files and asked the centre to pay 4,000 Australian dollars to decipher them. This certainly raises a clear ethical issue, as you would not think anyone would hold a medical centre to ransom. As the owner said, “there's no sign of a virus. They literally got in, hijacked the server and then ran their encryption software.” (Wood, 2012) This raises the question of exactly how the hackers gained access: was it through an employee downloading something they should not have? As the article details later, IT experts were trying to decode the files but appear to have had no luck, and the centre looked certain to pay the ransom.


5. What is GP: Code?

5.1. In this chapter I discuss GP Code and the typical issues surrounding it. To start with, a brief background on the virus and its origins: the “GP code virus was first encountered in Russia in December 2004” (Emm, 2008), and new versions of GP Code have appeared in most years since; every time a solution was found, another strain of the virus appeared.

5.2. GP Code is a more powerful strain of Ransomware that uses a complex encryption algorithm and standard: “It uses encryption in the form of AES with an RSA key to lock the files on your computer” (Wattanajantra, 2011). This makes it a lot more difficult for the user to get their files back, as the RSA key is normally kept by the attacker, who will not give it up until money has been transferred. The way this virus asks for its money also differs from the normal trend of Ransomware payment: “Instead of telling you to wire transfer money, it tells you to use prepaid credit cards, transferring the money that way.” (Wattanajantra, 2011)

5.3. Details of the encryption it uses: AES and RSA

The two types of encryption used by GP Code, as stated in the previous paragraph, are AES and RSA. In this part of my report I explain both.

AES standard encryption

The AES standard, the “Advanced Encryption Standard replaced the Data Encryption Standard (DES) as the symmetric encryption algorithm standard.” (Kaijie Wu, Kuznetsov, & Goessel, 2004) AES is a type of symmetric cryptography, which means “its key is shared between the sender and the receiver which is kept secret from the intruder” (Abdullah Al Hasib, 2008). This keeps whatever AES is protecting confidential from anyone the sender does not want to access it. It means the programmer of GP Code can hold the victim’s files to ransom, and only when the victim gives money to the person behind the attack can that person give the victim the key.

RSA Key

The abbreviation RSA comes from its inventors, “Ronald Rivest, Adi Shamir, and Len Adleman.” (Abdullah Al Hasib, 2008) This part of the GP Code virus is an asymmetric type of cryptography, which “uses a pair of keys to encrypt and decrypt message. One of these two keys is known as public key as it is distributed to others and the other is called private key which is kept secret.” (Abdullah Al Hasib, 2008) In the case of GP Code this means the virus uses one key to encrypt the file, and a different key is needed to decrypt it. But RSA is not as strong as it seems, as the algorithm can be broken by “Brute force, Mathematical attacks, Timing attacks and Chosen Ciphertext attacks.” (Abdullah Al Hasib, 2008) RSA is mainly broken when a short key is used instead of a long one.
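To make the two points of this section concrete (one key encrypts and a different one decrypts; a short RSA key falls to a mathematical attack), here is an added toy example that is not part of the original report. It assumes deliberately tiny primes (the modulus is about 34 bits) so that factoring the modulus, and thereby rebuilding the private key from the public key alone, takes milliseconds; the AES-style file key is represented by a plain integer.

```python
import math

# Toy RSA parameters: p and q are the 9999th and 10000th primes, so the modulus is
# only about 34 bits. Hopelessly small for real use, which is exactly what lets the
# "mathematical attack" below finish instantly.
TOY_P, TOY_Q = 104723, 104729
PUBLIC_EXPONENT = 65537

def rsa_keygen(p, q, e=PUBLIC_EXPONENT):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def rsa_encrypt(public_key, m):
    """Anyone holding the distributed public key can perform this step."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def rsa_decrypt(private_key, c):
    """Only the holder of the secret exponent d can perform this step."""
    n, d = private_key
    return pow(c, d, n)

def wrap_file_key(public_key, file_key):
    """The hybrid scheme the text describes: the symmetric (AES-style) file key is
    itself RSA-encrypted, so the ciphertext left on disk is useless without d."""
    return rsa_encrypt(public_key, file_key)

def factor_by_trial_division(n):
    """Brute-force search for a prime factor of n. Cost grows with sqrt(n), which is
    why this works against a short key and is infeasible against a 1024-bit one."""
    if n % 2 == 0:
        return 2, n // 2
    for f in range(3, math.isqrt(n) + 1, 2):
        if n % f == 0:
            return f, n // f
    raise ValueError("no factor found: n is prime or 1")

def recover_private_key(public_key):
    """Rebuild the private key from the public key alone once n is factored."""
    n, e = public_key
    p, q = factor_by_trial_division(n)
    return (n, pow(e, -1, (p - 1) * (q - 1)))

def unwrap_without_private_key(public_key, wrapped_key):
    """What a responder can do when the key holder's modulus is too short."""
    return rsa_decrypt(recover_private_key(public_key), wrapped_key)

if __name__ == "__main__":
    pub, priv = rsa_keygen(TOY_P, TOY_Q)
    file_key = 0xC0FFEE  # constructed stand-in for a symmetric file key
    wrapped = wrap_file_key(pub, file_key)
    print("unwrapped with private key:", hex(rsa_decrypt(priv, wrapped)))
    print("recovered by factoring n:  ", hex(unwrap_without_private_key(pub, wrapped)))
```

Doubling the bit length of the modulus squares the trial-division work, which is the whole difference between the toy key here and the key lengths RSA is normally deployed with.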


5.4. Solutions to this virus

I have now explained what exactly GP Code is, its origins, and the two types of encryption it uses. I will now explain the solutions that have been devised to stop this type of virus. One solution has been to obtain a signature for the virus and add it to antivirus databases, which act as a type of hash table. This will not always work, however, as GP Code might not always go by the same name.

6. Reflection of Topic

Having completed my investigation, I now reflect on the decisions I made during it and on the issues related to the topic I have chosen. I also discuss the topic and the approach I took to investigating Ransomware and a specific type of Ransomware, GP Code.

I chose to write a report on this topic because Ransomware is a growing danger in the cyber world and in business, and businesses need to be aware of this problem as it can cost them a lot of money and valuable information. I chose to describe GP Code in depth because it is one of the most recent types of Ransomware, and much teaching is needed for companies to combat this virus. A further reason was the types of encryption it uses, AES and RSA, as both are current in the world of cryptography.

The issue I would like to highlight from my investigation, which I feel may cause a lot of problems, is the set of solutions to GP Code. As I have previously explained, the main way GP Code is dealt with is by obtaining its signature and putting it into anti-virus databases. The issue with this is that if the programmers of GP Code decide to change the signature of the virus, it will then manage to evade anti-virus defences.
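The weakness described in section 5.4 and again here, that a signature database behaves like a hash table and a changed sample no longer matches, can be shown directly. The following is an added example, not part of the original report: it builds a hash-based signature database from a constructed (not real) sample, shows that a single changed byte defeats the exact-hash lookup, and shows why defenders layer content-pattern signatures on top of hash lists.

```python
import hashlib

# Constructed stand-in for a malicious executable: a fake header followed by the kind
# of text a screen locker displays. It is NOT a real sample and does nothing.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
          + b"Your files have been encrypted. Pay to receive the unlock key."
          + b"\x00" * 16)

# Content-based signatures: byte patterns a rule engine would search for.
# Constructed for this example.
PATTERNS = {
    "ransom_note_text": b"files have been encrypted",
    "unlock_key_demand": b"unlock key",
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def build_hash_db(known_samples):
    """The 'hash table' of the text: a set of whole-file hashes of known samples."""
    return {sha256_hex(s) for s in known_samples}

def hash_match(hash_db, data):
    """Exact lookup: true only if every byte of the file is unchanged."""
    return sha256_hex(data) in hash_db

def pattern_match(patterns, data):
    """Return the names of all byte patterns present anywhere in the file."""
    return sorted(name for name, pat in patterns.items() if pat in data)

def variant_with_one_byte_changed(data, offset=5, value=0x01):
    """Stand-in for a recompiled or repacked strain: same behaviour, different bytes."""
    changed = bytearray(data)
    changed[offset] = value
    return bytes(changed)

def scan(hash_db, patterns, data):
    """Layered verdict: flag on an exact hash hit or on any content pattern hit."""
    hash_hit = hash_match(hash_db, data)
    hits = pattern_match(patterns, data)
    return {"hash_hit": hash_hit, "pattern_hits": hits, "flagged": hash_hit or bool(hits)}

if __name__ == "__main__":
    db = build_hash_db([SAMPLE])
    print("original:", scan(db, PATTERNS, SAMPLE))
    print("variant: ", scan(db, PATTERNS, variant_with_one_byte_changed(SAMPLE)))
```

The variant still carries the ransom text, so the pattern layer catches what the hash layer misses; in practice defenders add behavioural detection on top of both, since content patterns can change too.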

7. Discussion of Social and Ethical issues

In this chapter I discuss the social and ethical issues and any relevant standards to do with Ransomware. What I found raises ethical issues is holding people’s files to ransom, as this is something you would not do in any social group. The case example of the Australian medical centre also highlights both ethical and social issues: holding a hospital to ransom and demanding large sums of money from it would not be acceptable in any social circle, as it is both illegal and looked upon badly by the public. A social issue I also found with Ransomware is that when the virus is put on the victim’s computer, the message can sometimes claim to be from the FBI or police and accuse the victim of viewing illegal pornography. This is socially wrong because you would not just go up to someone and accuse them of looking at illegal pornography; it would cause anyone accused to grimace. Another issue I found is that the attacker sometimes poses as the police or FBI. This is also ethically wrong, as it is against the law to impersonate a federal officer, and it makes the victim more likely to pay if they think it is the police telling them they have been seen doing illegal activities on the computer, even if they have not!

The standard relevant to this report on Ransomware is ISO/IEC 17799:2005, the code of practice for information security management. This standard is relevant to Ransomware, especially in businesses, because it gives businesses guidelines on how to implement their own security standards for their systems, which in turn will help their employees deal with Ransomware if they come across it.

8. Conclusion

In conclusion, after writing this report on my research into the business security topic of Ransom Trojan malware, I found that it has been having a very negative effect on businesses, especially the particular piece, GP Code, that I evaluated, which I found has been affecting businesses for a long time, not only recently. In this report I have evaluated what exactly Ransomware is and the way it has been affecting businesses. I have also included a real-life case of Ransomware at work, shown in Appendix 2, which demonstrates just what Ransomware can do once inside a system. I have also found a trend that runs through all types of Ransomware: they all encrypt the victim’s files and ask for money, and one thing changing in this trend is that as the years go on the virus asks for more money. I have also included a chapter explaining GP Code and the two encryption keys involved in this virus.


9. Appendix

Appendix 1: Typical Ransomware attack and Function methodologies (page 5)

Appendix 2: Real life case involving Ransomware in an Australian medical centre (page 7)

10. Works Cited


Abdullah Al Hasib, A. A. (2008). A Comparative Study of the Performance and Security Issues of AES and RSA Cryptography. Third 2008 International Conference on Convergence and Hybrid Information Technology (pp. 505-510). Helsinki.

Donohue, B. (2012, 12 21). Ransomware Extortion Scam Locks Machines, Demands Payment. Retrieved from threat post: http://threatpost.com/ransomware-extortion-scam-locks-machines-demands-payment-122112/

Edd, S. (2004). Malware Fighting Malicious Code. New Jersey: Prentice Hall.

Emm, D. (2008, September). Cracking the code: the history of Gpcode. Computer Fraud & Security, Volume 2008, Issue 9, pp. 15-17.

Gibson, D. (2011). Comparing Malware. Microsoft Windows Security Essentials, 23.

Jawahar, N. (2012, December 19). Trojan Locks Computers, Demands Ransom for Bogus ‘Offense’. Retrieved from McAfee: http://blogs.mcafee.com/mcafee-labs/trojan-locks-computers-demands-ransom-for-bogus-offense

Kaijie Wu, R., Kuznetsov, G., & Goessel, M. (2004). Low cost concurrent error detection for advanced encryption standard. Test Conference, 2004. Proceeding. ITC 2004. International, (pp. 1242-1248). New York.

Liao, D. X. (2007). Awareness Education as the Key to Ransomware Prevention. Information Systems Security, 195-202.

Robert Bauchle, F. H. (2006, July). Search Security. Retrieved from Search Security: http://searchsecurity.techtarget.com/definition/encryption

Wattanajantra, A. (2011, April 12). Ransom Trojan takes PC files hostage using unbreakable encryption. Retrieved from the Inquirer: http://www.theinquirer.net/inquirer/news/2042812/ransom-trojan-takes-pc-files-hostage-unbreakable-encryption

Wood, D. (2012, 12 10). Patient records held to ransom in Australia. (A. News, Interviewer)
