Monday, June 16, 2008

Let’s crack RSA! Yoo-hoo!

Ransomware is a well-known type of malware that is a clear demonstration of how pathetic the scriptkids sometimes become in an attempt to make a few bucks (for an ice cream?).

On the other hand, a fresh sample of ransomware gives AV vendors a unique opportunity to spin an interesting and flashy story, as the general public is probably too tired of the constant “mobile threats” or “invisible rootkits”.

This time, however, it sounds like the drama around Gpcode.ak went too far with the new initiative to join the world’s best minds in an attempt to "crack" the RSA encryption algorithm with a 1024-bit key and finally decrypt the files encrypted with Gpcode.ak.

This initiative sounds a bit awkward considering the ratio between the malware forces and the number of analysts who combat them. It completely ignores how easy it is to release Gpcode.al, Gpcode.am, and so on, where slight tweaks in the code would render any decryption solution developed so far useless.

To put it more simply: by stripping off RSA encryption completely, a new variant of Gpcode might first delete the files, then lock the machine and demand that a ransom be paid before the deleted files are permanently wiped from the hard disk. Any attempt to "mess" with it (power off, terminate the process), and the files are gone forever. In that scenario, all the effort spent recovering from the damage done by one particular variant ("ak") would turn out to be a huge (unaffordable) waste of time.

It all rather boils down to another initiative – to be a bit more practical.

A good sobering reminder about the current situation in AV industry is the following picture:

[Picture not reproduced in this copy. Image Copyright: IKARUS]