
RSA-4096 ransomware upswing

Wednesday 27 April 2016, 3:18AM

By Primo V.


Ransomware is a buzzword in the IT security domain. It denotes malicious code that makes victims' data suddenly inaccessible and extorts money for its return. The online criminals behind these campaigns are continuously refining their skills and adopting new techniques to make the attacks increasingly sophisticated.

For instance, the operators of the TeslaCrypt file-encrypting Trojan have recently begun using an extremely strong encryption standard called RSA-4096. It is a public-key cryptosystem in which one key is used to encrypt data and a different key is required to decrypt it. A 4096-bit key is far too large to brute-force by any commonplace means, which leaves infected Windows users with a dilemma: pay the ransom or lose their important files.

Not only does TeslaCrypt version 4.0 infect individual computers, but it can also contaminate business machines and propagate across a large enterprise network in a matter of hours. The likely entry point is human curiosity: the user receives an email and unknowingly executes the malicious payload by extracting an attached archive. Some known incidents have involved exploit kits that abuse security loopholes on the victim's PC, usually an outdated Java or Adobe Reader installation.

Having scanned the infected machine and network shares for personal files with common extensions, the malware applies RSA-4096 to encrypt the detected objects. The private RSA key is sent to the criminals' remote C2 server, so it is nowhere to be found on the computer. The victim can obtain this key only by sending about 1 BTC to the extortionists through a decryption service site accessible with the Tor browser.

Of course, no one is willing to give in to the perpetrators and pay up, but sometimes that is the only option for getting the frozen files back. If a backup is available in the cloud or on an external storage device, the user can simply remove TeslaCrypt itself and recover the data with little effort. If there is no backup, a few helpful techniques include the use of forensic software and the Volume Shadow Copy Service to recover previous file versions. Instructions: http://linkmailer.de/viren/rsa-4096
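The Volume Shadow Copy recovery mentioned above, as an added example that is not part of the article or of any linked instructions: the script lists the shadow copies that still exist for a volume and copies a file out of the newest snapshot. It assumes an elevated PowerShell prompt and that shadow copies survived the infection; the volume, file path and restore folder are placeholders.

```powershell
# Added example: restore a pre-encryption file version from the newest shadow copy.
param(
    [string]$Volume           = 'C:\',                                # placeholder
    [string]$FileRelativePath = 'Users\alice\Documents\report.docx',  # placeholder
    [string]$RestoreTo        = 'C:\Recovered'                        # placeholder
)

# Map the drive letter to its \\?\Volume{GUID}\ identifier, which is what
# Win32_ShadowCopy.VolumeName contains.
$vol = Get-CimInstance Win32_Volume | Where-Object { $_.Name -eq $Volume }
if (-not $vol) { throw "Volume $Volume not found" }

# Shadow copies of that volume, newest first.
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate -Descending
if (-not $shadows) { throw "No shadow copies exist for $Volume" }

Write-Host "Shadow copies for ${Volume}:"
foreach ($s in $shadows) { Write-Host ("  {0}  {1}" -f $s.InstallDate, $s.DeviceObject) }

# A snapshot's device object is only browsable through a directory symlink whose
# target ends with a backslash; mklink is used because New-Item cannot target it.
$link   = Join-Path $env:TEMP 'vss_newest'
$target = $shadows[0].DeviceObject + '\'
if (Test-Path $link) { cmd /c rmdir "$link" | Out-Null }
cmd /c mklink /d "$link" "$target" | Out-Null

try {
    $src = Join-Path $link $FileRelativePath
    if (Test-Path $src) {
        New-Item -ItemType Directory -Force -Path $RestoreTo | Out-Null
        Copy-Item -Path $src -Destination $RestoreTo
        Write-Host "Restored $FileRelativePath from snapshot dated $($shadows[0].InstallDate)"
    } else {
        Write-Host "File not present in the newest snapshot; try an older one from the list"
    }
} finally {
    # Remove the symlink so the snapshot is not left exposed on disk.
    cmd /c rmdir "$link" | Out-Null
}
```

Compare the restored copy against the encrypted one before overwriting anything, and prefer an older snapshot if the newest already postdates the infection.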