January 8, 2014
Experts Warn Of Next Generation Of Ransomware
redOrbit Staff & Wire Reports - Your Universe Online
The news was disclosed last Friday in a blog post by a volunteer group of anti-malware security researchers known as Malware Must Die (MMD), who discovered the threat while monitoring chatter on underground hacker forums that revealed the malware's purported features and functionality.
"Malware bad actors just keep on coding and developing new threats with the stupid dream to get rich soon in their stupid heads," MMD said in their blog post. The group published a series of screenshots of several forum messages describing the malware's alleged features at various stages of completion, as well as its planned price.
In a December 19 posting to Pastebin, PowerLocker's developer, who wrote under the name "gyx," said his malware used the Blowfish symmetric-key block cipher to encrypt all personal data stored on a PC, and then encrypted the Blowfish keys themselves with 2048-bit RSA.
"A unique BlowFish key is generated for each file. That BlowFish key is then encrypted with an RSA key specific to the PC, then the RSA block is stored with the file to be decrypted later," read the post.
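The scheme described above, a per-file symmetric key wrapped with a per-victim RSA key, means nothing left on the infected host can recover the data once encryption finishes; a defender's leverage is catching the bulk rewrite of documents early and restoring from backups. The following Python is an added example, not code from the article or from MMD: it flags user documents whose entropy jumps from structured to ciphertext-like between two snapshots, using the earlier copy as a baseline so already-compressed files are not false positives (all paths and file contents are constructed).

```python
import math
from collections import Counter
from hashlib import sha256

ENTROPY_THRESHOLD = 7.5  # bits per byte; Blowfish/RSA output sits close to 8.0
ALERT_RATIO = 0.5        # fraction of documents that must flip before alerting

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or constant input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flipped_to_ciphertext(before: bytes, after: bytes) -> bool:
    """True when a structured, low-entropy file now reads as ciphertext. The
    earlier copy is the baseline, so JPEG/ZIP files (high-entropy by nature)
    are not reported as encrypted."""
    return (shannon_entropy(before) < ENTROPY_THRESHOLD
            and shannon_entropy(after) >= ENTROPY_THRESHOLD)

def scan_snapshots(before: dict, after: dict) -> dict:
    """Compare two {path: bytes} snapshots of user documents; return the paths
    that flipped to ciphertext, the affected fraction and an alert flag."""
    common = sorted(set(before) & set(after))
    suspects = [p for p in common if flipped_to_ciphertext(before[p], after[p])]
    ratio = len(suspects) / len(common) if common else 0.0
    return {"suspects": suspects, "ratio": ratio, "alert": ratio >= ALERT_RATIO}

def pseudo_ciphertext(label: bytes, size: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file
    (constructed from SHA-256 output, not real Blowfish ciphertext)."""
    blocks = (sha256(label + i.to_bytes(4, "big")).digest()
              for i in range(size // 32 + 1))
    return b"".join(blocks)[:size]

# Constructed snapshots: photo.jpg is high-entropy in both copies (must not be
# flagged); report and budget turn into ciphertext (must be flagged).
BEFORE = {
    "C:/Users/alice/report.docx": b"Quarterly report: revenue rose 4%.\n" * 60,
    "C:/Users/alice/budget.xlsx": b"Q1,1200\nQ2,1350\nQ3,1100\nQ4,1500\n" * 60,
    "C:/Users/alice/photo.jpg": pseudo_ciphertext(b"jpeg", 4096),
}
AFTER = {
    "C:/Users/alice/report.docx": pseudo_ciphertext(b"report", 4096),
    "C:/Users/alice/budget.xlsx": pseudo_ciphertext(b"budget", 4096),
    "C:/Users/alice/photo.jpg": BEFORE["C:/Users/alice/photo.jpg"],
}

if __name__ == "__main__":
    print(scan_snapshots(BEFORE, AFTER))
```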
Other PowerLocker features described include a customizable time period before the bot uninstalls itself, the ability to tailor the name and location of the malware file dropped during the infection, and the amount of money demanded by the ransomware before the data will be decrypted. Cyber attackers would be able to receive related payments via Bitcoin, Ukash and Paysafe.
"The bot has an HTTP panel which will be used to control slaves and receive payment codes entered by slaves," wrote the developer. "You can either approve or deny - resetting the removal clock duration, specified by you during purchase - a payment code, and then the unlock/decrypt files on the PC - identified by its IP."
According to the blog post, the advertised price of PowerLocker is $100, payable in bitcoins. Future "rebuilds," or upgrades, will be available for $25, while an innocent-looking "ghost panel" that can be used to disguise the underlying malware will sell for $20.
MMD said its decision to go public with the intelligence it has gathered on PowerLocker and its developer was not an attempt to instill ransomware fear, uncertainty and doubt. Rather, the group hopes that law enforcement agencies and national computer emergency response teams will initiate investigations to stop PowerLocker before it causes any damage.
If released, PowerLocker will "be more [of a] headache for researchers, industry and law enforcement agencies," the group cautioned. "So ... we decided to disclose it."
Bogdan Botezatu, a senior e-threat analyst at antivirus firm Bitdefender, told InfoWorld that the new PowerLocker malware program adds extra layers of sophistication to a family of threats that is already hard to combat.
"From the malware's description, it looks like its creator has blended CryptoLocker with the FBI ransomware [ransomware impersonating the FBI and other law enforcement agencies] to create a two-layer lock: the desktop lock and the file encryption," he said.
Another important difference between CryptoLocker and PowerLocker is that PowerLocker will apparently be sold as a bundle to other cybercriminals.
"While CryptoLocker was tailor-made for a select group of individuals, the PowerLocker as they call it is a tool that would be available for purchase, thus making any script-kiddie a potential attacker," he said. "If it is real, we expect it to hit really hard."
Botezatu said he expects similar malware programs to be developed and used in 2014.
"Trojans like GPcode have set the standard for commercial ransomware, while the ROI [return on investment] rates of the FBI Trojan and CryptoLocker have probably incentivized other cybercriminal groups into joining the ransomware pack," he said.
"Ransomware is easy money and that's what cybercriminals are after."
Indeed, law enforcement agencies have been overwhelmed by complaints about ransomware, as well as confessions from victims who have paid to retrieve their data.
Most current malware exploits vulnerabilities in popular software such as Java and Flash Player, and experts say it is critical that people routinely update their applications to prevent infection with ransomware and other threats. Regularly backing up important data to a different computer is also essential for recovering files in case of a ransomware infection.