
'Encrypted data blackmails to be key trend this year...'
Published: 7 February 2007 15:40 GMT
Online criminals are turning away from threatening companies with massive cyber attacks in favour of encrypting a victim's data and demanding money to release it, an antivirus expert has claimed.
Eugene Kaspersky, head of antivirus research at Russia's Kaspersky Labs, told the RSA Conference in San Francisco the use of so-called "ransomware Trojans" is a key trend for 2007.
This malware infects a PC, encrypts some data, and then displays an alert telling the victim to send money to get the decryption key needed to access their data again. Such malware isn't new. Early examples include Cryzip, discovered in March 2006, and GPCode, discovered in May 2005.
Cryzip and GPCode didn't cause massive damage but Kaspersky believes cyber criminals will refine their use of ransomware Trojans this year. The final version of GPCode used a 660-bit encryption key, which should have taken a single powerful PC around 30 years to crack but was actually broken quickly by Kaspersky Labs, he said.
Kaspersky explained: "We cracked it in 10 minutes, because this guy did not read the cryptographic book until the end. But if he does get to the end, antivirus vendors will not be able to decrypt and recover your data without help."
He also told the conference that distributed denial of service (DDoS) attacks - where a company's servers are bombarded with data in an attempt to drive it offline - are declining. This is partly because better filtering technologies have been developed, which can strip out DDoS traffic before it reaches a corporate server. Another factor is the arrest of several people accused of extorting money from companies by launching a DDoS attack and demanding payment in exchange for stopping the attack.
Kaspersky said: "This is a dangerous kind of criminal activity, because the attack takes place before the money is transferred," explaining that victims of DDoS attacks have the opportunity to get the police involved before paying a ransom. One audience member pointed out that someone who falls victim to a ransomware Trojan could also get the police involved. However, Kaspersky said the police might not be very interested, as the ransom might only be $20 or $30.
Several UK online betting companies, including Betfair, were targeted with DDoS attacks in the summer of 2004. Later that year, nine Russian citizens were arrested over their alleged involvement in the crimes, and three were later sentenced to eight years' imprisonment. However, the two suspected ringleaders are still at large.
Kaspersky is concerned that law enforcement is struggling to catch internet criminals. "In 2004 there were around 100 arrests of suspected cyber criminals. In 2005 there were around 400 but last year there were just 100. It seems that the stupid guys are being jailed but the clever ones are still operating," he said.
Graeme Wearden writes for ZDNet UK
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.