Kaspersky: Ransomware is key threat

Russian antivirus expert Eugene Kaspersky believes cybercriminals are losing interest in launching DDoS attacks at big businesses, and want to take your data hostage instead
Written by Graeme Wearden, Contributor on

Online criminals are turning away from threatening companies with massive cyberattacks in favour of encrypting a victim's data and demanding money to release it, an antivirus expert claimed on Tuesday.

Eugene Kaspersky, head of antivirus research at Russia's Kaspersky Labs, told the RSA Conference in San Francisco that the use of so-called "ransomware Trojans" is a key trend for 2007.

This malware infects a PC, encrypts some data, and then displays an alert telling the victim to send money to get the decryption key needed to access their data again. Such malware isn't new. Early examples include Cryzip, discovered in March 2006, and GPCode, discovered in May 2005.

Cryzip and GPCode didn't cause massive damage, but Kaspersky believes that cybercriminals will refine their use of ransomware Trojans this year. The final version of GPCode used a 660-bit encryption key, which should have taken a single powerful PC around 30 years to crack, but was actually broken quickly by Kaspersky Labs, he said.

"We cracked it in 10 minutes, because this guy did not read the cryptographic book until the end," explained Kaspersky. "But if he does get to the end, antivirus vendors will not be able to decrypt and recover your data without help."

Kaspersky also told the conference that distributed denial of service (DDoS) attacks — where a company's servers are bombarded with data in an attempt to drive it offline — are declining. This is partly because better filtering technologies have been developed, which can strip out DDoS traffic before it reaches a corporate server. Another factor is the arrest of several people accused of extorting money from companies by launching a DDoS attack and demanding payment in exchange for stopping the attack.

"This is a dangerous kind of criminal activity, because the attack takes place before the money is transferred," said Kaspersky, explaining that victims of DDoS attacks have the opportunity to get the police involved before paying a ransom. One audience member pointed out that someone who falls victim to a ransomware Trojan could also get the the police involved. However, Kaspersky responded that the police might not be very interested, as the ransom might only be $20 or $30.

Several UK online betting firms, including Betfair, were targeted with DDoS attacks in the summer of 2004. Later that year, nine Russian citizens were arrested over their alleged involvement in the crimes, and three were later sentenced to eight years' imprisonment. However, the two suspected ringleaders are still at large.

Kaspersky is concerned that law enforcement is struggling to catch internet criminals. "In 2004 there were around 100 arrests of suspected cybercriminals. In 2005 there were around 400, but last year there were just 100. It seems that the stupid guys are being jailed, but the clever ones are still operating," he said.

Editorial standards