The ransomware strikes back

Ciprian Oprisa, Bitdefender
George Cabau, Bitdefender
Andrea Takacs, Bitdefender


It has been 24 years since the PC Cyborg trojan scrambled file names and demanded a ransom in return for restoring them. Since then, cybercriminal minds have engineered new methods for generating financial revenue. This paper presents the evolution of ransomware and the methods it uses.

An analysis of over 2,000 samples, collected over the course of more than two years, shows that this is a serious threat for everyone. The analysis also shows a tendency to re-use the same techniques over and over, because they still work.

Some of the most popular ransomware families lock the user's screen and demand a fee for unlocking it. This technique is combined with social engineering tricks such as pretending to be the 'Internet Police' and fining the user for improper use of their computer.

We also analysed more dangerous malware that encrypts the user's personal files. Although some of these samples use strong cryptographic algorithms (e.g. AES-256), we will show some of the mistakes their authors have made. These mistakes allow us to decrypt the files without paying the ransom. There are also samples that use cryptography properly, making decryption almost impossible. We will see that cryptography is a powerful weapon, but one that can cut both ways.

In conclusion, this paper aims to make users aware of the necessity of data backups as a good defence in this kind of situation.

VB2013 takes place 2-4 October 2013 in Berlin, Germany.
