Feeds

Ransomware author tracked down, but not nicked

Is Russia soft on cybercrime?

5 things you didn’t know about cloud backup

The Russian VXer who created the infamous Gpcode ransomware Trojan has been identified - but an early arrest isn't likely.

With cybercrime way down the priority list in Russia, the malware author - known to the police after security firm Kaspersky Labs winkled out a likely IP number for him - is liable to remain at large for some time.

The malicious code for which the suspect is wanted first materialised two years ago. Variants of Gpcode encrypt user files (word documents, spreadsheets, images and the like) on infected PCs using an encryption algorithm. Once the malware scrambles files, it is programmed to generate a text message in directories taunting victims that they need to pay for a "decryption utility" in order to see their files again. The scam attempts to extort between $100-200 from victims, typically payable through an e-gold account.

Since the Trojan's first appearance, variants of Gpcode have used progressively stronger encryption, culminating in a 1024-bit RSA key variant. It spurred the launch of a controversial code-cracking challenge by Russian security firm Kaspersky Labs back in June.

Brute force attacks against data scrambled using encryption of such strength are impractical, so the best advice is the twin track approach of backing up sensitive data and taking steps to avoid getting infected in the first place. Earlier versions of the malware, by contrast, have used custom encryption utilities that could be broken or made cryptographic errors that allowed at recovery of some (if not most) scrambled files. For example, one variant simply deleted user files.

Kaspersky Labs was recently contacted by someone claiming to offer a decryption tool for the latest variant of the malware, Techworld reports. This tool turned out to be genuine, establishing that the scammer had access to the master keys used by the malware. This, in turn, prompted Kaspersky analysts to search for the IP address of the author.

Although he used compromised machines and proxies, enough circumstantial evidence was obtained in order to pin down a probable suspect in Russia. Techworld reports that no action has been taken as yet.

Nobody from Kaspersky familiar with the investigation into the author of Gpcode was available for immediate comment. It may well be that they are over in Ottawa, Canada for the annual Virus Bulletin conference this week.

Safe haven for cybercrims?

Political relations between the West and Russia have deteriorated over recent times, particularly since the armed conflict between Georgia and Russia back in August. Our understanding, speaking to security experts at the likes of Kaspersky and iDefense, is that cybercrime which targets Westerners is tolerated by the authorities. It's certainly not treated as much of a law enforcement priority.

The notorious cybercrime hosting outfit Russian Business Network (RBN), for example, was brought down via pressure from ISPs, not law enforcement action.

Rick Howard, director of intelligence at iDefense, the security analysis arm of VeriSign, explained: "RBN is defunct in its old form. It withered under pressure and was unable to find people prepared to give it upstream links to the internet.

"The group had political connections in Russia and didn't feel the need to hide themselves, which proved their undoing - but we're not naive enough to think they went away."

Whether the RBN itself - or just its clients - was doing anything wrong under Russian law is perhaps open to debate, if you're feeling charitable. Other groups, such as Klik Revenue, a Russian-based outfit that allegedly pushes rogue anti-spyware apps, are able to operate without hassle from the cops suggesting a lack of enforcement action on cybercrime may be a general problem in Russia not confined to the Gpcode case.

On the other hand, Russian FSB officers managed to find and arrest the authors of the notorious 'Pinch' Trojans back in December 2007, so perhaps we're unfairly maligning Russia's hardworking cybercops. Going further back, the FSB co-operated with the former NHTCU to arrest and prosecute hackers suspected of blackmailing online bookies with denial of service attacks.

Our understanding, talking to security experts, is that the Russian constitution make no provision for extradition. So even if the Gpcode varmint is caught, he's very unlikely to face the inconvenience of a prosecution outside Russia.

More on the hunt for the miscreant or miscreants behind the malware can be found via Techworld here. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.