|This article is part of a series on|
Cryptovirology is a field that studies how to use cryptography to design powerful malicious software. The field was born with the observation that public-key cryptography can be used to break the symmetry between what an antivirus analyst sees regarding malware and what the attacker sees. The antivirus analyst sees a public key contained in the malware whereas the attacker sees the public key contained in the malware as well as the corresponding private key (outside the malware) since the attacker created the key pair for the attack. The public key allows the malware to perform trapdoor one-way operations on the victim's computer that only the attacker can undo.
The first attack that was identified by Adam L. Young and Moti Yung in the field is called "cryptoviral extortion" and it was presented at the 1996 IEEE Security & Privacy conference. In this attack a cryptovirus, cryptoworm, or cryptotrojan contains the public key of the attacker and hybrid encrypts the victim's files. The malware prompts the user to send the asymmetric ciphertext to the attacker who will decipher it and return the symmetric decryption key it contains for a fee. The victim needs the symmetric key to get the files back if there are no backups of them. Many years later the media relabeled this attack as ransomware. In 2016 cryptovirology attacks on healthcare providers reached epidemic levels prompting the U.S. Department of Health and Human Services to issue a Fact Sheet on Ransomware and HIPAA. The fact sheet states that when electronic protected health information is encrypted by ransomware a breach has occurred and the attack therefore constitutes a disclosure that is not permitted under HIPAA. The rationale being that an adversary has taken control of the information. This expansion of the term "breach" to account for cryptoviral extortion is monumental since now a "breach" can happen even when sensitive data never leaves the victim organization. California enacted a law that defines the introduction of ransomware into a computer system with the intent of extortion as being against the law. This is SB-1137 that amends Section 523 of the Penal Code.
The field also encompasses covert malware attacks in which the attacker securely steals private information such as symmetric keys, private keys, PRNG state, and the victim's data. Examples of such covert attacks are asymmetric backdoors. An asymmetric backdoor is a backdoor (e.g., in a cryptosystem) that can be used only by the attacker, even after it is found. This contrasts with the traditional backdoor that is symmetric, i.e., anyone that finds it can use it. Kleptography, a subfield of cryptovirology, is the study of asymmetric back doors in key generation algorithms, digital signature algorithms, key exchanges, pseudorandom number generators, encryption algorithms, and other cryptographic algorithms. The NIST Dual EC DRBG random bit generator has an asymmetric backdoor in it. The EC-DRBG algorithm utilizes the discrete-log kleptogram from Kleptography which by definition makes the EC-DRBG a cryptotrojan. Like ransomware, the EC-DRBG cryptotrojan contains and uses the attacker's public key to attack the host system. A highly respected cryptographer, Ari Juels, indicated that NSA effectively orchestrated a kleptographic attack on users of the Dual EC DRBG pseudorandom number generation algorithm and that, although security professionals and developers have been testing and implementing kleptographic attacks since 1996, "you would be hard-pressed to find one in actual use until now". Due to public outcry of this cryptovirology attack, NIST rescinded the EC-DRBG algorithm from the NIST SP 800-90 standard.
Covert information leakage attacks carried out by cryptoviruses, cryptotrojans, and cryptoworms that, by definition, contain and use the public key of the attacker is a major theme in cryptovirology. In "deniable password snatching" by Young and Yung IEEE S&P 1997, a cryptovirus installs a cryptotrojan that asymmetrically encrypts host data and covertly broadcasts it. This makes it available to everyone, noticeable by no one (except the attacker), and only decipherable by the attacker. An attacker caught installing the cryptotrojan claims to be a virus victim. An attacker observed receiving the covert asymmetric broadcast is one of thousands if not millions of receivers and exhibits no identifying information whatsoever. The cryptovirology attack achieves "end-to-end deniability". It is a covert asymmetric broadcast of the victim's data. Cryptovirology also encompasses the use of private information retrieval to allow cryptoviruses to search for and steal host data without revealing the data searched for even when the cryptotrojan is under constant surveillance. By definition such a cryptovirus carries within its own coding sequence the query of the attacker and the necessary PIR logic to apply the query to host systems.
There has been a long-standing misconception that cryptovirology is mostly about extortion attacks (overt attacks). In fact, the vast majority of cryptovirology attacks are covert in nature. This misconception began to fade in 2013 after whistleblowing revealed that the Dual EC DRBG is a cryptovirology attack that covertly leaks the internal state of the pseudorandom number generator.
Cryptovirology was born in academia. It is an investigation into how modern cryptographic paradigms and tools can be used to strengthen, improve, and develop new malicious software (malware) attacks. Cryptovirology extends beyond finding protocol failures and design vulnerabilities. It is a forward-engineering discipline that can be used for attacking rather than defending.
A "questionable encryption scheme", which was introduced by Young and Yung, is an attack tool in cryptovirology. Informally speaking, a questionable encryption scheme is a public key cryptosystem (3-tuple of algorithms) with two supplementary algorithms, forming a 5-tuple of algorithms. It includes a deliberately bogus yet carefully designed key pair generation algorithm that produces a "fake" public key. The corresponding private key (witness of non-encryption) cannot be used to decipher data "encrypted" using the fake public key. By supplying the key pair to an efficient verification predicate (the 5th algorithm in the 5-tuple) it is proven whether the public key is real or fake. When the public key is fake, it follows that no one can decipher data "enciphered" using the fake public key. A questionable encryption scheme has the property that real public keys are computationally indistinguishable from fake public keys when the private key is not available. The private key forms a poly-sized witness of decipherability or indecipherability, whichever may be the case.
An application of a questionable encryption scheme is a trojan that gathers plaintext from the host, "encrypts" it using the trojan's own public key (which may be real or fake), and then exfiltrates the resulting "ciphertext". In this attack it is thoroughly intractable to prove that data theft has occurred. This holds even when all core dumps of the trojan and all the information that it broadcasts is entered into evidence. An analyst that jumps to the conclusion that the trojan "encrypts" data risks being proven wrong by the malware author (e.g., anonymously).
When the public key is fake, the attacker gets no plaintext from the trojan. So what's the use? A spoofing attack is possible in which some trojans are released that use real public keys and steal data and some trojans are released that use fake public keys and do not steal data. Many months after the trojans are discovered and analyzed, the attacker anonymously posts the witnesses of non-encryption for the fake public keys. This proves that those trojans never in fact exfiltrated data. This casts doubt on the true nature of future strains of malware that contain such "public keys", since the keys could be real or fake. This attack implies a fundamental limitation on proving data theft.
There are many other attacks in the field of cryptovirology that are not mentioned here.
Examples of viruses with cryptography and ransom capabilities
While viruses in the wild have used cryptography in the past, the only purpose of such usage of cryptography was to avoid detection by antivirus software. For example, the tremor virus used polymorphism as a defensive technique in an attempt to avoid detection by anti-virus software. Though cryptography does assist in such cases to enhance the longevity of a virus, the capabilities of cryptography are not used in the payload. The One-half virus was amongst the first viruses known to have encrypted affected files. However, the One_half virus was not ransomware, that is it did not demand any ransom for decrypting the files that it has encrypted. It also did not use public key cryptography. An example of a virus that informs the owner of the infected machine to pay a ransom is the virus nicknamed Tro_Ransom.A. This virus asks the owner of the infected machine to send $10.99 to a given account through Western Union.
Virus.Win32.Gpcode.ag is a classic cryptovirus. This virus partially uses a version of 660-bit RSA and encrypts files with many different extensions. It instructs the owner of the machine to email a given mail ID if the owner desires the decryptor. If contacted by email, the user will be asked to pay a certain amount as ransom in return for the decryptor.
Creation of cryptoviruses
To successfully write a cryptovirus, a thorough knowledge of the various cryptographic primitives such as random number generators, proper recommended cipher text chaining modes etc. are necessary. Wrong choices can lead to poor cryptographic strength. So, usage of preexisting routines would be ideal. Microsoft's Cryptographic API (CAPI), is a possible tool for the same. It has been demonstrated that using just 8 different calls to this API, a cryptovirus can satisfy all its encryption needs.
Other uses of cryptography-enabled malware
Apart from cryptoviral extortion, there are other potential uses of cryptoviruses. They are used in deniable password snatching, used with cryptocounters, used with private information retrieval and used in secure communication between different instances of a distributed cryptovirus.
- A. Young, M. Yung. "Cryptovirology: Extortion-Based Security Threats and Countermeasures". IEEE Symposium on Security & Privacy, May 6–8, 1996. pp. 129–141. IEEEExplore: Cryptovirology: extortion-based security threats and countermeasures
- "FACT SHEET: Ransomware and HIPAA" (PDF). HHS. Retrieved 22 July 2016.
- Larry Greenemeier (18 September 2013). "NSA Efforts to Evade Encryption Technology Damaged U.S. Cryptography Standard". Scientific American.
- "NIST Removes Cryptography Algorithm from Random Number Generator Recommendations". National Institute of Standards and Technology. 21 April 2014.
- A. Young, M. Yung (2004). Malicious Cryptography: Exposing Cryptovirology. Wiley. ISBN 0-7645-4975-8.
- Young, Adam; Yung, Moti (2006). "Cryptovirology FAQ". Retrieved July 3, 2015.
- F-Secure virus descriptions: Tremor
- Symantec security response: One_Half
- Sophos security analyses: Troj_Ransom.A
- Viruslist: Virus.Win32.Gpcode.ag
- A. Young. "Cryptoviral Extortion Using Microsoft's Crypto API". International Journal of Information Security, Volume 5, Issue 2, April 2006. pp. 67–76. SpringerLink: Cryptoviral extortion using Microsoft's Crypto API
- Cryptovirology Labs - site maintained by Adam Young and Moti Yung
- Cryptography and cryptovirology articles at VX Heavens
- Cryzip Trojan Encrypts Files, Demands Ransom
- Can a virus lead an enterprise to court?
- A student report entitled Superworms and Cryptovirology
- Next Virus Generation: an Overview (cryptoviruses) by Angelo P. E. Rosiello