An underground programmer’s initiative to build better ransomware has some security professionals worried that the software’s popularity among cyber-criminals will continue to rise in 2014.
In December, a programmer using the handle “gyx” posted on Pastebin a description of a malicious software project designed to encrypt and hold hostage the data on a victim’s PC. Dubbed PrisonLocker, and later PowerLocker, the purported program encrypts files with the Blowfish cipher, detects analysis environments and communicates with a custom server to exchange encryption keys.
A series of posts by the programmer describes a potentially pernicious program that would be hard to eradicate, according to screenshots posted by anti-cyber-crime group Malware Must Die.
“If released, this will be more headaches for researchers, industry and law enforcement agencies, so after an internal meeting we decided to disclose it,” the group stated.
Malicious software that holds a victim’s PC or files hostage for payment has become a significant threat over the past two years, beginning with the spread of Reveton in late 2012, and then, in the latter half of 2013, with the arrival of a ransomware program known as CryptoLocker.
While Reveton merely locked the victim’s screen and displayed a message purporting to be from a law enforcement agency, CryptoLocker retrieves a unique encryption key from a criminal’s command-and-control server and uses it to scramble more than 70 different types of files. That key is the public half of a 2048-bit RSA key pair; the private half never leaves the server, so nothing left on the infected machine can undo the encryption. To decrypt the files, the victim must pay a ransom to get the private key from the criminal group.
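The key-handling model described above, written out as an added Go example (this is not code from the article, from CryptoLocker or from PowerLocker; none of their code appears on this page): the victim side receives only an RSA public key, encrypts each file under a fresh random AES key, wraps that AES key with the public key and then discards it. The choice of AES-GCM, RSA-OAEP and an in-memory byte string standing in for a file are this example’s assumptions, not the malware’s actual parameters. What it demonstrates is the point that matters to a responder: with only the public key and the wrapped key on the machine, recovery fails, while the holder of the server’s private key decrypts cleanly.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// WrappedFile is everything that remains on the victim side once a file has
// been processed: the content encrypted under a per-file AES key, and that
// AES key encrypted under the server's RSA public key.
type WrappedFile struct {
	WrappedKey []byte // per-file AES key, RSA-OAEP encrypted to the server
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext with authentication tag appended
}

// ServerKeygen stands in for the command-and-control server creating its
// RSA-2048 key pair. In this model only the public half is ever sent out.
func ServerKeygen() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ClientEncrypt stands in for the victim-side step. It holds nothing but the
// public key, a fresh random AES key for this one file, and the contents.
func ClientEncrypt(pub *rsa.PublicKey, plaintext []byte) (*WrappedFile, error) {
	fileKey := make([]byte, 32) // AES-256 key, unique to this file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// Overwrite the only plaintext copy of the file key. From here on the
	// victim machine holds ciphertext, a nonce and an RSA-wrapped key; the
	// public key it was given cannot unwrap that key.
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &WrappedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// ServerDecrypt stands in for what the ransom buys: the private key unwraps
// the per-file AES key, which then decrypts the content. With any other
// private key, OAEP unwrapping fails and no plaintext is produced.
func ServerDecrypt(priv *rsa.PrivateKey, wf *WrappedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wf.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, wf.Nonce, wf.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, err := ServerKeygen()
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample document, not a real file") // constructed input
	wf, err := ClientEncrypt(&priv.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("victim side holds %d ciphertext bytes and a %d-byte wrapped key\n",
		len(wf.Ciphertext), len(wf.WrappedKey))
	// A second, unrelated key pair models a responder who has the files but
	// not the criminals' private key.
	other, _ := ServerKeygen()
	if _, err := ServerDecrypt(other, wf); err != nil {
		fmt.Println("decryption with a different private key fails:", err)
	}
	back, err := ServerDecrypt(priv, wf)
	if err != nil {
		panic(err)
	}
	fmt.Printf("with the server's private key: %q\n", back)
}
```

The design point for a responder is the asymmetry: families that embed or store a symmetric key locally can sometimes be undone by pulling that key from memory or disk, but in this model the only decryption secret is the private key on the attacker’s server, so restoring from backups, not key recovery, is the realistic path.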
Underground developers’ persistent efforts to create better ransomware were expected, says Harry Sverdlove, chief technology officer for security firm Bit9. CryptoLocker has proved to be a success, resulting in hundreds of thousands, if not millions, of dollars in paid ransoms, according to estimates by security researchers.
“They are learning from the successes and failures of CryptoLocker,” he said.
The posts by “gyx” describe a program that can be configured with variable ransom deadlines, accept multiple payment types and allow customization of the administration server. The programmer planned to sell the program to would-be cyber-criminals for $100.
Malware Must Die, a group of security researchers focused on investigating cyber-criminals and the programs they create, posted more than a dozen screenshots detailing various postings by the author of PowerLocker, as well as clues to the person’s identity. The screenshots were intended to spur law enforcement to act, the group stated. To date, no actual code has been seen by researchers and the program is not in the wild.
An update to Malware Must Die’s blog post suggested that the PowerLocker author may have been taken into custody. A screenshot of a post from an underground forum indicated that the police had raided gyx’s house, but the claim could not yet be verified.