What should be the optimal crypto-strength for CryptoLocker?

I am in a love-hate relationship with CryptoLocker.

 

I hate it because it is a nasty piece of malware that takes victims’ data hostage. As a person who spends most of the waking hours at the keyboard, the data on my computer is priceless to me. I have been through several data losses from hard-drive failures, and the impact is just devastating. Adding insult to injury, with CryptoLocker there is a sliver of hope that some untrustworthy crook is holding the key to recover the “lost” data. I am not sure whether this hope is a blessing or a curse.

 

On the other hand, I have to admit that I understand why the crypto-crooks are using industrial-grade asymmetric cryptography. Asymmetric cryptography fits the bill perfectly by eliminating storage management and bandwidth costs, and even by keeping the victim’s data private by not moving it out onto some unknown cloud drop zone, where there is no guarantee that the data won’t be used for a secondary purpose.

 

So, here is an uncomfortable thought: Could it be made better?! And to whose benefit?

 

 

 

CryptoLocker: The basics

 

 


 

In concept, CryptoLocker is a rather simple and old-fashioned type of criminal activity: an extortion or ransom scheme. The crooks kidnap your data, and promise to release it upon receipt of a ransom payment, usually around 300 USD or EUR. CryptoLocker and its ilk differ from botnets or banking Trojans, which engage in theft rather than extortion. Because CryptoLocker is an extortion scheme, victims are affected on numerous levels:

 

  • Monetary loss is possible. (Overall, this is usually the least of the problems.)
  • Months and even years’ worth of work documents and/or family photos could be at stake.
  • As with any ransom case, the daily life of the victim is interrupted by the dilemma, as victims are not sure how to deal with these crypto-crooks.

  • The victim may feel powerless, since recovering the data is at the mercy of the crypto-crooks.

  • The victim may feel regret that they should have backed up the data more regularly.

  • If the data is not recovered, the victim will likely go through the five stages of coping with loss: denial, anger, bargaining, depression and acceptance.

 

So that we’re clear: I don’t approve of CryptoLocker. There are many other ways to make money, legally or even illegally. But extortion should not be on that list. Regardless of how it should be or should not be, as long as this extortion scheme has a valid mechanism of making money, along with the rise of black-market-friendly currencies such as Bitcoin, these crypto-crooks are not going to stop any time soon. In the meantime, “just don’t pay up” might be easy advice to give, but it would be difficult advice to follow for those whose valuable data has been taken hostage.

 

Even in this mess of pure evil, there is one aspect of the crime that I appreciate as a technologist; they’re using the right kind of tools to commit their crime of choice. Let me explain, and then let me suggest how they could choose even more wisely – for the benefit of both themselves and their victims.

 

Using an analogy from physical-world kidnapping, the CryptoLocker crooks could have exfiltrated the victim’s data, then promised to provide a link where the victim could download the data again upon payment of the ransom. That method of moving data back and forth has several drawbacks regarding confidentiality, integrity and availability:

 

  • It generates large amounts of traffic on the network, which could trigger network monitors. The data could furthermore get corrupted in transit. And, even the data retrieved back cannot be fully trusted.

  • The attacker has to maintain cloud storage that, due to the size of the space necessary, would not be free.

  • Once the data has left the victim’s machine, its confidentiality could be breached. The attackers could not guarantee that the data hasn’t been brokered to third parties.

For these reasons, it’s best for the would-be extortionist and for the victim if the data stays on the victim's computer. Cryptography is a perfect tool for it -- especially asymmetric cryptography, where the encryption key is different from the decryption key. A wheel clamp is a good analogy, because you still have physical access to the data, but not in a form in which you can use it -- you’ll need a key from the CryptoLocker crooks to unlock the “wheel clamp.”

 

 

 

 

 

Image courtesy upload.wikimedia.org/wikipedia/commons/thumb/4/42/2009-02-26_Wheel_clamp_on_Hummer.jpg/320px-2009-02-26_Wheel_clamp_on_Hummer.jpg

 

 

CryptoLocker’s choice of a “wheel clamp” is the 2048-bit RSA cryptosystem. RSA provides some of the best cryptography that the industry has to offer, and 2048-bit is industry standard these days. There is no easy way to decrypt the data without the private key. This is a good thing because it is the same encryption standard we use for online banking and ecommerce – in other words, an all but insurmountable challenge to break. (The RSA Factoring Challenge offers a $200,000 USD prize on factoring it, and no one is close to winning.)

 

We’ve established that the CryptoLocker crooks have chosen technology that keeps victims’ data relatively safe (on their own machines) while making it next to impossible for anyone but the crooks to release the data captured as hostage. It’s sound thinking, but could they have chosen even more wisely? It’s an uncomfortable train of thought, but there might be a better way to align the interests of attackers and victims. To find it, let’s look at the economics of the CryptoLocker ransom.

 

 

 

The economics of CryptoLocker

 

The economics of ransom is different from those of the normal market economy.

 

In a normal market economy, there are multiple buyers and multiple sellers; prices are determined in large part by direct interactions between the two. Similarly, in the cyber-criminal world, there is a market price for credit card numbers, online banking passwords, and email passwords; the price is determined by supply and demand and potential profit margin, and the stolen data is brokered to different cybercriminal groups. These cybercriminal activities depend critically on the victim being unaware that their system or data has been compromised. The longer the victim does not know their confidential data has been compromised, the better it is for the attackers. Moreover, the victim is never in the position of direct interaction with the criminals. Thus, criminals have zero interest in forming a trust relationship with the victim.

 

In the ransom (extortion) scenario, there is only one buyer and one seller, with the victim in the buyer role, and the CryptoLocker crooks with the decryption key in the seller role. It is effectively a monopoly situation – a “seller’s market” -- and the seller can charge any amount he pleases. The seller even knows that the buyer wants to buy. Yet, cash is king. Since there is only one prospective buyer, it is also a “buyer’s market”.  Until the transaction is completed, the victim still holds the decision making power, and the seller must cater to the buyer's needs.

 

In the case of CryptoLocker, the victim seeks two assurances from the extortionists:

  • Is the data really safe? Since the data is still stored in the victim's hard drive, the victim can be somewhat confident that the data is not destroyed. But, the victim is still not certain he will get a functional decryption key upon payment of the ransom.

  • Is the ransom amount fixed? CryptoLocker’s demand is presented to the victim as a fixed ransom amount. However, the crypto-crooks’ ultimate goal is short-term profit maximization. The best economic strategy of the seller would be to increase the price subsequently; thus, the claim that the ransom price is fixed cannot be trusted. On the other side of the transaction, even if the victim is willing to pay the initial price, his optimal strategy is to not reveal how much he is willing to pay and to delay payment somewhat, to keep from seeming too eager to part with the first amount requested.

As you see, in order for any transaction of this nature to go through, there needs to be some sort of "trust" between the two parties. Of course, there is inherently no trust of crypto-crooks, because these people are the cause of the problem to begin with. This lack of trust and lack of true market economy causes lots of unnecessary friction and delay and abuse as the two parties walk through the decision tree described above.

 

So, game theory alone doesn’t guide us well in dealing with CryptoLocker extortion. Let’s add risk management principles to the mix. Where does that $300 figure come from, anyway? It’s interesting to see how the crypto-crooks have come up with the $300 number for the ransom amount, and 2048-bit RSA for the crypto strength.

 

In a simplistic view, there are only two possible variables in a CryptoLocker extortion attempt: ransom amount and crypto-strength. Let’s take those in order.

 

 

Ransom amount

 

The ransom ceiling – how much the victim is willing to pay to regain access to the data – is determined by how much the data is worth to the victim. It is not an easy task to measure how much personal data is worth, but a ballpark number for the perceived worth of the victim’s data would give a ceiling for the ransom payment.

 

One way to approach price-setting for data is to look at how much some of the legitimate online services charge to store the data.   

 

| Name               | Size  | Price   |
|--------------------|-------|---------|
| Microsoft OneDrive | 1TB   | $60/yr  |
| Google Drive       | 1TB   | $120/yr |
| DropBox            | 200GB | $200/yr |
| Box                | 100GB | $60/yr  |

 

 

Why do users decide to pay for services such as these? When paying for backup, users are generally trying to avoid data loss. There are two main categories of data loss: hardware failure and human factors (lost, stolen, or damaged machines). Since human factors vary greatly, we will just calculate hardware failure, which is easier to predict, and extrapolate from that result.

 

For the hardware failure rate, studies show that around 2% of hard drives fail per year. SSD drives and laptop drives might have different failure rates, but it’s all in the same ballpark. As we see above, most online backup services charge about $100/year. We can plug these two numbers into a familiar formula used for insurance premiums: insurance premium = value of the data * chance of loss. Using

 

$100 per year = value of the data * 2% per year

 

puts the value of an average user’s data at around $5000 a year.

 

Therefore, if your data is worth more than $5000 to you, you should pay for online storage service, simply based on the hardware failure rate. (If your data is worth less than that, try to get the most value from the free online storage services.) If you add human factors into the increased chance of loss, then the trigger line for value of the data goes down further below $5000.

 

There are additional factors for those considering cloud storage -- the convenience of accessing your files anywhere is a benefit, while the additional risk of data leakage is a detriment (except for wise users, who encrypt their data on the client side before transferring it to the cloud!) -- but the $5000 number is a fair ballpark of how much your data is worth.

 

Now that we know that, for those who think the data is worth less than $5000, the ransom amount of $300 makes some sense. Next, let’s see how the strength of the cryptography in use affects the relationship between victim and extortionist.

 

 

Crypto-strength

 

As mentioned, CryptoLocker uses 2048-bit RSA encryption, some of the strongest available. However, given enough time and computing power, every cryptosystem can be broken. It just takes a really really long time to crack 2048-bit RSA – calculated to be somewhere on the order of the age of the universe using a normal computer. For a ransom of $300, do they really need to use 2048-bit RSA? How would the math change if CryptoLocker’s keepers used relatively weaker 512-bit RSA encryption?

 

We can use the current Amazon EC2 price as a standard computing price to figure out just how much it would cost to crack the CryptoLocker encryption rather than pay the ransom. EMC, who manages the RSA specification, has published a cost-based security analysis of various key lengths. Taking the metrics EMC provides for its 512-bit RSA example (300 machines, 400 MHz, two months) and converting them to 2.8GHz EC2 instances at $0.05 per core per hour, a rough estimate of the cost to crack 512-bit RSA is ~$3000.
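The two estimates above (the insurance-style data value and the ~$3000 factoring cost) reproduced as an added example; it is not code from the original post or from EMC. Extending the cost to other key sizes with the heuristic GNFS running time, the 730-hour month and the linear clock-speed scaling are assumptions of this example.

```python
import math

# Figures quoted on the page.
PREMIUM_USD_PER_YEAR = 100     # typical online backup price
DRIVE_FAILURE_RATE = 0.02      # ~2% of hard drives fail per year
RANSOM_USD = 300
EC2_USD_PER_CORE_HOUR = 0.05   # price of one 2.8 GHz core
HOURS_PER_MONTH = 730          # assumption: average month length


def data_value_usd(premium=PREMIUM_USD_PER_YEAR, loss_rate=DRIVE_FAILURE_RATE):
    """Invert premium = value of the data * chance of loss."""
    return premium / loss_rate


def baseline_core_hours(machines=300, mhz=400, months=2, target_mhz=2800):
    """512-bit effort (300 machines, 400 MHz, two months) rescaled
    linearly by clock speed into 2.8 GHz core-hours."""
    return machines * months * HOURS_PER_MONTH * mhz / target_mhz


def gnfs_work(bits):
    """Heuristic GNFS cost L_n[1/3, (64/9)^(1/3)], o(1) term dropped."""
    ln_n = bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return math.exp(c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3))


def factoring_cost_usd(bits, usd_per_core_hour=EC2_USD_PER_CORE_HOUR):
    """Cost to factor a `bits`-bit modulus, calibrated on the 512-bit figure.
    Extrapolating past 512 bits via GNFS is an assumption of this example."""
    scale = gnfs_work(bits) / gnfs_work(512)
    return baseline_core_hours() * scale * usd_per_core_hour


def summary(key_sizes=(512, 768, 1024, 2048)):
    """Rows of (bits, factoring cost in USD, cost as a multiple of the ransom)."""
    return [(b, factoring_cost_usd(b), factoring_cost_usd(b) / RANSOM_USD)
            for b in key_sizes]


if __name__ == "__main__":
    print(f"implied data value: ${data_value_usd():,.0f}")
    for bits, cost, ratio in summary():
        print(f"RSA-{bits}: ~${cost:,.0f} to factor ({ratio:,.1f}x the ransom)")
```

The 512-bit row lands near the page's ~$3000 figure, roughly ten times the ransom; the larger rows show how quickly the factoring cost outgrows any plausible data value.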

 

What would happen if CryptoLocker’s crypto-strength were made lower and thus easier to crack? In theory, the economic model shifts from a ransom scenario of one seller and one buyer to a scenario more like that of the free market, where the crypto-crooks become the (possibly) cheaper solution provider in a market of two (or more) sellers and one buyer, thus passing the bare minimum requirement of being a true market.

 

Would that shift pose a serious threat to CryptoLocker’s perpetrators? Probably not. Some victims might turn to a legitimate service provider, which could try to crack the encryption using brute force, but that service is not free either, since server and electricity costs must again be factored in. Even if some government or big company can retrieve the data as a charity case, they can't solve everyone's problem, and need to prioritize the brute-force cracking. Thus, if the crypto-crooks can adjust the crypto-strength to the “right” level, they can always undercut the competitive price. It would not affect their bottom line, and might even increase the deal flow by forming an artificial but legitimate price point to compare against.

 

What might be the benefits of shifting to lower-strength encryption? If victims are aware of and understand that the perpetrators are in fact using the lower crypto standard, it could help to establish trust between the sides. Not engaging in crypto-overkill would allow perpetrators to signal their verifiable intent to not continue hiking ransom demands indefinitely, since the lower-strength encryption won’t hold forever. It’s strange to speak of a trust relationship between criminals and their victims, but if such is possible, especially for long-term profit maximization, this would be one way of going about it.

 

An additional advantage of using weaker crypto is that even if the criminals’ key server is taken down by police, the victims still have a way to recover their data, however slowly. Even in a criminal enterprise, you should plan for disaster recovery!

 

That sounds humorous, but in fact the idea that criminals might take responsibility for such things leads to an interesting aspect of CryptoLocker’s still-evolving legal situation. I suggest that we consider imposing punishment based on the crypto-strength used by the malware, when the crypto-crooks are caught. Linking legal implications to crypto-strength is not entirely new, as the US set a crypto-embargo limiting exported crypto strength to 40 bits in the ’90s.

 

 

As I’ve shown above, the criminals behind CryptoLocker understand their technology options very well. A criminal using lower-strength encryption is taking clear precautions to make sure that the worst-case scenario consequences of his crime are far less cataclysmic than those in which the hijacked data is irretrievably trapped in too-strong encryption. It doesn’t mean the perpetrators aren’t still criminals and deeply wrong in their actions, but it does show that they showed some regard for the safety of the data they were attempting to ransom.

 

The good news is that technically, CryptoLocker is a solved problem. The industry as a whole is already moving to cloud storage and thin-client infrastructure, which means the endpoint does not hold much data and is therefore less likely to be worth that $300 ransom, even to the sort of end users that don’t already back up their data regularly. In a cloud-centric world, a data loss from CryptoLocker could be easily recovered. But we are not there yet. While we’re in transition, a clear-eyed look at CryptoLocker’s economics and crypto choices is necessary, for both victims of the malware and its perpetrators.

 

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.