Ransomware: a bit of history. The dark side of cryptology

(To Alessandro Rugolo)
20/01/20

For some time now we have heard of ransomware: one of the best known attacks, perhaps because it consists of putting your hands directly in the wallet of those who are victims of it.

"Ransomware", in cyberspace, is synonymous with kidnapping for redemption purposes in the real world. And everyone understands this: it doesn't matter if our data is kidnapped and not a relative, friend or acquaintance, the fear of being hit by a ransomware it is at least the same as that of a "kidnapping".

Many companies are affected ransomware in recent years, we have already talked about some, we will never hear of others because, as often happens, to the fear of being hit by the ransomware, in real case, it follows that of losing face (especially when a company is hit, perhaps in the world of TLC or Defense or even worse, of cyber security!). For some companies, in fact, the biggest damage is not the payment of the ransom to get back their data but the fact that the thing becomes public and that the company's reputation is affected.

Yet despite the fact that we often talk about ransomware not many are those who know what it consists of and even fewer are those who know the history of this type of attack, at least the official one, public.

So let's try to clarify a bit, moving in time and space to go to an American university, Columbia University, one of the best known and most important private universities in the world.

We are in New York. In particular, we have to go back in time until the autumn of 1995. At that time a student named Adam Young, passionate about the study of viruses, attended a computer security course by Professor Matt Blaze, one of the most famous cryptologists, researcher and faculty part of the board of the TOR project. Among his lessons, it seems that one of the most interesting (at least for our Adam Young) was the one on the cipher known by the name of Tiny Encryption Algorithm (TEA), an encryption algorithm designed to be secure, fast and small in size. This algorithm was therefore created to improve security, speeding up the encryption process. Adam Young thought it might be interesting to study how such an algorithm could be used differently, in fact he put himself in the shoes of a hacker.

How could the TEA algorithm be used to make an attack such as the "One-half virus" even more dangerous?

One-half virus is a virus discovered in 1994 that encrypts the contents of the infected hard disk. It is a polymorphic virus, that is, it modifies itself with each infection to make its recognition more difficult. Unfortunately, for an attacker, a virus of this type has a defect: once discovered, it can be observed and studied.

In practice, the way the virus is viewed is identical for the defender and the attacker. The reflections on the topic led Young to consider that if it had been possible to change the way of seeing things, in practice to make the system asymmetrical, then the attack could have been much more dangerous since the analyst would not have had the opportunity to study the virus .

The terms symmetry and asymmetry are often used in cryptography. One of the best-known encryption systems today consists precisely in the use of asymmetric encryption, based on the use of two encryption keys, called "public key" and "private key".

The use of a two-key system to potentiate a virus had never been explored and this was precisely what Young did. But it was an idea that had to be studied well and to do so he obtained the support of the university which, thanks to Professor Moti Yung, offered him the opportunity to develop his thesis.

Adam Young and Moti Yung created the first cryptovirus (ie a virus that contains and uses a public key), in this way the hacker could encrypt a victim's data and ask for a ransom to "free" them. Purchase that usually has a lower cost than the possible recourse to a security company.

The thesis was discussed and the results were also presented at the IEEE Symposium on Security and Privacy conference on 6-8 May 1996 with a speech entitled: "Cryptovirology: extorsion-based security threats and countermeasures. In particular this ransomware belongs to the category of cryptolocker.

To conclude, a simple observation on ransomware: although risen to the headlines in recent years they have their place in scientific history, are documented and studied at universities and, above all, are now 23 years old, a more than respectable age in the ultra-fast world of information technology. .. yet still continue to do damage!

To learn more:
- Exposing cryptovirology, Adam Young, Moti Yung, Wiley publishing, 2004
- https://www.iacr.org/jofc/
- http://www.tayloredge.com/reference/Mathematics/TEA-XTEA.pdf
- https://www.f-secure.com/v-descs/one_half.shtml
- https://ieeexplore.ieee.org/document/502676
- https://www.difesaonline.it/evidenza/cyber/fine-anno-da-brividi-nel-cybe...
- https://www.difesaonline.it/evidenza/cyber/satori-il-risveglio-delle-bot...