Ransomware claims to encrypt your data with RSA-4096

July 21, 2007

Antivirus vendors are reporting a new virus that, once it has infected your computer, proceeds to encrypt your files (making them impossible to open) and then gives you the following warning:

Hello, your files are encrypted with RSA-4096 algorithm (http://en.wikipedia.org/wiki/RSA).

You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us.

To decrypt your files you need to buy our software. The price is $300.

To buy our software please contact us at: xxxxxxx@gmail.com and provide us your personal code -xxxxxxxxx. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system.

If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data.

However, the malware appears to be bluffing about the strength of the encryption key, and instead uses a much weaker algorithm that Kaspersky Lab claims to be able to decrypt. Furthermore, this particular strain appears to encrypt user files only if the system date is between the 10th and 15th of July. It is also interesting to note that the virus authors tell you that you will need "at least a few years to decrypt these files", when RSA-4096 is deemed to be unbreakable in the foreseeable future and even RSA-1024 has yet to be broken. The largest proper RSA number yet broken was a 200-digit "non-special" number whose two prime factors were identified in 2005 after 18 months of calculations that used over a half century of computer time. The 1024-bit numbers used in RSA encryption are around 100 orders of magnitude bigger than this. (source)

It probably goes without saying that we can expect ransomware in the near future to use significantly more complex encryption algorithms that are much harder (if not impossible) to break.

Additional information about this malware can be found here on the PandaLabs website.

If you have been affected by this malware, Kaspersky Lab offers a free utility to decrypt your files.