What RSA-4096 virus is, and how it operates
This is a new trojan-ransomware infection that claims to use a higher level of encryption, RSA-4096, rather than the more widely used RSA-2048. Although described in some places as a ‘virus’, it is not one technically: that category of malware is self-replicating, which this ransomware is not. It is nonetheless a serious threat to a system, so stop RSA-4096 virus immediately if it is contracted. Trojan-ransomware enters a system through a user oversight or a vulnerability and then contacts a control server to obtain an encryption key. The malware then encrypts user files and demands payment ($300 – 500 U.S.) in return for file recovery. It also attempts to delete the Shadow Volume Copies that Windows keeps, which would otherwise allow previous versions of the files to be restored without paying.
No common method of entry has yet been reported for this infection, though this family typically enters in the following ways: by opening unsolicited spam e-mail whose attachments or macros carry the trojan component; by clicking on compromised or fake pop-ups, usually offering freeware updates or security scans; through an exploit-kit attack targeting system or software vulnerabilities on websites compromised by hackers; through file-sharing on P2P/torrent sites; by installing freeware or pay-per-install downloads without proper care; or through a manual hack over an unprotected network or remote-access connection (variants like this often have the ability to spread via network shares). Occasionally the infection arrives on an infected external device. As these routes show, it is possible to avoid RSA-4096 virus through system maintenance and careful operation.
This variant was first detected in December of last year and is thought to be a variant of the TeslaCrypt ransomware, which appeared about a year ago, though no detailed analysis has yet been published. The connection is that it gives encrypted files the .vvv extension, the same as some variants of TeslaCrypt. There is a flaw in this malware: the key material is stored on the victim’s drive and is recoverable, so if it is retrieved in time the files can be restored with the decoder (see the linked article for details).
The encryption actually applied to the files is the Advanced Encryption Standard, AES-256, though the ransom note and wallpaper generated after encryption tell the victim that the encryption code is RSA-4096. Claiming that this more complex and entirely different cipher has been used is meant to frighten the victim further; the note even links to the Wikipedia page on RSA encryption for the victim’s reference, which includes details of the algorithm’s link with British security services, all drama to make payment more likely.
Many past (and ‘successful’) malware infections have used AES-256, as well as RSA-2048 (the CryptoWall ransomware, for example), and there is no practical reason for the hackers to step up to RSA-4096, because the lower key size already cannot be broken. There are two ways to decrypt the encoded files. The first is to obtain the private key, which is possible when a flaw in the malware allows the key to be recovered from the infected system, or when keys are seized from control servers that are taken down.
The other is ‘brute force’, which means running a program that tries every possible key until the cipher is eventually broken. For a 256-bit AES key or a 2048-bit RSA modulus the time and CPU power required exceed anything available, on a home system, a commercial system, or anywhere else, so raising the modulus to 4096 bits adds nothing against an attack that was already hopeless. What a larger key does cost is work on the victim’s machine, since RSA operations slow down as the modulus grows, and the hackers match their market and ensure that their product performs efficiently for their ‘customers’. If, for example, the victim’s system crashed when the ransomware started work, that would remove a potential ‘customer’ and lose a possible ransom payment. There have been cases of computers crashing and technicians discovering the real cause during repair; it is thought that this happens regularly and often goes undiscovered if the user chooses to have a completely new hard drive installed. And if encryption completed but the system then crashed after the ransom was paid, while the purchased key was running, word would get out and that would destroy the extortion market for the hackers.
There is no doubt that as processing power increases the malware will move with the times, but for now the RSA-4096 claim is a scare tactic. The infection itself is real, however, and it is important to eradicate RSA-4096 virus as soon as possible.
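To make concrete where the RSA key size actually enters, here is an added example in Go. It is not code from the page or from any malware sample: it implements the hybrid scheme this class of ransomware uses, in which each file is encrypted with AES-256 and only the 32-byte file key is wrapped with the attacker’s RSA public key. AES-GCM and RSA-OAEP are this example’s choices (the page says only AES-256, not the mode), the 2048-bit and 4096-bit keys are generated on the spot, and the 1 MiB buffer standing in for a victim file is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// sealedFile is what would replace the original on disk: the AES-256 file key
// wrapped under the attacker's RSA public key, the GCM nonce and the ciphertext.
type sealedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile encrypts plaintext with a fresh random AES-256 key and wraps that
// key with RSA-OAEP. RSA, whatever its modulus size, only touches the 32-byte key.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*sealedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &sealedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// decryptFile is the "decoder" step: unwrap the file key with the RSA private
// key, then run AES-GCM the other way. Without that key there is no way in.
func decryptFile(priv *rsa.PrivateKey, sf *sealedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sf.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, sf.Nonce, sf.Ciphertext, nil)
}

// timeRoundTrip generates a key of the given size, then times encryption and
// decryption of plaintext so the RSA-2048 vs RSA-4096 difference can be seen.
func timeRoundTrip(bits int, plaintext []byte) (time.Duration, time.Duration, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return 0, 0, err
	}
	start := time.Now()
	sf, err := encryptFile(&priv.PublicKey, plaintext)
	if err != nil {
		return 0, 0, err
	}
	encDur := time.Since(start)
	start = time.Now()
	if _, err := decryptFile(priv, sf); err != nil {
		return 0, 0, err
	}
	return encDur, time.Since(start), nil
}

func main() {
	// Constructed ~1 MiB "document" standing in for a victim file.
	plaintext := bytes.Repeat([]byte("constructed victim file contents\n"), 32000)
	for _, bits := range []int{2048, 4096} {
		enc, dec, err := timeRoundTrip(bits, plaintext)
		if err != nil {
			panic(err)
		}
		fmt.Printf("RSA-%d: encrypt %v, decrypt %v (RSA work is the key wrap only)\n", bits, enc, dec)
	}
}
```

Running it shows that the cost of the file body is the same under both key sizes and only the wrap/unwrap step grows with the modulus. Since neither a 256-bit AES key nor a 2048-bit RSA modulus is within reach of brute force, the 4096-bit figure changes nothing for the victim except the number printed in the ransom note.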
Detecting and dealing with this ransomware
Because of the evasive and evolving nature of trojan-ransomware, many security programs may fail to detect RSA-4096 virus. There are manual signs to watch for: increased CPU load, perhaps causing programs to close prematurely or the display to freeze; increased port use or unprompted connections to the internet as the trojan tries to communicate; slower all-round operation and a delay at start-up. If any of these signs are noticed, look for user files whose extension has changed to .vvv. If any are found, disconnect from all internet and network connections, copy unaltered files to external storage if no existing backup is available, and gather the encrypted ones in a folder (keep them, as they are what a decoder works on). See below for how to remove RSA-4096 virus and how to decrypt files if required (it may be necessary to download the instructions and the decryption program on another system and bring them over on a flash drive or disk, since the infection may try to block downloads). Once it has been dealt with, try to identify how the infection gained entry so as to prevent further malware problems.
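The triage step just described, as an added example in Go that is not part of the original page or of any vendor tool: it walks a directory tree for files whose extension has changed to .vvv, recovers the original extension from the filename, counts which kinds of files were hit, and moves the encrypted files into a quarantine folder while preserving their relative paths, which a decoder will need later. The case-insensitive match on the extension, the sample tree the program builds, the filenames and the quarantine location are all this example’s own assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// encryptedExt is the extension the page associates with this family.
const encryptedExt = ".vvv"

// hit is one renamed file plus the extension it had before encryption
// (report.docx.vvv -> .docx), recovered from the name.
type hit struct {
	Path        string
	OriginalExt string
}

// findEncrypted walks root and returns every regular file ending in encryptedExt.
// Matching is case-insensitive; that is an assumption, not something the page states.
func findEncrypted(root string) ([]hit, error) {
	var hits []hit
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if info.IsDir() || !strings.EqualFold(filepath.Ext(path), encryptedExt) {
			return nil
		}
		stripped := strings.TrimSuffix(path, filepath.Ext(path))
		hits = append(hits, hit{Path: path, OriginalExt: filepath.Ext(stripped)})
		return nil
	})
	return hits, err
}

// summarize counts hits per original extension so the operator sees what was touched.
func summarize(hits []hit) map[string]int {
	counts := make(map[string]int)
	for _, h := range hits {
		counts[h.OriginalExt]++
	}
	return counts
}

// quarantine moves every hit under dest, keeping its path relative to root, so the
// files stay available to a decoder and their origin is not lost. dest must be on
// the same filesystem as root for os.Rename to succeed.
func quarantine(root, dest string, hits []hit) (int, error) {
	moved := 0
	for _, h := range hits {
		rel, err := filepath.Rel(root, h.Path)
		if err != nil {
			return moved, err
		}
		target := filepath.Join(dest, rel)
		if err := os.MkdirAll(filepath.Dir(target), 0o700); err != nil {
			return moved, err
		}
		if err := os.Rename(h.Path, target); err != nil {
			return moved, err
		}
		moved++
	}
	return moved, nil
}

// buildSample lays down a constructed victim tree: two "encrypted" files and one
// untouched file. Names and contents are invented for this demo.
func buildSample(root string) error {
	for _, rel := range []string{"docs/report.docx.vvv", "photos/holiday.jpg.VVV", "docs/notes.txt"} {
		p := filepath.Join(root, rel)
		if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte("constructed content of "+rel), 0o600); err != nil {
			return err
		}
	}
	return nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	// For real use point root at the user profile; here a throwaway sample tree is scanned.
	tmp, err := os.MkdirTemp("", "vvv-demo-")
	must(err)
	defer os.RemoveAll(tmp)
	root, dest := filepath.Join(tmp, "victim"), filepath.Join(tmp, "quarantine")
	must(buildSample(root))
	hits, err := findEncrypted(root)
	must(err)
	fmt.Printf("%d encrypted files by original extension: %v\n", len(hits), summarize(hits))
	n, err := quarantine(root, dest, hits)
	must(err)
	fmt.Printf("moved %d files under %s\n", n, dest)
}
```

Run it only after the machine has been disconnected from the network, and never delete the quarantined files: if the key is recovered, they are the input to the decoder, and the relative path kept under the quarantine folder tells you where each one came from.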
How to prevent RSA-4096 virus
The thing to remember about prevention is that all malware must be permitted to enter, through user error or system weakness. If the entry methods above are studied and understood, it is possible to operate normally at low risk. Installing software safely is straightforward if the Advanced/Custom install option is used, so that bundled extras can be declined. Browsing can be strengthened by keeping the browser up to date and applying the latest system patches; adjust browser settings to maximum privacy and site warnings, and disallow unneeded add-ons and plugins. A good firewall set to block communication with the Tor and I2P networks will disable many ransomware infections should they manage to enter, as will denying unauthorized port use; ensure that the firewall covers ALL possible entry points, including wireless, remote access and networking. Delete any e-mail from unrecognized addresses, however inviting or demanding it seems; if a message must be checked, inspect it unopened by viewing the message source rather than opening any attachment. Good security software helps with regular system scans. Tighten Software Restriction Policies (see the Microsoft website for details) so that malware cannot run unnoticed in a system. This and all infections can be kept away with a little thought and planning.