to, respectively. We sought a digital analogue of the facehugger, namely, a forced symbiotic relationship between a computer virus and its host where removing the virus is more damaging than leaving it in place.

But what we discovered was not exactly that which we sought. We discovered the first secure data kidnapping attack. We called it cryptoviral extortion. In cryptoviral extortion, the attacker generates a key pair for a public key cryptosystem and places the “public encryption key” in the cryptovirus. The corresponding “private decryption key” is kept private. The cryptovirus spreads and infects many host systems. It attacks the host system by hybrid encrypting the victim’s files: encrypting the files with a locally generated random symmetric key and encrypting that key with the public key. It zeroizes the symmetric key and plaintext and then puts up a ransom note containing the asymmetric ciphertext and a means to contact the attacker. The victim sends the payment and the asymmetric ciphertext to the attacker. The attacker receives the payment, decrypts the asymmetric ciphertext with his private key, and sends the recovered symmetric key to the victim. The victim deciphers his files with the symmetric key.

At no point is the private key revealed to the victims. Only the attacker can decrypt the asymmetric ciphertext. Furthermore, the symmetric key that a victim receives is of no use to other victims since it was randomly generated.

We presented this attack along with the facehugger analogy at the 1996 IEEE Security and Privacy conference.[8] The discovery was perceived as being simultaneously innovative and somewhat vulgar. Years later, the media relabeled the cryptoviral extortion attack as ransomware. In the conference paper we proposed that electronic money could be extorted by the attacker. This is what happens today using bitcoin. We have observed that what we described over 20 years ago is the exact “business model” used today in an estimated $1 billion-a-year criminal industry: the industry of ransomware.

We discovered that public key cryptography holds the power to break the symmetry between the view of an antivirus analyst and the view of the attacker. The view of the antivirus analyst is the malware code and the public key it contains. The view of the attacker is the malware code, the public key it contains, and the corresponding private key. The malware can perform trapdoor one-way operations on the victim’s machine that only the attacker can undo. A multitude of cryptovirology attacks, both overt and covert in nature, are based on the unique advantage this gives to the attacker. These methods weaponize cryptography as an attack tool, as opposed to the previous uses, which were defensive in nature.

In our 2004 book Malicious Cryptography: Exposing Cryptovirology [9] we presented the following analogy: cryptovirology is to penetrating computer systems as cryptanalysis is to cracking ciphers. It is a proactive anticipation of the opponent’s next move and suggests that certain countermeasures should be developed and put into place. To counter cryptoviral extortion we recommended a diligent backup strategy and searching for crypto code where it
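The cryptographic core of the extortion protocol described above, written here as an added example using Go's standard library (it is not code from the article or its authors). Two constructed in-memory byte strings stand in for victims' files; the "malware" side holds only the public key; the check at the end verifies the two properties the text states: the private-key holder's unwrap step recovers the data, and one victim's recovered symmetric key fails on another victim's envelope. RSA-OAEP and AES-256-GCM are assumptions (the article names no particular ciphers), chosen so that a wrong key fails authentication instead of producing garbage. The point for defenders is that the recoverable artifact, public key plus ciphertext, contains nothing that reverses the trapdoor, which is why the authors' countermeasure is a backup strategy rather than analysis of the code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what the article's ransom note carries: the symmetric key wrapped
// under the attacker's public key (the "asymmetric ciphertext") together with the
// symmetrically encrypted data (AES-GCM nonce and output).
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds an AES-256-GCM instance for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// hybridEncrypt models the step performed with only the public key in hand: draw a
// fresh random symmetric key, seal the data, wrap the key with RSA-OAEP, then
// zeroize the plaintext key so it survives only inside the envelope.
func hybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	for i := range key { // zeroize: from here on only the trapdoor leads back to the key
		key[i] = 0
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// unwrapKey is the private-key holder's step: it inverts the trapdoor one-way
// operation that the public-key holder could only apply.
func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// openEnvelope recovers the data given that envelope's own symmetric key.
func openEnvelope(key []byte, env Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// demonstrateAsymmetry runs the protocol for two constructed "victims" and checks
// that the private-key holder recovers the data while victim A's key is useless
// against victim B's envelope.
func demonstrateAsymmetry() (bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // attacker's key pair (constructed here)
	if err != nil {
		return false, err
	}
	fileA := []byte("constructed sample data for victim A")
	fileB := []byte("constructed sample data for victim B")
	envA, errA := hybridEncrypt(&priv.PublicKey, fileA) // only the public key is used
	envB, errB := hybridEncrypt(&priv.PublicKey, fileB)
	if errA != nil || errB != nil {
		return false, fmt.Errorf("encryption failed: %v %v", errA, errB)
	}
	keyA, err := unwrapKey(priv, envA.WrappedKey) // the private-key holder's step
	if err != nil {
		return false, err
	}
	if got, err := openEnvelope(keyA, envA); err != nil || !bytes.Equal(got, fileA) {
		return false, errors.New("private-key holder failed to recover victim A's data")
	}
	if _, err := openEnvelope(keyA, envB); err == nil {
		return false, errors.New("victim A's key must not open victim B's envelope")
	}
	return true, nil
}

func main() {
	ok, err := demonstrateAsymmetry()
	fmt.Println("asymmetry holds:", ok, "error:", err)
}
```

Running it prints `asymmetry holds: true error: <nil>`. Note what the analyst's view can and cannot do against this envelope: with the public key alone one can produce more envelopes, but nothing in the artifact recovers `key` once it has been zeroized, and the randomly generated key of one envelope gives no leverage over another.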