Computerworld tells of a new debate over a Trojan horse that uses encryption to demand ransom from its victims:

“Your files are encrypted with RSA-1024 algorithm,” it begins. “To recovery [sic] your files you need to buy our decryptor. To buy decrypting tool contact us at: xxxxx@yahoo.com.”

Last Thursday, a Kaspersky analyst identified as “VitalyK” said that although the company had analyzed samples of Gpcode, it wasn’t able to decrypt the files the malware encoded. “We can’t currently decrypt files encrypted by Gpcode.ak,” said VitalyK in an entry to the company’s research blog. “The RSA encryption implemented in the malware uses a very strong, 1024-bit key.”

A backup of files, of course, would render this attack useless. The bigger question, perhaps, is whether an attempt by an unknown application to use the Microsoft Enhanced Cryptographic Provider could be blocked or prompt the user for confirmation. After all, since encryption is so rare, one would think any crypto activity on a system should show up as suspicious behavior. Ah, and that’s assuming you did not catch the download and installation of the Trojan horse.

Incidentally, I am really happy to see more and more people use the term “Trojan horse” instead of just “Trojan” to describe this kind of malware. I remember this was not common some time ago and it always used to grate on me that people were using the reference completely backwards. Those who forget history…