Cryptoviral extortion using Microsoft's Crypto API


This paper presents the experimental results that were obtained by implementing the payload of a cryptovirus on the Microsoft Windows platform. The attack is based entirely on the Microsoft Cryptographic API and the needed API calls are covered in detail. More specifically, it is shown that by using eight types of API calls and 72 lines of C code, the payload can hybrid encrypt sensitive data and hold it hostage. Benchmarks are also given. A novel countermeasure against cryptoviral extortion attacks is shown that forces the API caller to demonstrate that an authorized party can recover the asymmetrically encrypted data.

This is a preview of subscription content, log in to check access.


  1. 1.

    Bates, J.: Trojan Horse: AIDS information introductory diskette version 2.0. In: Wilding, E., Skulason, F. (eds.) Virus Bulletin. Virus Bulletin Ltd., Oxon, UK (1990)

  2. 2.

    Bates, J.: High level-programs and the AIDS Trojan. In: Wilding, E., Skulason, F. (eds.) Virus Bulletin. Virus Bulletin Ltd., Oxon, UK (1990)

  3. 3.

    Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.) Advances in Cryptology—Eurocrypt 1994, pp. 92–111. (Lecture Notes in Computer Science 950). Springer, Berlin Heidelberg New York (1994)

  4. 4.

    Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24(2), 84–88 (1981)

    Article  Google Scholar 

  5. 5.

    Department of Defense: National Industrial Security Program Operating Manual 5220.22-M. U.S. Government Printing Office, Washington, DC (1995) %%ISBN 0-16-045560-X

  6. 6.

    Golle, P., Boneh, D.: Almost entirely correct mixing with applications to voting. In: Sandhu, R., Jajodia, S. (eds.) Computer and Communications Security—CCS 2002, pp. 59–68. ACM, New York (2002)

  7. 7.

    Grimes, R.: Malicious Mobile Code. O'Reilly and Associates, Sebastopol, CA (2001)

  8. 8.

    Gülcü, C., Tsudik, G.: Mixing e-mail with Babel. In: Neuman, B., Balenson, D. (eds.) Symposium on Network and Distributed System Security—SNDSS 1996, pp. 2–16. IEEE Computer Society, Washington, DC (1996)

  9. 9.

    Jakobsson, M.: A practical mix. In: Nyberg, K. (ed.) Advances in Cryptology—Eurocrypt 1998, pp. 448–461. (Lecture Notes in Computer Science 1403). Springer, Berlin Heidelberg New York (1996)

  10. 10.

    National Bureau of Standards: DES Modes of Operation. Federal Information Processing Standards Publication 81. National Technical Information Service, Springfield, VA (1980)

  11. 11.

    National Institute of Standards and Technology: Announcing Draft Federal Information Processing Standards (FIPS) 180-2, Secure Hash Standard, and Request for Comments. Federal Register 66(104), 29287 (2001)

    Google Scholar 

  12. 12.

    National Institute of Standards and Technology: Announcing Approval of Federal Information Processing Standard (FIPS) 180-2, Secure Hash Standard; a Revision of FIPS 180-2. Federal Register 67(165), 54785–54787 (2002)

  13. 13.

    Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

    Google Scholar 

  14. 14.

    Schechter, S., Smith, M.: How much security is enough to stop a thief?: the economics of outsider theft via computer systems and networks. In: Wright, R. (ed.) Financial Cryptography – FC 2003, pp. 122–137. (Lecture Notes in Computer Science 2742). Springer, Berlin Heidelberg New York (2003)

  15. 15.

    Skulason, F.: Virus dissection: disk killer. In: Wilding, E., Skulason, F. (eds.) Virus Bulletin. Virus Bulletin Ltd., Oxon, UK (1990)

  16. 16.

    Young, A.: Building a cryptovirus using Microsoft's Cryptographic API. In: Zhou, J., Lopez, J., Deng, R., Bao, F. (eds.) Information Security Conference—ISC 2005, pp. 389–401. (Lecture Notes in Computer Science 3650). Springer, Berlin Heidelberg New York (2005)

  17. 17.

    Young, A., Yung, M.: Cryptovirology: extortion-based security threats and countermeasures. In: McHugh, J., Dinolt, G. (eds.) Symposium on Security & Privacy, pp 129–141. IEEE Computer Society, Washington, DC (1996)

Download references

Author information



Corresponding author

Correspondence to Adam L. Young.

Additional information

Adam L. Young received a B.S. in Electrical Engineering from Yale in 1994 and a M.S. and Ph.D. in Computer Science from Columbia University in 1996 and 2002, respectively. He served as a MTS at Lucent under Michael Reiter, a Principal Engineer at Lockheed Martin, and has conducted research for the US DoD. Adam Young and Moti Yung authored the Wiley book “Malicious Cryptography:Exposing Cryptovirology,” that was published in 2004.

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Young, A.L. Cryptoviral extortion using Microsoft's Crypto API. Int. J. Inf. Secur. 5, 67–76 (2006).

Download citation


  • Cryptovirus
  • Public key cryptography
  • Hybrid encryption
  • Cryptographic API
  • RSA