SecurityFocus, 2008-06-13
Antivirus firm Kaspersky Lab called on Internet users last week to help crack the encryption used by the latest variant of a malicious program that scrambles victims' files and then demands payment for the decryption key.
The program, dubbed Gpcode by the Russian antivirus firm, appears to be a Trojan horse that is spread through e-mail and USENET newsgroup postings. While previous versions have had flawed encryption implementations, the latest version -- Gpcode.ak -- appears to have eliminated the flaws that allowed reverse engineers to find earlier keys. While the malicious program has not compromised many systems yet -- Kaspersky Lab has reports of "hundreds" -- the company has made finding the 1,024-bit key a priority.
"So we're calling on you -- cryptographers, governmental and scientific institutions, antivirus companies, (and) independent researchers -- join with us to stop Gpcode," the company stated last Friday on its forum. "This is a unique project -- uniting brainpower and resources out of ethical, rather than theoretical or malicious considerations."
Gpcode first appeared in December 2004, according to Kaspersky, but the amateurish programming allowed antivirus firms to help victims decrypt their scrambled files. In June 2006, the steady improvements in Gpcode ceased and until last week, no new variants were seen, Kaspersky Lab stated.
The latest variant of the Trojan, first reported on June 4, appears not to have the implementation flaws of previous versions. While 1,024-bit RSA keys are considered too short for high-security applications, factoring a key of that size is still far beyond any reasonable brute-force effort, said Bruce Schneier, chief technology officer for managed-security service provider BT Counterpane and an encryption expert.
"It's just not a reasonable task to ask the Internet to do," Schneier said.
Some experts criticized the company for creating a community effort around a problem that, even if solved this time around, likely will not help in the long run. Vesselin Bontchev, a well-known computer antivirus researcher, dismissed the project as "wildly optimistic" and little more than a public-relations stunt.
"The task is really hard," Bontchev said in an e-mail interview. "Grid computing would solve (the problem in) much less time, but 'much less' than half an eternity is still quite a lot."
The company's factoring project highlights that the relative ease with which antivirus companies have dealt with ransomware is at an end. Generating larger keys and changing them frequently costs the extortionist almost nothing, while leaving defenders a recovery problem that is computationally infeasible without the private key.
The company clarified, however, that it's more interested in getting help in finding flaws in the encryption implementation.
"We are not trying to crack the key," Roel Schouwenberg, senior antivirus researcher with Kaspersky Lab, told SecurityFocus. "We want to see collectively whether there are implementation errors, so we can do what we did with previous versions and find a mistake to help us find the key."
Schouwenberg agrees that, if no implementation flaw is found, searching for the decryption key using brute-force computing power is unlikely to work.
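The kind of search Schouwenberg describes targets the key generation rather than the key: an RSA modulus built from a poorly seeded random number generator, from primes that are too close together, or from a prime that is simply small can be factored in seconds no matter how many bits it has. The following is an added example of such checks, not Kaspersky's code and not a description of any flaw in Gpcode.ak; the moduli are constructed toy keys of a few dozen bits so that the example runs instantly, and the check names and thresholds are the author's own choices.

```python
"""Sanity checks for RSA moduli of the kind used to hunt for key-generation
errors.  Added example with constructed toy keys; nothing here is claimed
to apply to Gpcode.ak itself."""
from math import gcd, isqrt


def small_factor(n, bound=10000):
    """Trial division: a modulus with a tiny prime factor is broken outright."""
    for p in range(2, bound):
        if n % p == 0:
            return p
    return None


def fermat_factor(n, max_iter=100000):
    """Fermat's method: recovers p and q quickly when |p - q| is small,
    i.e. when the generator picked its two primes too close together."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_iter):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None                     # primes not close enough to find this way


def batch_gcd(moduli):
    """Pairwise GCD: two keys that share a prime (a classic symptom of a bad
    RNG) each give up that prime.  Returns {modulus: shared_prime}."""
    found = {}
    for i, n in enumerate(moduli):
        for m in moduli[i + 1:]:
            g = gcd(n, m)
            if 1 < g < n:
                found.setdefault(n, g)
                found.setdefault(m, g)
    return found


def audit_keys(moduli):
    """Run every check over a list of moduli; return {n: (reason, factor)}
    for each key a defender could recover.  Keys that pass are omitted."""
    results = {}
    shared = batch_gcd(moduli)
    for n in moduli:
        p = small_factor(n)
        if p:
            results[n] = ("small factor", p)
            continue
        if n in shared:
            results[n] = ("shared prime", shared[n])
            continue
        f = fermat_factor(n)
        if f:
            results[n] = ("primes too close", f[0])
    return results


# Constructed toy moduli (all factors are primes near 10^6 or below).
K_CLOSE = 1000033 * 1000037          # p and q differ by 4
K_SHARED_A = 1000003 * 1000081       # shares 1000003 with K_SHARED_B
K_SHARED_B = 1000003 * 1000099
K_SMALL = 7919 * 999983              # one factor is tiny
K_OK = 100003 * 999979               # passes every check above
TOY_MODULI = [K_CLOSE, K_SHARED_A, K_SHARED_B, K_SMALL, K_OK]

if __name__ == "__main__":
    for n, (reason, factor) in audit_keys(TOY_MODULI).items():
        print(f"{n}: {reason}, recovered factor {factor}")
```

None of these checks touches the hardness of factoring itself; each exploits a mistake the key's author made, which is exactly the distinction Schouwenberg draws between "cracking the key" and finding an implementation error.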
The problem is not going to get any easier.
A person, presumably the author of Gpcode, contacted at one of the e-mail addresses left behind by the program stated that future development efforts will likely increase the key size to 4,096 bits, "if AV companies or other (people) crack the current key, but (that's) impossible."
The self-proclaimed author, who used the name "Daniel Robertson," also said that other standard techniques to defeat antivirus will be added, including polymorphic encryption, anti-heuristic features and the ability to self-propagate, turning the program into a computer virus.
Although extortion is not an uncommon way for online criminals to turn their illicit activities into cash, the usual technique has been the online equivalent of a protection scam -- first attacking an online site and then demanding payment for the attack to stop. Encrypting a user's files and demanding payment for the key has, until now, been fairly ineffective.
This week, Kaspersky made available an add-on tool to help recover files by undeleting data from a user's hard drive and searching for the names of the deleted files. The approach works because the Trojan deletes the original files after writing encrypted copies rather than overwriting them in place, so the plaintext often survives in unallocated disk space. Its effectiveness depends on a variety of factors, including how much free space is on the hard drive and how heavily the victim used the computer after Gpcode encrypted the data.
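As an added illustration of the recovery technique described above (not Kaspersky's tool, and not tied to any real Gpcode-affected disk), the following carver scans a raw image for the header and trailer signatures of two file types and extracts everything between them. The "disk image" is constructed in-line: pseudo-random printable filler standing in for unallocated space, one intact deleted PNG, one intact deleted JPEG, and a JPEG header whose data was partly overwritten, which the carver must not merge with the file that follows it. Signature choices and the helper names are the author's own.

```python
"""Signature-based file carving over a raw disk image.  Added example of
the technique undelete tools rely on: a deleted file's clusters are
unlinked from the file system but not wiped, so known headers and
trailers can still be found in unallocated space.  Image is constructed."""
import random
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND"                   # final chunk type; a 4-byte CRC follows it
JPEG_SIG = b"\xff\xd8\xff"
JPEG_END = b"\xff\xd9"

PNG_BODY = b"pixel data " * 20      # stand-in for IHDR/IDAT chunks
JPEG_BODY = b"scan data " * 25      # stand-in for JPEG segments


def make_png(body):
    """PNG-shaped blob: signature, opaque body, zero-length IEND chunk + CRC."""
    iend = (0).to_bytes(4, "big") + PNG_END
    return PNG_SIG + body + iend + zlib.crc32(PNG_END).to_bytes(4, "big")


def make_jpeg(body):
    return JPEG_SIG + b"\xe0" + body + JPEG_END


def build_image(seed=1):
    """Constructed unallocated space.  Filler is restricted to printable
    bytes so it can never contain a signature by accident."""
    rng = random.Random(seed)

    def filler(n):
        return bytes(rng.randrange(0x20, 0x7F) for _ in range(n))

    truncated = JPEG_SIG + b"\xe0" + b"partial"   # header whose tail was overwritten
    return (filler(512) + make_png(PNG_BODY) + filler(300)
            + truncated + filler(200) + make_jpeg(JPEG_BODY) + filler(256))


def carve(image, sig, trailer, trailer_len, max_len=1 << 20):
    """Return [(offset, data)] for every sig..trailer run in image.

    A header whose next trailer lies beyond another header of the same type
    (or beyond max_len) is a truncated file: it is skipped rather than
    glued onto the file that follows."""
    out = []
    pos = image.find(sig)
    while pos != -1:
        end = image.find(trailer, pos + len(sig))
        if end == -1:
            break                                  # no trailer anywhere after
        nxt = image.find(sig, pos + len(sig))
        if end > pos + max_len or (nxt != -1 and nxt < end):
            pos = nxt                              # truncated: move to next header
            continue
        end += trailer_len
        out.append((pos, image[pos:end]))
        pos = image.find(sig, end)
    return out


def recover(image):
    """Carve both supported types; names are not recoverable this way."""
    return {
        "png": carve(image, PNG_SIG, PNG_END, len(PNG_END) + 4),
        "jpeg": carve(image, JPEG_SIG, JPEG_END, len(JPEG_END)),
    }


if __name__ == "__main__":
    for kind, hits in recover(build_image()).items():
        for offset, data in hits:
            print(f"{kind}: {len(data)} bytes at offset {offset}")
```

Carving recovers content, not names; the file-name search the article mentions would have to come from directory-entry remnants, which this example does not model. It also illustrates the caveat in the text: a file whose clusters were reused after deletion (the truncated header here) is gone, and the more the machine was used after encryption, the more of the plaintext has been overwritten.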
For users, however, the best defense is to back up their data, and not just to an external hard drive, but to some removable storage or offsite service, said researcher Bontchev.
"The most reliable solution is backups," he said. "Treat such viruses the same way you treat data corruption viruses."
Yet, Bontchev did not hold out much hope that users will learn to better protect their data.
"It is very difficult to catch the attacker, and if user education was ever going to work, don't you think it would have worked by now?" he said.
While the writers of Gpcode took a two-year hiatus between the last version of program and the most recent one, the extortionists are unlikely to stop. "Robertson," who claimed not to be the original author of Gpcode, said development will continue in the future, because the scheme makes money.
"It well pays back itself," he said.