Spyware, Viruses and now...RansomWare!

As if regular viruses were not enough, hackers are now literally holding their victims' data hostage. Ransomware works by encrypting the user's data and then demanding payment to provide the decryption key.


The latest, which CA, Inc calls "Win32/RansomSMS.AH," is bundled inside an application called "uFast Download Manager." CA announced the discovery of the hack on November 30, 2009. The bundled software installs itself without input from the user and springs a message on the unsuspecting victim. The uninstaller included with the ransomware does not function. The message appears in a semi-opaque window and is in Russian. The approximate English translation reads:

   Internet access is blocked due to violation of the
   license agreement schedules of uFast Download Manager
   You must activate your copy

   Get a registration code by sending an SMS with the following
   code fw0004199 to number 7122

   In response you will receive an activation message.

   Enter the activation message received from the SMS response  ________

CA has made available an activation code that decrypts the affected user files.


Earlier this year Kaspersky Labs identified similar ransomware, called "Gpcode.ak". This nasty malware performs 1024-bit encryption on the user's data and demands money for the decryption code. It adds the extension "._CRYPT" to the affected files, and puts a text file named "!_READ_ME_!.txt" in the same folder as the encrypted user files. The readme file includes the following text:

   Your files are encrypted with RSA-1024 algorithm.
   To recovery your files you need to buy our decryptor.
   To buy decrypting tool contact us at: ********@yahoo.com

A previous version of Gpcode was released two years before. It sported 660-bit encryption. This earlier version's encryption has been cracked, but the more recent 1024-bit encryption scheme apparently has not been. Fortunately, the "ak" version of Gpcode makes a copy of the file, encrypts it, then deletes the original file. The unencrypted but deleted files may be recoverable.
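As an added illustration (not code from CA or Kaspersky), the following Python scans a directory tree for the two Gpcode.ak artifacts the article names, the "._CRYPT" extension and the "!_READ_ME_!.txt" note, and separately lists encrypted files whose original is already gone, the copy-encrypt-delete leftovers that undelete tooling might still recover. The sample tree is constructed in a temporary directory; every filename in it other than the two indicators is made up.

```python
import os
import tempfile
from dataclasses import dataclass, field

CRYPT_SUFFIX = "._CRYPT"          # extension Gpcode.ak appends (from the article)
RANSOM_NOTE = "!_READ_ME_!.txt"   # note dropped beside encrypted files (from the article)

@dataclass
class ScanResult:
    ransom_notes: list = field(default_factory=list)
    encrypted: list = field(default_factory=list)
    # originals that no longer exist: copy-encrypt-delete leaves these as undelete candidates
    originals_missing: list = field(default_factory=list)

    def infected(self):
        return bool(self.ransom_notes or self.encrypted)

def scan_for_gpcode(root):
    """Walk a tree and collect the Gpcode.ak artifacts described in the article."""
    result = ScanResult()
    for dirpath, _, filenames in os.walk(root):
        present = set(filenames)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                result.ransom_notes.append(path)
            elif name.endswith(CRYPT_SUFFIX):
                result.encrypted.append(path)
                original = name[:-len(CRYPT_SUFFIX)]   # strip "._CRYPT" to get the original name
                if original not in present:
                    result.originals_missing.append(os.path.join(dirpath, original))
    return result

def build_sample_tree():
    """Constructed sample tree (not a real infection) mimicking the post-infection state."""
    root = tempfile.mkdtemp(prefix="gpcode_demo_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    files = {
        "report.doc._CRYPT": b"\x00opaque ciphertext",            # original already deleted
        "photo.jpg": b"clean", "photo.jpg._CRYPT": b"\x00opaque",  # original still present
        RANSOM_NOTE: b"Your files are encrypted with RSA-1024 algorithm.",
        "notes.txt": b"untouched file",
    }
    for name, body in files.items():
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(body)
    return root
```

Run `scan_for_gpcode` against a real volume root to triage; the `originals_missing` list is the set of paths to hand to file-recovery tooling before anything writes to the disk.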

Comments
  • 12/1/2009 6:47 AM monique ferraro wrote:
    Thanks for the information! One question- wouldn't regularly backing up your data effectively thwart the hacker's efforts?
    Best,
    Monique Ferraro
    1. 12/1/2009 9:52 AM Steve B wrote:
      Good question Monique. And the answer is an unequivocal "maybe."
      As I haven't personally dealt with either of these pieces of malware, I'm going from the reports I have read. 

      The first piece of malware discussed (Win32/RansomSMS.AH) blocks Internet access, through what process I do not know. Not knowing what file, files, registry entries or whatever else have been modified, I do not know that the given data would have been backed up.
      So it seems to me that there's a good chance a restoral from backup might not solve the problem.
      If it is a complete disk image taken from just before the infection, I'd expect it to work, but the existence of such an image for the average user (or even the advanced forensic guru) seems unlikely.

      As for the earlier GPcode.ak, I'd say restoring from a backup of the affected files would probably work fine...as long as the old files weren't erased by a new backup. Fortunately the new, encrypted files have a different name so as long as old files aren't deleted with a new backup, the old files with their original names ought to still be available to be restored.

      Thanks for the thoughtful question. Btw - I'm impressed with how fast your site loads.

      Cheers,  Steve
