Security Bytes

Nov 29 2010   1:23PM GMT

Ransomware encrypts files, demands $120



Posted by: ITKE
Tags:
ransomware

A newly detected drive-by attack encrypts media files and Microsoft Office documents and then demands payment to have the files decrypted.

By Ron Condon, UK Bureau Chief

One more reason for keeping your Adobe Systems software up to date. Sophos Ltd. security consultant Graham Cluley is reporting a new ransomware attack that hits computer users via a drive-by vulnerability on compromised websites.

Victims are suddenly presented with a message that their files have been encrypted and that they will need to pay $120 to regain access to them.

Early investigations indicate that the attacks are delivered using an Adobe PDF exploit, but that hasn’t been confirmed. The attacks affect a wide range of media files, such as .jpeg images and .mpeg audio files, as well as Microsoft Office files. Affected files are renamed with an added .ENCODED suffix.
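As an added triage example (not code from the article or from Sophos), the script below inventories files carrying the .ENCODED suffix described above and groups them by their original file type so a responder can scope the impact; the directory contents and the office/media extension sets are constructed assumptions.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicator from the article: encrypted files are renamed with an extra .ENCODED suffix.
RANSOM_SUFFIX = ".ENCODED"

# Assumed groupings of the file families the article says were hit (constructed lists).
OFFICE_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
MEDIA_EXTS = {".jpg", ".jpeg", ".mpeg", ".mpg", ".mp3", ".png"}


def classify(original_ext):
    """Map the extension the file had before renaming to a reporting family."""
    ext = original_ext.lower()
    if ext in OFFICE_EXTS:
        return "office"
    if ext in MEDIA_EXTS:
        return "media"
    return "other"


def find_encoded_files(root):
    """Walk root and return (path, original_extension, family) for each .ENCODED file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.upper().endswith(RANSOM_SUFFIX):
                continue
            original = name[: -len(RANSOM_SUFFIX)]      # "report.docx.ENCODED" -> "report.docx"
            orig_ext = Path(original).suffix             # -> ".docx"
            hits.append((os.path.join(dirpath, name), orig_ext, classify(orig_ext)))
    return hits


def summarize(hits):
    """Count affected files per family; any non-zero count is a triage signal."""
    return Counter(family for _path, _ext, family in hits)


def demo():
    """Build a constructed sample tree (not real victim data) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        sample = ["report.docx.ENCODED", "budget.xls.ENCODED", "holiday.jpeg.ENCODED",
                  "clip.mpeg.ENCODED", "notes.txt", "readme.txt.ENCODED"]
        os.makedirs(os.path.join(root, "sub"))
        for i, name in enumerate(sample):
            sub = "sub" if i % 2 else ""                 # spread files over two directories
            Path(os.path.join(root, sub, name)).write_bytes(b"\x00" * 16)
        hits = find_encoded_files(root)
        return dict(summarize(hits)), sorted(ext for _path, ext, _fam in hits)
```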

The attack, which Sophos has identified as Troj/Ransom-U, changes the user’s Windows desktop wallpaper to deliver the first part of the ransom message, which tells the user their files have been encrypted. It adds that they must act quickly to get their files decrypted, and must not tell anyone about the attack.

According to Cluley:

Of course, we don’t recommend paying money to ransomware extortionists. There’s nothing to say that they won’t simply raise their ransom demands even higher once they discover you are prepared to pay up.

The actual ransom note, contained in a .txt file, warns that the files will be deleted if the ransom is not paid quickly. “We can help to solve this task for $120 via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring [sic] your message and nothing will be done,” it adds.

The user is asked to send the money and an email containing a fingerprint hex-string, which Sophos suggests is the encryption key used. Whether the decryption actually takes place after payment has not been tested.
