A newly detected drive-by attack encrypts media files and Microsoft Office documents and then demands payment to have the files decrypted.
By Ron Condon, UK Bureau Chief
One more reason for keeping your Adobe Systems software up to date. Sophos Ltd. security consultant Graham Cluley is reporting a new ransomware attack that hits computer users via a drive-by vulnerability on compromised websites.
Victims are suddenly presented with a message that their files have been encrypted and that they will need to pay $120 to regain access to them.
Early investigations indicate that the attacks are delivered using an Adobe PDF exploit, but that hasn’t been confirmed. The attacks affect a wide range of media files, such as .jpeg images and .mpeg audio files, as well as Microsoft Office files. Affected files have their names changed to include a new suffix called .ENCODED.
The attack, which Sophos has identified as Troj/Ransom-U, changes the user’s Windows desktop wallpaper to deliver the first part of the ransom message, which tells the user their files have been encrypted. It adds that they must act quickly to get their files decrypted, and must not tell anyone about the attack.
According to Cluley:
Of course, we don’t recommend paying money to ransomware extortionists. There’s nothing to say that they won’t simply raise their ransom demands even higher once they discover you are prepared to pay up.
The actual ransom note, contained in a .txt file warns that the files will deleted if the ransom is not paid quickly. “We can help to solve this task for $120 via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring [sic] your message and nothing will be done,” it adds.
The user is asked to send the money and an email containing a fingerprint hex-string, which Sophos suggests is the encryption key used. Whether the decryption actually takes place after payment has not been tested.