Ransomware Scams Take Your Data Hostage
New form of malware encrypts files on a victim's computer and demands they fork over $120 if they ever want to be able to access their Office files again.
Hackers are taking a new, much more direct approach to fleecing unsuspecting Internet users: extortion.
According to security software vendor Sophos, malware authors have compromised a number of websites with ransomware -- essentially a Trojan that encrypts media and Microsoft Office files -- making it impossible for infected users to access their Word, Excel and other files.
The attack, which Sophos has identified as Troj/Ransom-U, lets users know they've been had by changing their Windows desktop wallpaper to a crude ransom note advising victims to wire $120 to an account under the attackers' control, and to keep quiet about the attack, if they ever want their files, including photos and videos, unlocked.
"All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024," the ransom note reads. "The original files are deleted. You can check this by yourself - just look for files in all folders."
"There is no possibility to decrypt these files without a special decrypt program," it adds. "Nobody can help you - even don't try to find another method or tell anybody."
Sophos security researchers said the encryption malware scam, which preys on many of the same user vulnerabilities and fears as scareware and bogus antivirus software scams, encrypts only about the first 10 percent of any compromised file.
Thus far, victims have told Sophos researchers that the attack initially arrived as a malicious PDF that downloads and installs the ransomware. Sophos identified the offending PDF as Troj/PDFJS-ML.
Files that can be targeted and encrypted by the Trojan include: .jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .mdb, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .txt, .pdf, .avi, .flv, .lnk, .bmp, .1cd, .md, .mdf, .dbf, .odt, .vob, .ifo, .mpeg, and .mpg.
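Because Sophos reports that the Trojan encrypts only the first roughly 10 percent of each file, a defender can triage a share or backup set by inspecting just the head of each file with a targeted extension: a file whose first bytes no longer match its format's published signature, or whose head has ciphertext-like entropy where plain text should be, is a candidate for having been hit. The following is an added example, not code from Sophos or from the article; the extension list is the one quoted above, the magic bytes are standard published signatures, and the 1024-byte window and 7.0 bits/byte entropy threshold are assumptions chosen for this demonstration.

```python
import math
import os
import tempfile

HEAD_BYTES = 1024          # assumed window; the Trojan described encrypts the first ~10% of each file
ENTROPY_THRESHOLD = 7.0    # assumed bits-per-byte cutoff; text sits well below, ciphertext near 8

# Extensions named in the Sophos list quoted in the article (duplicates removed).
TARGETED = {
    ".jpg", ".jpeg", ".psd", ".cdr", ".dwg", ".max", ".mov", ".m2v", ".3gp",
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rar", ".zip", ".mdb",
    ".mp3", ".cer", ".p12", ".pfx", ".kwm", ".pwm", ".txt", ".pdf", ".avi",
    ".flv", ".lnk", ".bmp", ".1cd", ".md", ".mdf", ".dbf", ".odt", ".vob",
    ".ifo", ".mpeg", ".mpg",
}

# Standard published file signatures for some of those formats (not from the article).
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"], ".bmp": [b"BM"], ".rar": [b"Rar!\x1a\x07"],
    ".zip": [b"PK\x03\x04"], ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"], ".pptx": [b"PK\x03\x04"],
    ".doc": [OLE2], ".xls": [OLE2], ".ppt": [OLE2],
}

# Formats that are dense by design and have no fixed leading signature checked here:
# their heads look random even when intact, so entropy alone cannot judge them.
DENSE_NO_MAGIC = {".mp3", ".mov", ".m2v", ".3gp", ".avi", ".flv", ".vob",
                  ".mpeg", ".mpg", ".p12", ".pfx", ".cer"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_head(ext: str, head: bytes) -> str:
    """Classify a file head as 'ok', 'suspicious' or 'unknown' based on its extension."""
    ext = ext.lower()
    if ext in MAGIC:
        return "ok" if any(head.startswith(m) for m in MAGIC[ext]) else "suspicious"
    if ext in DENSE_NO_MAGIC:
        return "unknown"          # cannot decide from entropy; needs a format-aware parser
    return "suspicious" if shannon_entropy(head) > ENTROPY_THRESHOLD else "ok"


def scan_tree(root: str) -> list:
    """Return sorted paths under root whose extension is targeted and whose head looks damaged."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext not in TARGETED:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            if assess_head(ext, head) == "suspicious":
                hits.append(path)
    return sorted(hits)


def build_demo(root: str) -> None:
    """Write constructed samples: intact files plus copies whose first 10% is overwritten with random bytes."""
    text = (b"Quarterly notes: backups verified, nothing unusual. " * 400)[:20000]
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x10\x20\x30\x40" * 5000
    samples = {"clean.txt": text, "clean.jpg": jpeg}
    for name, body in list(samples.items()):
        cut = len(body) // 10                       # mimic the ~10% head encryption Sophos describes
        samples["hit" + name[5:]] = os.urandom(cut) + body[cut:]
    samples["song.mp3"] = os.urandom(20000)         # dense by nature; must not be flagged
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)


def demo() -> list:
    """Build the constructed samples in a temp dir and return the base names the scan flags."""
    with tempfile.TemporaryDirectory() as root:
        build_demo(root)
        return [os.path.basename(p) for p in scan_tree(root)]


if __name__ == "__main__":
    print(demo())
```

The scan reads only the first kilobyte of each file, so it is cheap enough to run across a whole share, but it is a triage aid rather than proof: a signature mismatch can also come from a mislabelled extension, and files in the dense-format set are reported as unknown rather than guessed at. Anything flagged should be compared against the last known-good backup, which is the recovery path the article's closing quote points to.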
"Of course, we don't recommend paying money to ransomware extortionists," Graham Cluley, a Sophos security analyst, wrote in the advisory. "There's nothing to say that they won't simply raise their ransom demands even higher once they discover you are prepared to pay up."
"Once again, users who make regular backups of their important data have good reason to pat themselves on the back," he added.
By Lisa Phifer
November 05, 2010