Ransomware Scams Take Your Data Hostage

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Hackers are taking a new much more direct approach to fleece unsuspecting Internet users: extortion.

According to security software vendor Sophos, malware authors have compromised a number of websites with ransomware -- essentially a Trojan that encrypts media and Microsoft Office files -- that makes it impossible for infected users to access their Word, Excel and other files.

The attack, which Sophos has identified as Troj/Ransom-U, lets users know they've been had by changing their Windows desktop wallpaper to a crude ransom note advising victims to wire $120 to an account under their control and to keep quiet about the attack if they ever want their files, including photos and videos, to be unlocked.

"All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024," the ransom note reads. "The original files are deleted. You can check this by yourself - just look for files in all folders."

"There is no possibility to decrypt these files without a special decrypt program," it adds. "Nobody can help you - even don't try to find another method or tell anybody."

Sophos security researchers said the encryption malware scam, which preys on many of the same user vulnerabilities and fears as scareware and bogus antivirus software scams, only encrypts about the first 10 percent of any compromised file.

Thus far, victims have told Sophos researchers that they initially received the attack from a malicious PDF which downloads and installs the ransomware. Sophos identified the offending PDF as Troj/PDFJS-ML.

Files that can be usurped and encrypted by the Trojan include: .jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .mdb, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .txt, .pdf, .avi, .flv, .lnk, .bmp, .1cd, .md, .mdf, .dbf, .mdb, .odt, .vob, .ifo, .mpeg, .mpg, .doc, .docx, .xls, and .xlsx.

"Of course, we don't recommend paying money to ransomware extortionists," Graham Cluley, a Sophos security analyst wrote in the advisory. "There's nothing to say that they won't simply raise their ransom demands even higher once they discover you are prepared to pay up."

"Once again, users who make regular backups of their important data have good reason to pat themselves on the back," he added.

Larry Barrett is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.

Keep up-to-date on desktop security issues; follow eSecurityPlanet on Twitter @eSecurityP.