Drive-by ransomware attack demands $120

Filed Under: Malware, PDF, Ransomware

Researchers at SophosLabs are analysing a new ransomware attack that appears to be reaching computer users as a drive-by download from compromised websites.

Malicious hackers are spreading the ransomware, which encrypts media and Office files on victims' computers, in an attempt to extort $120. In a nutshell: you can't access your files because the malicious code has encrypted them (in our observations the whole file isn't encrypted, just the first 10% or so, which is enough to make most formats unreadable), and the hackers want you to pay the ransom if you want your valuable data back.

The attack, which Sophos detects as Troj/Ransom-U, changes your Windows desktop wallpaper to deliver the first part of the ransom message.

Ransomware wallpaper

The main ransom demand is contained in a text file:

Ransomware message

Attention!!!

All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself - just look for files in all folders.

There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.

We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring your message and nothing will be done.

For details you have to send your request on this e-mail (attach to message a full serial key shown below in this 'how to..' file on desktop): [email address]

The HOW TO DECRYPT FILES.txt file gives an email address to contact if you wish to recover your data. It also contains a hex-string "serial key" that differs from one infection to the next; the message tells victims to quote this string when making contact, presumably because it identifies the per-victim key needed for decryption. Take the note's claim of "a very strong cypher RSA-1024" for what it is: the extortionists' own description, not an independently confirmed detail.

Users have reported to us that they have received the attack via a malicious PDF which downloads and installs the ransomware. Sophos detects the PDF as Troj/PDFJS-ML.
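Below is an added triage script, not Sophos's detection logic and not code from the article, showing what a responder can check for in a suspect PDF before opening it: the /OpenAction, /AA, /JS, /JavaScript, /Launch and /EmbeddedFile name tokens that drive-by PDF kits rely on, including when the names are hex-escaped (/J#53 for /JS) or buried inside a Flate-compressed object stream. The sample PDF it builds is constructed for the example, not a captured Troj/PDFJS-ML file, and the token list and verdict rules are the example's own assumptions.

```python
import re
import zlib

# Name tokens that drive-by PDF kits lean on (assumed watch list for this
# example). /OpenAction and /AA fire an action when the file opens, /JS and
# /JavaScript carry the script, /Launch runs an external program and
# /EmbeddedFile can hold a dropper for the script to extract.
CODE_NAMES = ("/JS", "/JavaScript", "/Launch")
TRIGGER_NAMES = ("/OpenAction", "/AA", "/EmbeddedFile")


def normalize_names(data: bytes) -> bytes:
    """Undo the #xx hex escape PDF permits inside name tokens (/J#53 -> /JS),
    a cheap way of hiding keywords from plain string matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the inflated bodies of every stream zlib accepts; streams
    that are not Flate-compressed, or are truncated, are skipped."""
    bodies = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(bodies)


def count_names(data: bytes) -> dict:
    """Count each watched token, requiring a delimiter after it so that /JS
    does not also match an unrelated name such as /JSFoo."""
    hits = {}
    for name in CODE_NAMES + TRIGGER_NAMES:
        pattern = re.escape(name).encode() + rb"(?![A-Za-z0-9])"
        n = len(re.findall(pattern, data))
        if n:
            hits[name] = n
    return hits


def triage_pdf(data: bytes) -> dict:
    """Scan the raw file and its inflated streams (de-escaping names in both)
    and return per-token counts plus a coarse verdict."""
    hits = count_names(normalize_names(data))
    for name, n in count_names(normalize_names(inflate_streams(data))).items():
        hits[name] = hits.get(name, 0) + n
    has_code = any(name in hits for name in CODE_NAMES)
    has_trigger = any(name in hits for name in TRIGGER_NAMES)
    if has_code and has_trigger:
        verdict = "suspicious"        # script plus a way to run it on open
    elif has_code or has_trigger:
        verdict = "review"            # legitimate forms use some of these
    else:
        verdict = "no-active-content"
    return {"hits": hits, "verdict": verdict}


def build_sample_pdf() -> bytes:
    """Constructed sample, not a captured file: the catalog's /OpenAction
    points at object 3, which exists only inside a Flate-compressed object
    stream and spells its /JS key as /J#53."""
    inner = b"3 0 << /S /JavaScript /J#53 (app.alert('constructed sample')) >>"
    packed = zlib.compress(inner)
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
        b"4 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Length "
        + str(len(packed)).encode() + b" /Filter /FlateDecode >>\nstream\n"
        + packed + b"\nendstream\nendobj\n",
    ]
    return b"%PDF-1.5\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def build_benign_pdf() -> bytes:
    """Constructed plain document: one compressed content stream, no actions."""
    packed = zlib.compress(b"BT /F1 12 Tf 72 720 Td (hello) Tj ET")
    return (b"%PDF-1.5\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>\nendobj\n"
            b"4 0 obj\n<< /Length " + str(len(packed)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + packed
            + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for label, pdf in (("sample", build_sample_pdf()), ("benign", build_benign_pdf())):
        print(label, triage_pdf(pdf))
```

Run it directly to print both verdicts. A PDF with a script and an auto-run hook is not automatically malicious (forms and some print workflows use both), which is why the result is a triage verdict rather than a detection; anything rated "suspicious" belongs in a sandbox, not a desktop reader.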

Files with the following extensions can be affected: .jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .mdb, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .txt, .pdf, .avi, .flv, .lnk, .bmp, .1cd, .md, .mdf, .dbf, .odt, .vob, .ifo, .mpeg and .mpg. The easiest way to identify files that have been tampered with is that their names will have been changed to carry the suffix ".ENCODED".
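The following added script, not part of the article, turns the two observations above (the ".ENCODED" suffix and the roughly-10% partial encryption) into a quick triage check for a suspect drive: it walks a directory, picks out files carrying the suffix, and compares the byte entropy of each file's head against the remainder. The 10% split, the 7.0 bits-per-byte threshold and the sample file tree it creates are the example's own assumptions, and the "encrypted" bytes in the sample are a deterministic hash stream standing in for ciphertext, not output of the real malware.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

SUFFIX = ".ENCODED"       # appended by Troj/Ransom-U to every file it touches
HEAD_FRACTION = 0.10      # article: roughly the first 10% of each file is encrypted
RANDOM_THRESHOLD = 7.0    # assumed cut-off in bits/byte; ciphertext sits near 8


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte: 0 for a run of one value, close to 8 for ciphertext."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def classify(data: bytes, head_fraction: float = HEAD_FRACTION) -> str:
    """Compare the entropy of the head the ransomware overwrote with the rest.
    Caveat: formats that are already compressed (.jpg, .mp3, .zip, .rar, .pfx)
    are high-entropy throughout, so for those this test cannot separate
    'partially encrypted' from 'untouched'; only the suffix is evidence."""
    split = max(1, int(len(data) * head_fraction))
    head, tail = shannon_entropy(data[:split]), shannon_entropy(data[split:])
    if head >= RANDOM_THRESHOLD and tail < RANDOM_THRESHOLD:
        return "partially-encrypted"
    if head >= RANDOM_THRESHOLD:
        return "high-entropy-throughout"
    return "plaintext-like"


def scan_for_encoded(root: str) -> dict:
    """Walk a tree, pick out files carrying the suffix and classify each.
    Keys are paths relative to root, with forward slashes."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(SUFFIX):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results[rel] = classify(data)
    return results


def pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 counter stream) standing in
    for ciphertext so the sample tree below is reproducible."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def make_sample_tree() -> str:
    """Constructed victim tree, not real victim data: a document with only its
    first 10% overwritten, an already-compressed image overwritten the same
    way, and an untouched file that never received the suffix."""
    root = tempfile.mkdtemp(prefix="ransom-u-sample-")
    text = b"Quarterly figures, see attached spreadsheet.\n" * 200   # about 9 KB
    cut = len(text) // 10
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "report.doc" + SUFFIX), "wb") as fh:
        fh.write(pseudo_random(cut) + text[cut:])
    with open(os.path.join(root, "photo.jpg" + SUFFIX), "wb") as fh:
        fh.write(pseudo_random(6000, seed=b"jpeg-body"))   # JPEG data is already dense
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(text)
    return root


if __name__ == "__main__":
    for rel, verdict in sorted(scan_for_encoded(make_sample_tree()).items()):
        print(f"{verdict:25s} {rel}")
```

Point scan_for_encoded() at a mounted image of the affected disk to get the same listing for real files. Note the caveat in classify(): several extensions on the list are already high-entropy throughout, so for those the head/tail comparison cannot say how much was overwritten and the suffix is the only signal. For plain documents and databases, a high-entropy head over a plaintext tail is consistent with the behaviour described above and tells you the bulk of the file is still intact, which is worth knowing before you decide what is recoverable.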

Of course, we don't recommend paying money to ransomware extortionists. There's nothing to say that they won't simply raise their ransom demands even higher once they discover you are prepared to pay up.

Once again, users who make regular backups of their important data, and keep those backups somewhere an infected machine cannot reach, have good reason to pat themselves on the back.


27 Responses to Drive-by ransomware attack demands $120

  1. sharon_elin says:

    Thank you for the reminder to back up data regularly! Am I correct to assume that a good antivirus program will block this type of program from accessing my files?

  2. Leo says:

    Hi,

    Will Kaspersky Lab protect against this type of attack?

    Please advise as this had happened to me today and I have to re install my desktop parallels on my imac for windows to be re installed.

    Please advise if Kaspersky Lab is sufficient in blocking this type of attack so I can prevent it from happening in the future.

    Thanks

    Leo

  3. Bart says:

    So they REALLY encrypt your files, or is it just a plain old scam?

  4. Your files do end up encrypted - at least, part of each file is encrypted, which makes them next to useless.

  5. Jeff says:

    Sophos detected Troj/PDFJs-ML. I cleaned it, but am still having problems. My symptoms are IE opens, but will only let me go to a website wanting me to buy antivirus protection. My files are not encrypted. I can run IE normally from the admin account, but my normal user account is messed up. Can SOPHOS get rid of this? I also ran a windows malicious software removal tool, but no files were flagged as infected. Thanks, Jeff

  6. Andre says:

    How would having a backup help you? Why would the trojan spare files on an external drive?

    • Daniel says:

      You could actually read the message: a backup helps, but of course after you've made your backup you should remove the backup device, so it's not affected by harm pointed at your PC.

    • Squirrel Solutions says:

      The idea of a backup is that it is kept separate from the computer so any infection on the computer can't get at the backed up files. A copy of the files on another drive attached to the computer isn't really a backup.

      • Andre says:

        You really think those malware developers have no idea how to access the tape interface or deselect a file in your online backup set or how to make their software wait until you either connect your backup device or until the file is purged from the online server?

        • Chris says:

          Sure that is very possible, but I don't think this virus is that sophisticated. It seems once your files are encrypted, the virus deletes itself. About 80% of my files were affected before I shut my computer down, and since then no more of my files have been encrypted. I think the worst has been done, I'm just waiting for someone to crack the code and post the solution so that I can decrypt my files....

        • Luke says:

          A small piece of unique advice: You Should Have Backed-Up.

  7. Dan Turner says:

    I have known 2 people have this, this week and this is the only news article on Google, are other antivirus manufacturers aware of it?

  8. Sean says:

    I had the same situation, does anyone have a recommendation how to solve this?

  9. @sqsol says:

    I have a customer that has been affected by this, but I have been unable to locate the virus itself on their hard drive. I am using the latest Sophos linux version (so I don't get infected by it ;) ) and I can see all the .ENCODED files, but the actual virus is eluding me. Any pointers?

  10. Apple Diaz says:

    do you have the decryptor or fixtool of the encrypted files? i am infected with this virus

  11. Robert says:

    I sent an email to the perpetrators and got an email response telling me where to wire funds, asking it to be directly wired from a personal account. It makes me believe the idea is to have access to bank accounts. Still waiting to hear a response if it is acceptable to send funds from a neutral, third party source. Question is--does this involve trying to accumulate $120 from as many sources as possible or is it really to get account information?

    • Chris says:

      Hey Robert, I'm in the same boat as you. DO NOT SEND FUNDS! They will not tell you how to decrypt the files, and you will be out $120 at the very least. Most likely we are totally scr**ed. All we can hope for is someone to find a way to crack the code and write a program that decrypts the files and then posts it for everyone else. I've searched and seen some similar viruses in the past that have been cracked. It seems this current virus is new, around Nov 26 as the first reports. So all we can do is wait and hope.

    • John says:

      I'd think that it's mainly about the money; if it were to gain access to account information, they'd make the amount required smaller to increase the number of people willing to pay. That said, having access to the bank accounts of the people who do pay could be considered an added bonus.

  12. Guest says:

    "... appears to have hit computer users via a drive-by vulnerability on compromised websites" - what is this analysis based on, and is it known how visiting those sites affects files on the user's computer?

    • caroletheriault says:

      The drive-by assumption is based on our visibility into Troj/PDFJS-ML detections. Also seeing these malicious PDFs used for other malware as well, not just this ransom Trojan. (Probably kit-based, so other attacks using the same kit will use similar PDFs.)

  13. speleojazzer says:

    Interesting how this thread has developed. Rather more pertinent I feel is:
    (1) Presumably there is a source implicated where these offending PDFs were picked up from. How do we avoid straying into this dodgy territory?
    (2) Given that this is criminal behaviour, how come the receiving bank accounts have not been traced and the perpetrators prosecuted?

  14. James says:

    We got hit and the PDF came from sec-new-updts-ru

    • IdentityTheftCouncil says:

      Probably because (a) they're pretty good at hiding their tracks, and (b) they're pretty good at hiding their tracks.

      Still very easy to hack a site and upload some code. Almost as easy to move money through international accounts without leaving a useful trace.

      This type of attack is nothing new. What's most worrisome is the trend - increasingly easy to deliver malicious payloads through poorly protected sites, and increasingly creative and brazen crooks.

      And when law enforcement has largely given up on this kind of crime, just expect more of the same.

      Good reporting, Sophos, as usual.


About the author

Graham Cluley has worked in the computer security industry for more than 20 years, developing anti-virus software and doing quite a lot of talking about internet threats. He's won awards for his blogging, but is proudest of the text adventure games he wrote when he was still wearing short trousers. You can learn more about those (the games, not the trousers) at grahamcluley.com. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.