Drive-by ransomware attack demands $120

Filed Under: Malware, PDF, Ransomware

Researchers at SophosLabs are analysing a new ransomware attack that appears to have hit computer users via a drive-by vulnerability on compromised websites.

Malicious hackers are spreading the ransomware, which encrypts media and Office files on victim's computers, in an attempt to extort $120. In a nutshell - you can't access your files because the malicious code has encrypted them (in our observations, the whole file isn't encrypted - just the first 10% or so), and the hackers want you to pay the ransom if you want your valuable data back.

The attack, which Sophos detects as Troj/Ransom-U, changes your Windows desktop wallpaper to deliver the first part of the ransom message.

Ransomware wallpaper

The main ransom demand is contained in a text file:

Ransomware message


All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself - just look for files in all folders.

There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.

We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring your message and nothing will be done.

For details you have to send your request on this e-mail (attach to message a full serial key shown below in this 'how to..' file on desktop): [email address]

The HOW TO DECRYPT FILES.txt file gives an email address to contact if you wish to recover your data. In addition, there is a fingerprint hex-string in the file which changes between successive runs - the message says that victims must quote this string when making contact (presumably it is related to the actual key used for decryption).

Users have reported to us that they have received the attack via a malicious PDF which downloads and installs the ransomware. Sophos detects the PDF as Troj/PDFJS-ML.

Files with the following extensions can be affected: .jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .mdb, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .txt, .pdf, .avi, .flv, .lnk, .bmp, .1cd, .md, .mdf, .dbf, .mdb, .odt, .vob, .ifo, .mpeg, .mpg, .doc, .docx, .xls, and .xlsx. The easiest way to identify files that have been meddled with is that their filenames will have been changed to include the suffix ".ENCODED".

Of course, we don't recommend paying money to ransomware extortionists. There's nothing to say that they won't simply raise their ransom demands even higher once they discover you are prepared to pay up.

Once again, users who make regular backups of their important data have good reason to pat themselves on the back.

, ,

You might like

27 Responses to Drive-by ransomware attack demands $120

  1. sharon_elin · 1778 days ago

    Thank you for the reminder to back up data regularly! Am I correct to assume that a good antivirus program will block this type of program from accessing my files?

  2. Leo · 1777 days ago


    Will Kapersky Lab protect against this type of attack?

    Please advise as this had happened to me today and I have to re install my desktop parallels on my imac for windows to be re installed.

    Please advise if Kapersky Lab is sufficient in blocking this type of attack so I can prevent it from happening in the future.



  3. Bart · 1777 days ago

    So they REALLY encrypt your files, or is it just a plain old scam?

  4. Your files do end up encrypted - at least, part of them is encrypted.. which makes them next to useless.

  5. Jeff · 1777 days ago

    Sophos detected Troj/PDFJs-ML. I cleaned it, but am still having problems. My symptoms are IE opens, but will only let me go to a website wanting me to buy antivirus protection. My files are not encrypted. I can run IE normally from the admin account, but my normal user account is messed up. Can SOPHOS get rid of this? I also ran a windows malicious software removal tool, but no files were flagged as infected. Thanks, Jeff

  6. Andre · 1777 days ago

    How would having a backup help you? Why would the trojan spare files on an external drive?

    • Daniel · 1777 days ago

      You could actually read the message, a backup helps, but offcourse after you've made your backup, you should remove the backupdevice, so it's not affected by harm pointed at your PC..

    • Squirrel Solutions · 1777 days ago

      The idea of a backup is that it is kept separate from the computer so any infection on the computer can't get at the backed up files. A copy of the files on another drive attached to the computer isn't really a backup.

      • Andre · 1774 days ago

        You really think those malware developers have no idea how to access the tape interface or deselect a file in your online backup set or how to make their software wait until you either connect your backup device or until the file is purged from the online server?

        • Chris · 1774 days ago

          Sure that is very possible, but I don't think this virus is that sophisticated. It seems once your files are encrypted, the virus deletes it self. About 80% of my files were affected before I shut my computer down, and since then no more of my files have been encrypted. I think the worst has been done, I'm just waiting for someone to crack the code and post the solution so that I can decrypt my files....

  7. Dan Turner · 1776 days ago

    I have known 2 people have this, this week and this is the only news article on Google, are other antivirus manufacturers aware of it?

  8. Sean · 1776 days ago

    I had the same situation, does anyone have a recommendation how to solve this?

  9. I have a customer that has been affected by this, but I have been unable to locate the virus itself on their hard drive. I am using the latest Sophos linux version (so I don't get infected by it ;) ) and I can see all the .ENCODED files, but the actual virus is eluding me. Any pointers?

  10. Apple Diaz · 1775 days ago

    do you have the decryptor or fixtool of the encrypted files? i am infected with this virus

  11. Robert · 1774 days ago

    I sent an email to the perpetrators and got an email response telling me where to wire funds, asking it to be directly wired from a personal account. It makes me believe the idea is to have access to bank accounts. Still waiting to hear a response if it is acceptable to send funds from a neutral, third party source. Question is--does this involve trying to accumulate $120 from as many sources as possible or is it really to get account information?

    • Chris · 1774 days ago

      Hey Robert, I'm in the same boat as you. DO NOT SEND FUNDS! They will not tell you how to decrypt the files, and you will be out $120 at the very least. MOst likely we are totally scr**ed. All we can hope for is someone to find a way to crack the code and write a program that decrypts the files and then posts it for everyone else. I've searched and seen some similar viruses in the past that have been cracked. It seems this current virus is new, around Nov 26 as the first reports. So all we can do is wait and hope.

    • John · 1758 days ago

      I'd think that it's mainly about the money; if it were to gain access to account information, they'd make the amount required smaller to increase the number of people willing to pay. That said, having access to the bank accounts of the people who do pay could be considered an added bonus.

  12. Guest · 1774 days ago

    "... appears to have hit computer users via a drive-by vulnerability on compromised websites" - what is this analysis based on, and is it known how does visiting those sites affect files on the user's computer?

    • caroletheriault · 1773 days ago

      The drive-by assumption is based on our visibility into Troj/PDFJS-ML detections. Also seeing these malicious PDFs used for other malware as well, not just this ransom Trojan. (Probably kit-based, so other attacks using the same kit will use similar PDFs.)

  13. speleojazzer · 1774 days ago

    Interesting how this thread has developed. Rather more pertinent I feel is :
    (1) Presumably there is a source implicated where these offending PDFs were picked up from. How do we avoid straying into this dodgy territory ?
    (2) Given that this is criminal behaviour, how come the receiving bank accounts have not been traced and the perpetrators prosecuted ?

  14. James · 1773 days ago

    We got hit and the PDF came from sec-new-updts-ru

    • IdentityTheftCouncil · 1773 days ago

      Probably because (a) they're pretty good at hiding their tracks, and (b) they're pretty good at hiding their tracks.

      Still very easy to hack a site and upload some code. Almost as easy to move money through international accounts without leaving a useful trace.

      This type of attack is nothing new. What's most worrisome is the trend - increasingly easy to deliver malicious payloads through poorly protected sites, and increasingly creative and brazen crooks.

      And when law enforcement has largely given up on this kind of crime, just expect more of the same.

      Good reporting, Sophos, as usual.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley