Drive-by ransomware attack demands $120

1 in 30 are hit by CryptoLocker, and 40% pay the ransom

Researchers at SophosLabs are analysing a new ransomware attack that appears to have hit computer users via a drive-by vulnerability on compromised websites.

Malicious hackers are spreading the ransomware, which encrypts media and Office files on victim’s computers, in an attempt to extort $120. In a nutshell – you can’t access your files because the malicious code has encrypted them (in our observations, the whole file isn’t encrypted – just the first 10% or so), and the hackers want you to pay the ransom if you want your valuable data back.

The attack, which Sophos detects as Troj/Ransom-U, changes your Windows desktop wallpaper to deliver the first part of the ransom message.

Ransomware wallpaper

The main ransom demand is contained in a text file:

Ransomware message


All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself - just look for files in all folders.

There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.

We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring your message and nothing will be done.

For details you have to send your request on this e-mail (attach to message a full serial key shown below in this 'how to..' file on desktop): [email address]

The HOW TO DECRYPT FILES.txt file gives an email address to contact if you wish to recover your data. In addition, there is a fingerprint hex-string in the file which changes between successive runs – the message says that victims must quote this string when making contact (presumably it is related to the actual key used for decryption).

Users have reported to us that they have received the attack via a malicious PDF which downloads and installs the ransomware. Sophos detects the PDF as Troj/PDFJS-ML.

Files with the following extensions can be affected: .jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .mdb, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .txt, .pdf, .avi, .flv, .lnk, .bmp, .1cd, .md, .mdf, .dbf, .mdb, .odt, .vob, .ifo, .mpeg, .mpg, .doc, .docx, .xls, and .xlsx. The easiest way to identify files that have been meddled with is that their filenames will have been changed to include the suffix “.ENCODED”.

Of course, we don’t recommend paying money to ransomware extortionists. There’s nothing to say that they won’t simply raise their ransom demands even higher once they discover you are prepared to pay up.

Once again, users who make regular backups of their important data have good reason to pat themselves on the back.