Ransomware encrypts files claiming SOPA piracy charges

The latest iteration of ransomware proclaims to be from the “Stop Online Piracy Automatic Protection System”.

SOPA warning from Reveton ransomware

SOPA, you might recall, was a controversial US law that was widely opposed by internet users earlier this year. It never became law.

It goes on to tell you that your computer is on a “S.O.P.A. IP Black List” because it was used to download copyright infringing materials, child pornography or illegal software.

The malware encrypts all of your data files and holds them hostage, offering to decrypt them if you pay a fee to the criminals.

As we saw before they are asking for $200 in fines that can be paid by MoneyPak. Green Dot MoneyPak is a cash equivalent prepaid card available at many popular US retailers.

MoneyPak warningFraud using MoneyPak has become enough of a problem that the company has posted a prominent warning to victims urging them not to send payments to any company not on MoneyPak’s approved list.

For some reason Americans and Canadians get a discount as they are requesting 200 Euros for victims outside North America.

The usual 72 hour warning is present, letting you know that if you don’t pay up within 3 days they will delete all of your precious data.

One thing I hadn’t seen before is a decryption test service. If you are willing to mail off one of your encrypted documents with your unique ID number the criminals will decrypt it for you to demonstrate they do in fact possess the keys.

If you end up infected by this, I would strongly urge you not to give in to the criminals demands. The best course of action is to restore from a backup to a nice clean system and be sure to apply all patches and security precautions.

As the number of ransomware cases continues to increase we are seeing new social engineering techniques being used to convince victims to pay up or lose everything.

My colleague Paul Ducklin has written about ransomware families like the FBI-spoofing Reveton before, even producing a video demonstrating how ransomware works.

(Enjoy this video? Check out more on the SophosLabs YouTube channel.)