The latest iteration of ransomware proclaims to be from the “Stop Online Piracy Automatic Protection System”.
SOPA, you might recall, was a controversial US law that was widely opposed by internet users earlier this year. It never became law.
It goes on to tell you that your computer is on a “S.O.P.A. IP Black List” because it was used to download copyright infringing materials, child pornography or illegal software.
The malware encrypts all of your data files and holds them hostage, offering to decrypt them if you pay a fee to the criminals.
As we saw before, they are asking for $200 in fines that can be paid by MoneyPak. Green Dot MoneyPak is a cash-equivalent prepaid card available at many popular US retailers.
Fraud using MoneyPak has become enough of a problem that the company has posted a prominent warning to victims urging them not to send payments to any company not on MoneyPak’s approved list.
For some reason, Americans and Canadians get a discount: the criminals are requesting 200 euros from victims outside North America.
The usual 72-hour warning is present, letting you know that if you don't pay up within 3 days they will delete all of your precious data.
One thing I hadn’t seen before is a decryption test service. If you are willing to mail off one of your encrypted documents with your unique ID number the criminals will decrypt it for you to demonstrate they do in fact possess the keys.
If you end up infected by this, I would strongly urge you not to give in to the criminals' demands. The best course of action is to restore from a backup to a nice clean system and be sure to apply all patches and security precautions.
As the number of ransomware cases continues to increase we are seeing new social engineering techniques being used to convince victims to pay up or lose everything.
My colleague Paul Ducklin has written about ransomware families like the FBI-spoofing Reveton before, even producing a video demonstrating how ransomware works.
(Enjoy this video? Check out more on the SophosLabs YouTube channel.)
In Australia, we lost all our dental data after a demand of $3000… yes, three thousand!
Dr Julian
Do you protect against this? Normally you name what the Sophos virus name is.
Chester,
It's amazing to see how creative malicious individuals can become when it comes to using social engineering for financial gain.
I have been doing some research on a related area, Active Directory Privilege Escalation, which together with social engineering could be used to gain administrative access over corporations and organizations.
It seems that basic computing awareness policies aimed at helping end users detect and avoid social engineering attacks could help thwart such attacks.
Thanks for sharing – very interesting.
I'm not sure if this post will be allowed since I'm mentioning I use Norton.
I have Norton Internet Security installed on this PC & the Norton/Symantec forum is very busy with new postings of this "moneypac" issue on their computers.
Also the forums have been very active with postings of "Trojan gen.2 and zeroaccess infection". From what I've been reading in the posts, Norton can't stay ahead of the infections from the last two, due to the bad guys constantly making new variations.
Does Sophos do a better job at preventing infections from these nasties or do all anti-virus, internet suites, lag behind the bad guys?
I know no "security suite" is going to be 100% effective every day, but I'm starting to feel like we're in a time the bad guys are winning in critical areas.
Never mind, after some reading I've found zeroaccess or variations actually install right into critical system files, make registry changes etc. And no security suite is going to remove critical boot files etc in order to clean the system only to leave it unbootable.
It seems p2p downloads, java, flash, drive-by infections, twitter, links in email, pdf etc appear to be some of the ways these variations are getting in.
And some of the infected websites are not what the average person would ever think would be risky.
Well, if nothing else, I can now take solace in the fact I've signed up "unlock@sopasystem.com" to a hell of a lot of spam.
Doubt it'll do any good, since the DNS now points to 127.0.0.1 – looks like someone did us a favour and blackholed the domain.
It'd be interesting to see an analysis of how the "encryption" works, considering it's often something as dumb as an xor of the first 64 bytes of the file with a hard-coded or generated value. If so, it should be trivial to write a tool (or script) that fixes the problem.
Oh, and for funsies, here's the DNS registration information for that domain:
+86.5922577888 fax: +86.5922577111
No. 61 Wanghai Road Xiamen Software Park
xiamen fujian 361008
cn
Likely fake, but always interesting to see 🙂
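The comment above speculates that the "encryption" may be nothing more than an XOR of the first 64 bytes of each file with a hard-coded or generated value. The following is an added example, not code from the post, from Sophos, or an analysis of this particular malware: it simulates that hypothesised scheme with a constructed key and shows why such a scheme gives an incident responder a way back in. Because XOR leaks the key wherever the plaintext is known, the real magic bytes of common file formats recover the leading key bytes, and a single file that survived unencrypted elsewhere (a copy in e-mail or on a USB stick) recovers the whole key for every other file. The scheme, the prefix length, the key and the sample files are all assumptions.

```python
"""Known-plaintext key recovery for a hypothetical "XOR the first N bytes" scheme.

Constructed demonstration: the scheme, PREFIX_LEN, SAMPLE_KEY and the sample
files are assumptions, not findings about the SOPA ransomware in the post.
"""

PREFIX_LEN = 64  # assumed: only the first 64 bytes of each file are scrambled


def xor_prefix(data: bytes, key: bytes, prefix_len: int = PREFIX_LEN) -> bytes:
    """Simulate the hypothesised scheme: XOR the first prefix_len bytes with a
    repeating key. XOR is its own inverse, so this both scrambles and restores."""
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:prefix_len]))
    return head + data[prefix_len:]


# Real leading bytes of common document formats; they serve as known plaintext.
KNOWN_HEADERS = {
    "png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR",  # signature + IHDR chunk header
    "pdf": b"%PDF-1.",
    "zip": b"PK\x03\x04",  # also .docx/.xlsx/.odt containers
    "jpeg": b"\xff\xd8\xff",
}


def key_fragment(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Key bytes recoverable from a ciphertext/plaintext pair: k[i] = c[i] ^ p[i]."""
    return bytes(c ^ p for c, p in zip(ciphertext, plaintext))


def recover_key_from_reference(encrypted: bytes, original: bytes, key_len: int) -> bytes:
    """If any one file survived unencrypted (a copy in e-mail, on a USB stick,
    in a backup), one pair yields the whole key when both are >= key_len bytes."""
    if min(len(encrypted), len(original)) < key_len:
        raise ValueError("reference file too short to recover the whole key")
    return key_fragment(encrypted, original)[:key_len]


def recover_key_from_magic(encrypted: bytes, fmt: str, key_len: int) -> tuple[bytes, int]:
    """Without a reference file, known magic bytes recover only the leading key
    bytes. Returns (partial_key, number_of_key_bytes_recovered): a short
    repeating key is fully recovered, a 64-byte key only partially."""
    frag = key_fragment(encrypted, KNOWN_HEADERS[fmt])
    return frag[:key_len], min(len(frag), key_len)


# Constructed samples: a 64-byte key and two small "documents" (assumptions).
SAMPLE_KEY = bytes((i * 37 + 11) & 0xFF for i in range(PREFIX_LEN))
SAMPLE_PDF = (b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              + b"x" * 100)
SAMPLE_PNG = KNOWN_HEADERS["png"] + bytes(13) + b"\x00" * 60


def demo() -> dict:
    """Run both recovery paths and report what each one gets back."""
    enc_pdf = xor_prefix(SAMPLE_PDF, SAMPLE_KEY)
    # Path 1: magic bytes alone recover only len(b"%PDF-1.") = 7 key bytes.
    partial, n_known = recover_key_from_magic(enc_pdf, "pdf", PREFIX_LEN)
    # Path 2: one surviving original recovers all 64 key bytes, restoring every file.
    full_key = recover_key_from_reference(enc_pdf, SAMPLE_PDF, PREFIX_LEN)
    restored = xor_prefix(enc_pdf, full_key)
    return {"partial_bytes": n_known, "partial_ok": partial == SAMPLE_KEY[:n_known],
            "full_key_ok": full_key == SAMPLE_KEY, "restored_ok": restored == SAMPLE_PDF}


if __name__ == "__main__":
    print(demo())
```

The asymmetry in `demo()` is the practical point: with a 64-byte key, format magic alone only fixes the first handful of bytes of each file, but because the same key is reused across files, one clean reference copy of any file turns that into full recovery. With a short repeating key (the "dumb" case the comment describes), the magic bytes alone are enough.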
If you've been hit by this, perhaps the Previous Versions feature (if your version of Windows has it) will enable you to retrieve the unencrypted data – after you've removed the malware.
Otherwise, this manner of threat seems a good prompt to consider subscribing to a version-controlled cloud syncing service. (More radically: http://nakedsecurity.sophos.com/2012/10/03/callin…
Okay, whoever is doing this is getting very nasty and very dangerous. Hope the FBI or other authorities catch them and give them a nice, long stay in a Federal Prison for committing these malicious and illegal activities.