Ransomware encrypts files claiming SOPA piracy charges

Filed Under: Data loss, Featured, Ransomware

The latest iteration of ransomware proclaims to be from the "Stop Online Piracy Automatic Protection System".

SOPA warning from Reveton ransomware

SOPA, you might recall, was a controversial US law that was widely opposed by internet users earlier this year. It never became law.

It goes on to tell you that your computer is on a "S.O.P.A. IP Black List" because it was used to download copyright infringing materials, child pornography or illegal software.

The malware encrypts all of your data files and holds them hostage, offering to decrypt them if you pay a fee to the criminals.

As we saw before they are asking for $200 in fines that can be paid by MoneyPak. Green Dot MoneyPak is a cash equivalent prepaid card available at many popular US retailers.

MoneyPak warningFraud using MoneyPak has become enough of a problem that the company has posted a prominent warning to victims urging them not to send payments to any company not on MoneyPak's approved list.

For some reason Americans and Canadians get a discount as they are requesting 200 Euros for victims outside North America.

The usual 72 hour warning is present, letting you know that if you don't pay up within 3 days they will delete all of your precious data.

One thing I hadn't seen before is a decryption test service. If you are willing to mail off one of your encrypted documents with your unique ID number the criminals will decrypt it for you to demonstrate they do in fact possess the keys.

If you end up infected by this, I would strongly urge you not to give in to the criminals demands. The best course of action is to restore from a backup to a nice clean system and be sure to apply all patches and security precautions.

As the number of ransomware cases continues to increase we are seeing new social engineering techniques being used to convince victims to pay up or lose everything.

My colleague Paul Ducklin has written about ransomware families like the FBI-spoofing Reveton before, even producing a video demonstrating how ransomware works.

(Enjoy this video? Check out more on the SophosLabs YouTube channel.)

, , ,

You might like

11 Responses to Ransomware encrypts files claiming SOPA piracy charges

  1. Julian O'Brien · 1059 days ago

    In Australia, we lost all our dental data after a demand of $3000... yes, three thousand!
    Dr Julian

  2. dontask · 1059 days ago

    Do you protect against this? Normally you name what the sophos virus name is.

  3. Nik · 1058 days ago


    Its amazing to see how creative malicious individuals can become when it comes to use social engineering for financial gain.

    I have been doing some research on a related area, Active Directory Privilege Escalation, which together with social engineering could be used to gain administrative access over corporations and organizations.

    It seems that basic computing awareness policies aimed at helping end users detect and avoid social engineering attacks could help thwart such attacks.

    Thanks for sharing - very interesting.

  4. Trent · 1058 days ago

    I'm not sure if this post will be allowed since I'm mentioning I use Norton.

    I have Norton Internet Security installed on this pc & the Norton/Symantec forum is very busy with new postings of this "moneypac" issue on their computers.

    Also the forums have been very active with postings of "Trojan gen.2 and zeroaccess infection". From what I've been reading in the posts, Norton can't stay ahead of the infections from the last two, due to the bad guys constantly making new variations.

    Does Sophos do a better job at preventing infections from these nasties or do all anti-virus, internet suites, lag behind the bad guys?
    I know no "security suite" is going to be 100% effective every day, but I'm starting to feel like we're in a time the bad guys are winning in critical areas.

    • Trent · 1057 days ago

      Never mind, after some reading I've found zeroaccess or variations actually install right into critical system files, make registry changes etc. And no security suite is going to remove critical boot files etc in order to clean the system only to leave it unbootable.

      It seems p2p downloads, java, flash, drive-by infections, twitter, links in email, pdf etc appear to be some of the ways these variations are getting in.

      And some of the infected websites are not what the average person would ever think would be risky.

  5. Tee · 1057 days ago

    Well, if nothing else, I can now take solace in the fact I've signed up "unlock@sopasystem.com" to a hell of a lot of spam

    • Graham · 1057 days ago

      Doubt it'll do any good, since the DNS now points to - looks like someone did us a favour and blackholed the domain.

  6. Graham · 1057 days ago

    It'd be interesting to see an analysis of how the "encryption" works, considering it's often something as dumb as an xor of the first 64 bytes of the file with a hard-coded or generated value. If so, it should be trivial to write a tool (or script) that fixes the problem.

  7. Graham · 1057 days ago

    Oh, and for funsies, here's the DNS registration information for that domain:

    +86.5922577888 fax: +86.5922577111
    No. 61 Wanghai Road Xiamen Software Park
    xiamen fujian 361008

    Likely fake, but always interesting to see :)

  8. njorl · 1056 days ago

    If you've been hit by this, perhaps the Previous Versions feature (if your version of Windows has it) will enable you to retrieve the unencrypted data - after you've removed the malware.

    Otherwise, this manner of threat seems a good prompt to consider subscribing to a version-controlled cloud syncing service. (More radically: https://nakedsecurity.sophos.com/2012/10/03/callin...

  9. ryan · 1034 days ago

    Okay whoever is doing this is getting very nasty and very dangerous.Hope the FBI or other authorities catch them and give them a nice,long stay in a Federal Prison for committing these malicous and illegal activities.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.