There's a new breed of ransomware in town, and it raises the stakes compared to previous viruses of this sort. Both Sinowal.FY and Gpcode.ai have been identified by security companies PandaLabs and Kaspersky Lab as malicious strains of older Trojans that encrypt users' files so that they can no longer be accessed. The Trojan then plants a readme.txt where users will find it, and inside, demands $300 in order to decrypt the files.
The ransom note tells the user in broken English that the files have been
encrypted using RSA-4096 and
that unless cold, hard cash is forked over within a period of time, the content
of the files will be shared with the world and then deleted. However, PandaLabs
says that these are empty threats—the files merely remain encrypted
on the user's computer. Not only that, but Kaspersky Lab analyst Aleks Gostev claims that the Trojan actually has a limited shelf life of between July 10 and July 15 (for reasons only the Trojan-writers understand). He also points out on his personal blog that the Trojan-writers' claim of having used an RSA-based algorithm is false: "[T]here's no sign of RSA-4096," Gostev writes.
PandaLabs points out that this is not the first time such a Trojan has made
the rounds, citing PGPCoder as having a "long record on the ransomware
scene." Ransom.A is another Trojan that presented to the user both a
shorter time frame and a significantly lower bounty—a file was to be
deleted every 30 minutes unless the user paid up the ransom of $10.99. Finally,
Arhiveus.A also encrypted user files, but instead of demanding money, it demanded that the user purchase products from an online drug store.
There appears to be no information available regarding what happens when
the user attempts to contact the address in the e-mail or whether the alleged
decrypting software actually does the job it's supposed to do. Gostev places
a strong warning on his blog, however, saying that if you find yourself infected
with Sinowal.FY, Gpcode.ai, or any other type of ransomware, do not pay up
"under any circumstances." It also doesn't appear as if there is
currently any antivirus solution that can help decrypt the files once they
are encrypted, although Gostev says that the Kaspersky Lab team is currently
working on a decryption routine.
PandaLabs says that in many of the infected machines, ports were open that
allowed the computers to act as socket servers for the Trojan, indicating
that it spreads through a network instead of via file attachments. Of course,
the best answer to ransomware is to have a good preventative solution, else you might find yourself either forking over $300 or restoring your data from backups (and you do have those backups, right?). Users can check to see if their machines are infected by going to InfectedorNot.
The readme.txt reads like this:
Hello, your files are encrypted with RSA-4096 algorithm (http://en.wikipedia.org/wiki/RSA).
You will need at least few years to decrypt these files without our software.
All your private information for last 3 months were collected and sent to
us.
To decrypt your files you need to buy our software. The price is $300.
To buy our software please contact us at [e-mail address varies] and provide
us with your personal code [code varies]. After successful purchase we will
send your decrypting tool, and your private information will be deleted
from our system.
If you will not contact us until 07/15/2007 your private information will
be shared and you will lost all your data.
Glamorous team
P.S. All your base... ah, nevermind.