New Trojans: give us $300, or the data gets it!
The Wayback Machine - https://web.archive.org/web/20110912140908/http://arstechnica.com:80/security/news/2007/07/new-trojans-give-us-300-or-the-data-gets-it.ars


There's a new breed of ransomware in town, and it raises the stakes compared to previous viruses of this sort. Both Sinowal.FY and Gpcode.ai have been identified by security companies PandaLabs and Kaspersky Lab as malicious strains of older Trojans that encrypt users' files so that they can no longer be accessed. The Trojan then plants a readme.txt where users will find it, and inside, demands $300 in order to decrypt the files.

The ransom note tells the user in broken English that the files have been encrypted using RSA-4096 and that unless cold, hard cash is forked over within a period of time, the content of the files will be shared with the world and then deleted. However, PandaLabs says that these are empty threats—the files merely remain encrypted on the user's computer. Not only that, but Kaspersky Lab analyst Aleks Gostev claims that the Trojan actually has a limited shelf life of between July 10 and July 15 (for reasons only the Trojan-writers understand). He also points out on his personal blog that the Trojan-writers' claim of having used an RSA-based algorithm is false: "[T]here's no sign of RSA-4096," Gostev writes.

PandaLabs points out that this is not the first time such a Trojan has made the rounds, citing PGPCoder as having a "long record on the ransomware scene." Ransom.A is another Trojan that presented the user with both a shorter time frame and a significantly lower bounty—a file was to be deleted every 30 minutes unless the user paid the ransom of $10.99. Finally, Arhiveus.A also encrypted user files, but instead of demanding money it demanded that the user purchase products from an online drug store.

There appears to be no information available regarding what happens when the user attempts to contact the address in the e-mail or whether the alleged decrypting software actually does the job it's supposed to do. Gostev places a strong warning on his blog, however, saying that if you find yourself infected with Sinowal.FY, Gpcode.ai, or any other type of ransomware, do not pay up "under any circumstances." It also doesn't appear as if there is currently any antivirus solution that can help decrypt the files once they are encrypted, although Gostev says that the Kaspersky Lab team is currently working on a decryption routine.

PandaLabs says that in many of the infected machines, ports were open that allowed the computers to act as socket servers for the Trojan, indicating that it spreads through a network instead of via file attachments. Of course, the best answer to ransomware is to have a good preventative solution, else you might find yourself either forking over $300 or restoring your data from backups (and you do have those backups, right?). Users can check to see if their machines are infected by going to InfectedorNot.

The readme.txt reads like this:

Hello, your files are encrypted with RSA-4096 algorithm (http://en.wikipedia.org/wiki/RSA).

You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us.

To decrypt your files you need to buy our software. The price is $300.

To buy our software please contact us at [e-mail address varies] and provide us with your personal code [code varies]. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system.

If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data.

Glamorous team

P.S. All your base... ah, nevermind.
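The two artefacts the article describes, a planted readme.txt and files that are no longer readable because their contents were encrypted, are also the two things a defender can look for on a suspect machine. The script below is an added example, not code from the article, PandaLabs or Kaspersky Lab: it walks a directory, flags any readme.txt containing at least two of the phrases from the ransom note quoted above, and flags files whose byte entropy is close to 8 bits per byte, which is what ciphertext looks like and what ordinary documents do not. The entropy threshold (7.5 bits), the minimum file size and the sample directory it builds are assumptions chosen for the demonstration.

```python
"""Added example: host-side triage for the ransomware behaviour described in the
article (ransom note in readme.txt plus encrypted user files). Not the vendors' code."""
import math
import os
import re
import tempfile
from collections import Counter

# Phrases taken from the ransom note quoted in the article; two hits are required
# so a legitimate readme that merely mentions RSA is not flagged.
NOTE_PATTERNS = [
    re.compile(r"encrypted with RSA-4096", re.I),
    re.compile(r"buy our software", re.I),
    re.compile(r"private information will be shared", re.I),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. English text lands around 4-5; compressed or encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(text: str) -> bool:
    """True when the text matches at least two of the known note phrases."""
    return sum(1 for pattern in NOTE_PATTERNS if pattern.search(text)) >= 2


def triage(root: str, entropy_threshold: float = 7.5, min_size: int = 256) -> dict:
    """Scan a tree and return ransom notes and files whose content looks encrypted.

    Thresholds are assumptions for this demonstration. High entropy is a triage
    signal, not proof: archives, images and legitimately encrypted files also score high.
    """
    notes, high_entropy = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # first 1 MiB is enough to judge entropy
            except OSError:
                continue
            if name.lower() == "readme.txt" and looks_like_ransom_note(
                data.decode("utf-8", "replace")
            ):
                notes.append(path)
            elif len(data) >= min_size and shannon_entropy(data) >= entropy_threshold:
                high_entropy.append(path)
    return {"ransom_notes": notes, "high_entropy_files": high_entropy}


def build_sample_tree() -> str:
    """Constructed sample directory: one ransom note, one plain document, one
    stand-in for an encrypted file (random bytes, since real ciphertext is
    indistinguishable from them for this purpose)."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write(
            "Hello, your files are encrypted with RSA-4096 algorithm.\n"
            "To decrypt your files you need to buy our software. The price is $300.\n"
        )
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("quarterly report draft\n" * 50)
    with open(os.path.join(root, "report.doc"), "wb") as fh:
        fh.write(os.urandom(4096))
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for kind, paths in result.items():
        print(kind)
        for path in paths:
            print("  ", path)
```

Run it as-is and it triages the constructed sample tree; point `triage()` at a real profile directory to use it on a suspect host. The entropy check is a heuristic, so treat its output as a list of files to examine alongside the backup status, not as a verdict.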
