New wave of ransomware hits PCs
Russians demand $300 for file decryption key.
By Gregg Keizer, Computerworld | Computerworld UK | Published: 04:30, 17 July 2007
Ransomware last seen in 2006 has reappeared to encrypt files and extort $300 from its victims, according to a Russian security researcher.
GpCode, a Trojan program which last appeared in the wild last summer, has popped up again, said Aleks Gostev, senior virus analyst with Moscow-based Kaspersky Lab, in a posting to the research centre's blog.
Noting the long quiet time, Gostev added: "So you can imagine our feelings this weekend, when some of our non-Russian users told us their documents, photos, archive files etc. had turned into a bunch of junk data, and a file called 'read_me.txt' had appeared on their systems."
The text file contained the "ransom" note.
"Hello, your files are encrypted with RSA-4096 algorithm. You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us. To decrypt your files you need to buy our software. The price is $300."
So-called ransomware typically follows the GpCode pattern: malware sneaks onto a PC, encrypts files, and then displays a message demanding money to unlock the data.
Gostev hinted that the blackmailer was likely Russian. "The email address is one that we've seen before in LdPinch and Banker [Trojan horse] variants, programs which were clearly of Russian origin," he said.
The blackmailer's claim that the files were enciphered with RSA-4096 (the RSA algorithm with a 4,096-bit key) is bogus, said Gostev. Another oddity, he added, was that the Trojan has a limited shelf life: from 10 July to 15 July.
"Why? We can only guess," said Gostev.
Kaspersky is working on a decryption scheme to recover the files; that process has been the usual salvation - and solution - for users attacked by ransomware. "[But] we'd just like to remind you, if you've fallen victim to any type of ransomware, you should never pay up under any circumstances.
"Contact your anti-virus provider, and make sure you back up your data on a regular basis."