From scareware to ransomware
FireEye, a malware specialist, reports that Vundo, which makes fake antivirus programs (scareware), has now started a new scam. Vundo is no longer merely alarming users with bogus warnings that their PCs have been infected to con them into buying largely useless scanning software. Its latest attacks (ransomware) encrypt all of the files (.pdf, .doc, .jpg and others) on a user's PC and then report that those files contain garbled data.
System messages are sent to con the user into coughing up €50 for the full version of a "repair tool", FileFix Pro 2009. In contrast to scareware, which normally only pretends there's a problem, users are left little option, because all of their files have genuinely been encrypted – although only with a simple algorithm. FireEye doesn't say how the ransomware gets onto the computers, but it probably needs a little help from the user.
FireEye has investigated the algorithm and found that the key apparently consists of only four characters, stored at the end of each encrypted file. FireEye is providing a free Perl script and a web page implementation of the script for decryption of scrambled files. This case is similar to GPcode, a Trojan that appeared in the middle of last year, encrypting files using RSA (the Rivest, Shamir and Adleman algorithm) with a 4096-bit key.
GPcode's authors demanded that their victims shell out $300 to get their files restored. Fortunately, it was possible to reconstruct the data at a lower cost, even without the key, because GPcode wrote the encrypted version of a document into a new file and then "deleted" the original one. Since Windows only deletes a file's directory reference, not the data itself, the originals could be successfully recovered.
- New tool for GPcode trojan victims from Kaspersky, a report from The H.
- This Trojan encrypts data with RSA-4096 -- really?, a report from The H.