Latest Ransomware Insists on Decryption Fee After Encrypting Files

According to security researchers at the cyber-security company CA, a newly launched ransomware variant targets widely used file extensions such as .pdf, .jpg, .zip, .txt, .jpeg, .mp3, .rar, .waw, .db, .rtf, .docx, .doc, .xlsx and .xls.

The researchers said that an e-mail message greeted recipients and replaced the background of their desktops. It also encrypted the users' files with the 256-bit Advanced Encryption Standard (AES), leaving them little opportunity to decrypt their locked files unless they had the encryption code. Overall, however, the attack appeared to have been a deception by the cyber criminals: the ransomware variant in effect encrypted the files with the XOR cipher, XOR being a binary operation like AND or OR, the researchers explained.
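Why the difference between AES-256 and XOR matters for recovery, as an added example that is not from CA's analysis or from the malware: with a repeating-key XOR, a known file header is enough to recover the key. The repeating-key scheme, the 4-byte key and the sample file are assumptions constructed for illustration; the article does not describe how Win32/Gpcode.J applies XOR.

```python
from itertools import cycle

# Known plaintext: PDF files start with "%PDF-"; the version suffix here
# is an assumed header for a PDF 1.4 file.
PDF_MAGIC = b"%PDF-1.4\n"

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(ciphertext: bytes, known_prefix: bytes):
    """Return the shortest repeating key consistent with a known file header,
    or None if the key does not repeat at least twice inside that header."""
    # ciphertext XOR plaintext yields the keystream for the known bytes.
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for n in range(1, len(stream) // 2 + 1):  # candidate key lengths
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return None

def recover_file(ciphertext: bytes, known_prefix: bytes = PDF_MAGIC):
    """Decrypt a file once the key has been recovered from its header."""
    key = recover_key(ciphertext, known_prefix)
    return None if key is None else xor_bytes(ciphertext, key)

# Constructed sample data: hypothetical key and file body.
SAMPLE_KEY = bytes.fromhex("1337c0de")
SAMPLE_PLAINTEXT = PDF_MAGIC + b"% constructed sample body\n%%EOF\n"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_key(SAMPLE_CIPHERTEXT, PDF_MAGIC).hex())
    print("recovered file:", recover_file(SAMPLE_CIPHERTEXT))
```

The same known-header approach yields nothing against correctly used AES-256, which is why files locked that way cannot be recovered without the key.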

The ransomware created a file named CryptLogFile.txt within the Windows directory, containing the name of every encrypted file. This .txt file carried a message worded "very bad news" and became visible on the screen immediately after the ransomware had finished encrypting the infected user's files. As per CA, the ransomware has been identified as Win32/Gpcode.J.

Describing Win32/Gpcode.J in detail, the researchers said that it partly employed RSA, with the publicly available key, to lock data files. Following the encryption, the program's author demanded money in exchange for unlocking the locked data files. Thereafter, a file named 'readme.txt' appeared inside the folders containing the encrypted data files; it was written to blackmail the user and extort money.

The malware had been widely spammed across the entire Russian Internet space.

Thus, the researchers advise users to be very careful with suspicious e-mail attachments. Moreover, users should not contact the malware's senders or make any payments to them, because refusing to pay would deter the creation of fresh variants. Even if the malware is unlocked, the fake malware-removal application remains until special security software is installed.

According to the researchers, ransomware is fairly common nowadays, with one already joining well-known delivery mediums like scareware (fake anti-malware programs) and using the efficient SMS micro-payment process.


» SPAMfighter News - 11/6/2009
