Ransomware Demands EUR50 after Blocking Files from Access

One fresh strain of ransomware is in circulation affecting Russia and countries of Western Europe. Many anti-virus firms are cautioning about this malware that demands a ransom of EUR50 for retrieving encrypted files, published PC Magazine on April 13, 2012.

Security researchers from Dr. Web, F-Secure and BitDefender almost simultaneously encountered the highly malicious program, which pretends to precaution the victim via pointing out the supposed "illegal programs" he's using.

BitDefender, during its research, discovered scareware, which it recognized as Trojan.Ransom.HM reportedly troubling file-sharing P2P computers, which frequently host counterfeit editions of movie, music as well as other files. Once the ransom Trojan encrypts specific files other than executables on the target computer, it tells the user that there are unlicensed software applications on his system while tries to extort money through a coding procedure by asking him to inform the code via one given Gmail address.

And soon as Trojan.Ransom.HM contaminates the victim's computer, the encryption process starts of the music, movie, shortcut, image, PDF, html and text files via extending the existing, legitimate filenames with an additional .EnCiPhErEd. The malware then alters all files' default icons that have been customized to one very familiar icon in pink.

Thereafter, F-Secure also states that the malware adds one text file with the subject "HOW TO DECRYPT files.txt" into every files of the folder that has been encoded. This text file asks for a voucher-code, worth EURO 50 through PaySafeCard/Ukash, to be dispatched at a given e-mail address so that the victimized's computer-owner may get the decryption key for unlocking his files. In favor of this amount, a victim receives a code for all the infected files. It is required to enter the code in one of the pest shown in the input mask after completing five failed attempts for deleting the files.

The encryption, which the new ransomware uses, isn't so complex compared to those of many others like Gpcode. Currently, it's being investigated to crack the new ransomware's encrypting code.

The Trojan, moreover for its text, uses English, although infections have been documented within Germany, Norway, Poland, Spain, Bulgaria, Austria, Italy etc. in addition to England. Initial demands for ransom during April 9-10, 2012 were made off non-Russian victims via the Trojan.Encoder.94 ransomware, says security research company Dr. Web.

However, according to Dr. Web, the harm by the Trojan.Encoder.94 can be countered if end-users maintain a file backup system.

Related article: Ransomware Trojan Asks for $300 for Giving User Data Back

» SPAMfighter News - 4/23/2012