Tag Archives: Blackmail

August 8, 2009 · 12:25 pm

Ransomware in Your Browser

image Ransomware, a vicious form of malware, is nothing new. It has been around in one form or another, since the late 1980’s.

Once installed on a victim’s computer, the Trojan will generally encrypt the victim’s files, after which the cyber-criminal demands a monetary ransom to decrypt the kidnapped files.

The ever creative cyber criminal community has now gone one better, with the release of Trojan.Ransompage. This piece of malware is designed to kidnap the victim’s Internet browser, including Internet Explorer, Firefox and Opera.

Note: The latest update of Firefox is apparently unaffected. Another good reason to update.

According to Symantec, Trojan.Ransompage “uses scare or nuisance tactics – similar to rogue antivirus programs, in an attempt to demand ransom from its victims. Once infected with Trojan.Ransompage, a victim’s browser will display a persistent inline ad on every page that the victim visits”.

image

Roughly translated from Russian, the ransom demand reads in part:

To remove the informer, send SMS message with text [5-digit number] to number [4-digit number].
Enter the code, received in response, MC

Affected Systems: Windows 95, 98, NT, 2000, XP, Vista, Server 2003

System Impact:

Deletes Files: Deletes Web Browser files.

Modifies Files: Modifies Web Browser files.

Releases Confidential Info: May send confidential information to a remote location.

Degrades Performance: Displayed image may degrade Web Browser performance.

Action you can take if infected:

According to Symantec, “the ransomware is designed to expire in 30 days, so anyone who falls victim to the infection can remove it simply by setting their system clock forward one month”.

Common sense security precautions:

Make regular backups of critical data. If you are infected this may be your only solution

Don’t store critical data on the system partition

Don’t open unknown email attachments

Don’t run programs of unknown origin

Disable hidden filename extensions

Keep all applications (including your operating system) patched

Turn off your computer or disconnect from the network when not in use

Disable scripting features in email programs

Make a boot disk in case your computer is damaged or compromised

Turn off file and printer sharing on the computer

Install a personal firewall on the computer

Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet

Ensure your anti-virus software scans all e-mail attachments

The authorities need to kick some ass here, and determine who owns the contact phone number and close it down. How hard is that?

If you enjoyed this article, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

8 Comments

Filed under Browsers, Don't Get Scammed, Don't Get Hacked, Firefox, Interconnectivity, Internet Explorer, internet scams, Internet Security Alerts, Malware Advisories, Ransomware, Rogue Software, scareware, Symantec, System Security, trojans, Windows Tips and Tools

Tagged as , , , , , , , , , , , , , , , , , ,

April 24, 2009 · 11:35 am

Show Me the Money – I’ll Show You Your Files (Ransomeware is Back)!

Ransom38 Have you ever considered that your computer files could be a victim of kidnapping, extortion, or blackmail? Hard to believe; right? Well believe it!

Ransomware is a vicious form of malware, given that that it encrypts the victim’s files, after which the cyber-criminal demands a ransom to decrypt the kidnapped files.

Once again ransomware is on the loose; but a little bit different in this iteration. In previous versions of this type of malware, after installation, the victim was informed that the computer’s files had been encrypted and a decrypting tool had to be purchased from the cyber-criminal in order to decrypt the affected files.

According to PandaLabs, they recently discovered a new form of ransomware, Trj/SMSlock.A, which reportedly locks the victim’s entire computer, leaving the machine essentially unusable. In line with previous versions of this type of malware, a ransom, in this case in the form of a premium SMS, is demanded to allow the victim access to the infected machine.

While the original message on an infected computer is in Russian, the following English translation has been provided by Panda.

To unlock you need to send an SMS with the text

4121800286

to the number

3649

Enter the resulting code:

Any attempt to reinstall the system may lead to loss of important information and computer damage.

ransomware

Infection methods: Floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Affected systems: Windows 2003/XP/2000/NT/ME/98/95/3.X

We should not relax our guard on this simply because this malware is currently affecting only Russian users. If previous experience is any indication (and it is), we can expect to see more of this type of malware, in a more general release, through the balance of this year.

In the event that you become infected by this piece of nasty work, check out Dr.Web, where you can obtain a generator for deactivation codes.

Reduce the possibilities of infection by this and other malware, by taking the following precautions:

Don’t open unknown email attachments

Don’t run programs of unknown origin

Disable hidden filename extensions

Keep all applications (including your operating system) patched

Turn off your computer or disconnect from the network when not in use

Disable Java, JavaScript, and ActiveX if possible

Disable scripting features in email programs

Make regular backups of critical data. If you are infected this may be your only solution

Make a boot disk in case your computer is damaged or compromised

Turn off file and printer sharing on the computer

Install a personal firewall on the computer

Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet

Ensure your anti-virus software scans all e-mail attachments

Don’t store critical data on the system partition

For additional information on this type of threat see “Gpcode Trojan Ransomeware Kidnapping Again!”, on this site.

1 Comment

Filed under Don't Get Hacked, Interconnectivity, internet scams, Malware Advisories, Online Safety, Ransomware, System File Protection, System Security, trojans, Viruses, Windows Tips and Tools

Tagged as , , , , , , , , , , , , , , , , ,

December 2, 2008 · 9:32 pm

Gpcode Trojan Ransomeware Kidnapping Again!

Have you ever considered your computer files as a victim of kidnapping, extortion, or blackmail? Hard to believe; right? Well believe it! Ransomware is a vicious form of malware, taking into account that it encrypts the victim’s files, after which the cyber-criminal demands a monetary ransom to decrypt the kidnapped files.

Trend Micro Advanced Threats Researcher, Ivan Macalintal, recently reported that Gpcode ransomware is loose on the Internet once again. Regular readers of this Blog will remember two previous articles in which this virulent malware was discussed.

First encountered two years ago by Kaspersky Lab, Gpcode has undergone several incarnations, with this latest version being identified by Trend Micro as TROJ_RANDSOM.A

Reportedly, Gpcode is now using a 1,024 bit encryption key, as opposed to 660 bits in an early variant. It has been estimated it would require 30 years to break this new encryption key using a brute force attack; trying every possible password.

According to Trend Micro TROJ_RANDSOM.A:

Can be downloaded from remote site(s) by other malware

May be dropped by other malware

May be downloaded unknowingly by a user when visiting malicious Web site(s)

(Fake error message upon malware execution. Courtesty Trend Micro)

As with previous versions of this malware, after installation, the victim is informed that the computer’s files have been encrypted and a decrypting tool must be purchased, for US $307, from the cyber-criminal, in order to decrypt the affected files. Email addresses are included in order to facilitate this fraudulent purchase.

Affected systems: Windows 98, ME, NT, 2000, XP, and Server 2003.

(Process illustration courtesty of Trend Micro)

If you should become infected by this Trojan your best course of action, assuming your installed malware scanners cannot remove the infection, is to take advantage of the multiple online scanners offered by the major anti-malware software developers.

For a review and list of online malware scanners please read “Free Online Spyware/Virus Scanners – Multiply Your Protection”, on this site.

References: Trend Micro

While it has been established how Gpcode infects the victim’s machine with the Trojan, none-the-less, the following precautions are critical to the security of your system.

Most importantly – make regular backups of critical data. If you are infected this may be your only solution

Don’t store critical data on the system partition

Don’t open unknown email attachments

Don’t run programs of unknown origin

Disable hidden filename extensions

Keep all applications (including your operating system) patched

Turn off your computer or disconnect from the network when not in use

Disable scripting features in email programs

Make a boot disk in case your computer is damaged or compromised

Turn off file and printer sharing on the computer

Install a personal firewall on the computer

Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet

Ensure your anti-virus software scans all e-mail attachments

2 Comments

Filed under Don't Get Hacked, Freeware, Interconnectivity, Internet Safety, internet scams, Malware Advisories, Online Safety, Online Spyware/Virus Scanners, System Security, trojans, Viruses, Windows Tips and Tools

Tagged as , , , , , , , , , , , , , , , , , , ,

August 17, 2008 · 10:04 am

Kidnapped! – Gpcode Ransomware – Deja Vue All Over Again

When we think of kidnapping, extortion or blackmail, I think it’s safe to say, not many of us would consider our computer files as a likely victim. That is, unless we were familiar with a particular form of malware known as Ransomware.

Ransomware is a vicious form of malware, considering that it encrypts the victim’s files, and then demands a monetary ransom to decrypt the kidnapped files.

Once again the Ransomware Trojan, Gpcode/PGPCoder is on the loose. First encountered two years ago by Kaspersky Lab, this updated version of Gpcode/PGPCoder has returned, but in a much more advanced form.

Gpcode/PGPCoder is now using a 1,024 bit encryption key, as opposed to 660 bits in its last variant. It has been estimated it would require 30 years to break this new encryption key using a brute force attack; trying every possible password. Following the encryption of the target files the virus self destructs in order to evade detection.

More than 80 file-types on the PC including doc, txt, pdf, xls, jpg, png, htm, pst, xml, zip, and rar, are targeted for encryption, then the original files are deleted from the disk and replaced by an encrypted copy.

An attempt to open an encrypted file on an infected machine will produce a message similar to the following.

Hello, your files are encrypted with RSA-4096 algorithm.

You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us.

To decrypt your files you need to buy our software. The price is $300.

To buy our software please contact us at: – – – –

It has not yet been determined how Gpcode/PGPCoder infects the victim’s machine with the Trojan, so the following precautions are critical to the security of your system.

  • Don’t open unknown email attachments
  • Don’t run programs of unknown origin
  • Disable hidden filename extensions
  • Keep all applications (including your operating system) patched
  • Turn off your computer or disconnect from the network when not in use
  • Disable Java, JavaScript, and ActiveX if possible
  • Disable scripting features in email programs
  • Make regular backups of critical data. If you are infected this may be your only solution
  • Make a boot disk in case your computer is damaged or compromised
  • Turn off file and printer sharing on the computer
  • Install a personal firewall on the computer
  • Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet
  • Ensure your anti-virus software scans all e-mail attachments
  • Don’t store critical data on the system partition

5 Comments

Filed under Email, Encryption, Interconnectivity, internet scams, Malware Advisories, System File Protection, System Security, Windows Tips and Tools

Tagged as , , , , , , , , , , , , , , , , , ,

June 11, 2008 · 1:30 pm

Online Extortion – Gpcode Ransomware Returns

When we think of kidnapping, extortion or blackmail, I think it’s safe to say, not many of us would consider our computer files as a likely victim. That is, unless we were familiar with a particular form of malware known as Ransomware.

Ransomware is a particular vicious form of malware, considering that it encrypts the victim’s files, and then demands a monetary ransom to decrypt the kidnapped files.

Once again the Ransomware Trojan, Gpcode/PGPCoder is on the loose. First encountered two years ago by Kaspersky Lab, this updated version of Gpcode/PGPCoder has returned, but in a much more advanced form.

Gpcode/PGPCoder is now using a 1,024 bit encryption key, as opposed to 660 bits in its last variant. It has been estimated it would require 30 years to break this new encryption key using a brute force attack; trying every possible password. Following the encryption of the target files the virus self destructs in order to evade detection.

More than 80 file-types on the PC including doc, txt, pdf, xls, jpg, png, htm, pst, xml, zip, and rar, are targeted for encryption, then the original files are deleted from the disk and replaced by an encrypted copy.

An attempt to open an encrypted file on an infected machine will produce a message similar to the following:

Hello, your files are encrypted with RSA-4096 algorithm.

You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us.

To decrypt your files you need to buy our software. The price is $300.

To buy our software please contact us at: – – – –

It has not yet been determined how Gpcode/PGPCoder infects the victim’s machine with the Trojan, so the following precautions are critical to the security of your system.

  • When surfing the web: Stop. Think. Click
  • Don’t open unknown email attachments
  • Don’t run programs of unknown origin
  • Disable hidden filename extensions
  • Keep all applications (including your operating system) patched
  • Turn off your computer or disconnect from the network when not in use
  • Disable Java, JavaScript, and ActiveX if possible
  • Disable scripting features in email programs
  • Make regular backups of critical data. If you are infected this may be your only solution.
  • Make a boot disk in case your computer is damaged or compromised
  • Turn off file and printer sharing on the computer.
  • Install a personal firewall on the computer.
  • Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet
  • Ensure the anti-virus software scans all e-mail attachments

6 Comments

Filed under Encryption, Interconnectivity, Internet Safety, internet scams, Malware Advisories, Online Safety, Safe Surfing, Spyware - Adware Protection, System Security, Windows Tips and Tools

Tagged as , , , , , , , , , , , , , , , , ,