Devious ransom trojan takes data hostage

Taking data hostage is not a new invention in the world of cybercrime but a trojan currently infecting computers does it in a way that can leave the victim unaware that he has been scammed.

Mikko Hypponen, CRO at F-Secure, says, “When the W32/DatCrypt trojan infects a computer, it makes it seem as if some files, such as Microsoft Office documents, video, music and image files have been “corrupted”, when the files have in fact been encrypted by DatCrypt. Next the trojan creates what looks like an authentic message from Windows, advising the user to download and execute the “recommended file repair software” called Data Doctor 2010.”

If this utility is downloaded and executed, the user receives a message that it can “only repair one file in unregistered version”. In order to repair — or more accurately, decrypt — more files, the user has to buy the product for $89.95. After the money is paid, the software does return access to the files.

Mikko Hypponen continues, “This trojan works in a very devious way. The user is probably very relieved to get his files back and may not realize that he has just paid a ransom for his own files. The user may even recommend what seems like an excellent file recovery product to his friends. Similar ransomware tricks have also involved the File Fix Pro utility during the past year.”

These criminal schemes only work if the user has not backed up his important files elsewhere. F-Secure recommends that everyone backs up their important files regularly, either on removable media like CDs, DVDs or USB thumb drives, or with online resources.