The first one is similar to the GpCode Trojan that has been detected in 2004 and whose variants have been making a regular appearance until 2008. It usually encrypts the data, and the chances of getting it back are low.
This new, improved version overwrites the data that has been encrypted instead of deleting it - making it impossible for the users to recover it with data-recovering tools.
The malware uses various encryption algorithms, and encrypts only part of the data. Kaspersky's researcher advises victims not to make changes in their system if they notice they have been hit, until a solution to the problem of recovering the data is found.
He also points out that if you see the following text pop up in a text file on your computer or on your background image, you should immediately shut down the computer to prevent at least some of the data to be encrypted:
The second one piece of ransomware found today was one that overwrites the master boot record (MBR), reboots the victim's computer, and shows this message:
Luckily for the victims, the claim that the drives and files are encrypted is false - the original MBR has only been overwritten with the malicious one, and the original is save on a sector of the disk.
The researcher offers two possible ways to restore the original MBR. First, you should try entering the password aaaaaaciip or aaaaadabia (depending on the variant of the malware), and if that doesn't work, use Kaspersky's tool for disk rescue. In any case, don't visit the website mentioned in the message and pay the $100 to have your data back.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.