Browse archive

Latest news

The security of WordPress plugins

How to detect hidden administrator apps on Android

Key obstacles to effective IT security strategies

CyanogenMod founder aims to thwart data-grabbing apps

Businesses not fully implementing infosec programs

Is accessing work apps on the move destructive?

Microsoft releases Enhanced Mitigation Experience Toolkit 4.0

New regulation for ENISA, the EU cybersecurity agency

F-Secure advances fight against exploits

Free anti-spam software for the Mac

Information security executives need to be strategic thinkers

U.S. tech companies sharing bug info with U.S. govt before releasing fixes

Account takeover attempts have nearly doubled

It takes 10 hours to identify a security breach

Guccifer hacks U.S. nuclear security agency chief

British GCHQ spied on G20 delegates to gain advantage in talks

Hacking charge stations for electric cars

Assorted ransomware targeting users

Posted on 13.04.2012

A slew of ransomware has been detected by a number of security companies in the last few days.

Trend Micro researchers have spotted a ransomware variant that overwrites the Master Boot Record (MBR) - very similar to ones detected last year, and the year before that - and F-Secure, Bitdefender and Dr. Web researchers have all practically simultaneously discovered a variant that encrypts all documents, images and shortcuts.

The MBR-hijacking ransomware prevents the operating system from loading by overwriting the MBR with its own malicious code.

It then restarts the computer and shows a message to the user saying that the PC is blocked and requesting him to pay up 920 Ukrainian hryvnias (around $115) via QIWI payment service to a defined purse number in order to receive the code that unlocks the computer.

The file-encrypting ransomware variant detected by the aforementioned three security firms searches all folders on the system and encrypts almost everything found in them and adds the .EnCiPhErEd extension to the files.

It also drops in every folder a text file named HOW TO DECRYPT FILES.txt, which contains the instructions for getting rid of the ransomware:

And just so the user can't miss it, the same warning pops up again in a window.

According to F-Secure, this particular piece of malware drops a copy of itself in the system's temp folder with a random name.

"It creates registry entries to associate the .EnCiPhErEd extension with itself, so that the temp folder copy will be launched whenever those files are run, in order to demand the decryption password," explain the researchers. "After five attempts it will no longer accept passwords. And it then deletes itself, leaving your data encrypted."

They believe that the malware is being dumped on unsuspecting users via malicious tags in sites and forums.

Dr. Web researchers warn users who get infected with it not to reinstall their machines or try to restore the encrypted data on their own.

Instead, they ask them to contact the firm's technical support and attach one of the encrypted files in the email, so that they may send them (free of charge) instructions for reverting the action of the malware.