[ISN] Hacking extortionist resurfaces

From: InfoSec News (alerts@private)
Date: Mon Jul 16 2007 - 22:40:28 PDT


By Gregg Keizer
July 16, 2007 

"Ransomware" last seen in 2006 has reappeared and is trying to extort 
$300 from users whose files the malware has encrypted, a Russian 
security researcher said today.

GpCode, a Trojan horse which last made a run at users last summer, has 
popped up again, said Aleks Gostev, senior virus analyst with 
Moscow-based Kaspersky Lab Inc., in a posting to the research center's 

Noting the long quiet time, Gostev added: "So you can imagine our 
feelings this weekend, when some of our non-Russian users told us their 
documents, photos, archive files etc. had turned into a bunch of junk 
data, and a file called 'read_me.txt' had appeared on their systems."

The text file contained the "ransom" note.

"Hello, your files are encrypted with RSA-4096 algorithm. You will need 
at least few years to decrypt these files without our software. All your 
private information for last 3 months were collected and sent to us. To 
decrypt your files you need to buy our software. The price is $300."

So-called ransomware typically follows the GpCode pattern: malware 
sneaks onto a PC, encrypts files, and then displays a message demanding 
money to unlock the data.

Gostev hinted that the blackmailer was likely Russian. "The e-mail 
address is one that we've seen before in LdPinch and Banker [Trojan 
horse] variants, programs which were clearly of Russian origin," he 

The blackmailer's claim that the files were enciphered with RSA-4096 -- 
the RSA algorithm locked with a 4,096-bit key -- is bogus, said Gostev. 
Another oddity, he added, was that the Trojan has a limited shelf life: 
from July 10 to July 15.

"Why? We can only guess," said Gostev.

Kaspersky is working on a decryption scheme to recover the files; that 
process has been the usual salvation -- and solution -- for users 
attacked by ransomware. "[But] we'd just like to remind you, if you've 
fallen victim to any type of ransomware, you should never pay up under 
any circumstances.

"Contact your anti-virus provider, and make sure you back up your data 
on a regular basis."


This archive was generated by hypermail 2.1.3 : Mon Jul 16 2007 - 22:47:23 PDT