Websense warns of new cyberattack that holds files hostage
A hacker encrypts files on a user's computer, then demands money to decrypt them
May 24, 2005 12:00 PM ETComputerworld -
A hacker has apparently found a way to encode computer files and hold them hostage until the intended victim pays for a decoder tool to unlock the files.
The original infection occurs when the user visits a malicious Web site that exploits a vulnerability in Microsoft Corp.'s Internet Explorer Web browser, according to San Diego-based Websense Inc., which uncovered the extortion attempt.
"We had a report from the field, but [we] do not divulge what our source for that is," said Dan Hubbard, senior director of security and research at Websense. "What happened was after doing some forensics on the actual computer that was infected, we noticed that the user visited a Web site that has since been shut down. And the site, through an Internet Explorer vulnerability, downloaded some code onto the machine and ran it without user intervention."
Hubbard said the sole purpose of the infection was to go to a second Web site and download another piece of code.
"So first the Trojan [horse] downloader infected the machine, then the downloader went to a second Web site and downloaded the new code and then started its process," Hubbard said. "It goes through and looks at your hard drive for around 12 different file types, including documents, photos, databases, Zip files and spreadsheets, and if it matches those file types, it actually encodes the data."
According to Hubbard, the malware goes through all drives on a machine, whether they're removable or not, and at the end of the process deletes itself -- leaving behind a text file with instructions on who to contact to have the files changed back to a readable format.
"In this particular case, the end user did contact the third party, and there was a request to deposit $200 in an E-Gold account, but that did not happen," he said.
Instead, Joe Stewart, a senior security researcher at Lurhq Corp. in Chicago, looked into the case after hearing about it and contacted Websense with a solution. "I took a look at the encryption scheme and found that it was a pretty trivial and easy to break encryption scheme," Stewart said. "So I wrote a decryptor for that and put that information out there for our customers -- to tell them that if they get hit by this, we can decrypt it and you don't have to pay this guy ransom."
That solution might not work next time, experts said.
Although this hacker used a weak form of encoding, someone in the future could use
Cybercrime/Hacking
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Data in Action: Making the Planet Smarter
Register Now
Email Archiving: A Business-Critical Application
Get this paper now!
Gene Kim's Practical Steps to Achieve and Maintain NERC Compliance
Learn seven steps operators can take to meet IT configuration requirements set forth in the NERC-CIP standards.
The Workday User Experience Video
Watch Workday's Creative Director, Scott Lietzke, discuss the business-centered design philosophy at Workday.
Not Just Words: Enforce Your Email and Web Acceptable Usage Policies
Get this paper now!
Business Process Framework Demo
Learn about Configurable Business Processes and Calculated Fields. Watch Now!
The New World of eCrime: Targeted Brand Attacks and How to Combat Them
Download This Whitepaper Now!
Manager Experience Demo
Go beyond self-service solutions to perform more effectively. Watch Now.

