New ransomware holds Windows files hostage, demands $50
'Sobering' turn by crooks 'doesn't bode well,' says researcher
Computerworld - Cybercrooks have hit on a new twist to their aggressive marketing of fake security software and are duping users into downloading a file utility that holds users' data for ransom, security researchers warned today.
While so-called scareware has plagued computer users for months, those campaigns have relied on phony antivirus products that pretend to trap malware but actually only exist to pester people into ponying up as much as $50 to stop the bogus warnings.
The new scam takes a different tack: It uses a Trojan horse that's seeded by tricking users into running a file that poses as something legitimate like a software update. Once on the victim's PC, the malware swings into action, encrypting a wide variety of document types -- ranging from Microsoft Word .doc files to Adobe Reader PDFs -- anytime one is opened. It also scrambles the files in Windows' "My Documents" folder.
When a user tries to open one of the encrypted files, an alert pops up saying that a utility called FileFix Pro 2009 will unscramble the data. The message poses as an semiofficial notice from the operating system. "Windows detected that some of your MS Office and media files are corrupted. Click here to download and install recommended file repair application," the message reads.
Clicking on the alert downloads and installs FileFix Pro, but the utility is anything but legit. It will decrypt only one of the corrupted files for free, then demands the user purchase the software. Price? $50.
"This does look like a new tactic," said David Perry, the global director of education at antivirus vendor Trend Micro Inc. "But all online fraud is just minor variations of classic con games. This is just the 'Bank Examiner' played out on the Internet."
That classic con, said Perry, typically involves a swindler posing as an official, a bank examiner or an FBI agent who asks for help in an investigation. The swindler convinces the mark to withdraw money from the bank -- it's needed to catch the nonexistent crook in the act -- and promises to return the funds at the end of the case. Of course, the money vanishes, along with the grifter.
On the Web, data-hostage scams like this are called "ransomware" for obvious reasons. This isn't the first time the tactic has been used, but it is remarkably polished, said Perry. "We've not seen ransomware with this level of sophistication," he said.
Users who have fallen for the FileFix Pro 2009 con do not have to fork over cash to restore their files, according to other researchers, who have figured out how to decrypt the data. The Bleeping Computer site, for instance, has a free program called "Anti FileFix" available for download that unscrambles files corrupted by the Trojan horse. And security company FireEye Inc. has created a free online decrypter that also returns files to their original condition.
Alex Lanstein, a malware researcher at FireEye who blogged about FileFix Pro 2009 last week, called the turn from scareware to ransomware "sobering."
"Although we broke the encryption, it's a sobering realization of the state of malware that it is now actively extorting users by holding their data ransom," Lanstein said. "Despite this version of FileFix being trivial to crack, it does not bode well for the future of Internet malware."
If ransomware follows a similar path as scareware, criminals will be hustling to mimic FileFix Pro. According to some estimates, crooks make as much as $5 million a year pushing fake antivirus software.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts