Update to the new Ransomware

For the original post see: http://www.cc-computers.com/?p=241

In the original post I talked about the new ransomware that is taking hold all over the world. It has even hit a police station in America, which had to pay the “fee” to get its data back.

The latest version of this virus now takes advantage of all the recovery advice that has been published online to “improve their product”. If you thought you could get your data back through shadow copies (also known as Previous Versions), think again: the virus now wipes those out too.

Here is what it does now. The process is the same as before, but refined.

Currently the infection vector is an email attachment, usually a zip file or a “PDF” that is actually an executable. Because most people have “Hide extensions for known file types” ticked (the Windows default), you would not normally notice: you will see filename.pdf when the actual filename is filename.pdf.exe. I expect that this will change or be improved on as well, with links in email, other file types, etc.
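As an added illustration (not code from the original post), here is a small Python check that reproduces what Explorer hides and flags attachments that rely on it, looking inside zip attachments as well. The extension lists, the in-memory sample zip and the names it flags are all constructed for this example.

```python
import io
import zipfile
from pathlib import PurePath

# Extensions Windows runs as code on double-click. Constructed list for this
# example; not exhaustive.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".cpl"}
# Document types a lure usually impersonates (constructed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt", ".rtf"}


def explorer_display_name(filename):
    """Name Explorer shows with 'Hide extensions for known file types' on:
    only the final extension is dropped, so 'Invoice.pdf.exe' shows as 'Invoice.pdf'."""
    path = PurePath(filename)
    return path.stem if path.suffix else filename


def analyse_name(filename):
    """Classify one attachment name: what the user sees, what it really is,
    and whether the hidden final extension turns a 'document' into a program."""
    path = PurePath(filename)
    real_ext = path.suffix.lower()
    shown = explorer_display_name(filename)
    shown_ext = PurePath(shown).suffix.lower()
    executable = real_ext in EXECUTABLE_EXTS
    return {
        "name": filename,
        "shown_as": shown,
        "real_ext": real_ext,
        "executable": executable,
        "disguised": executable and shown_ext in DOCUMENT_EXTS,
    }


def analyse_zip(data):
    """Look inside a zip attachment (raw bytes) and classify every member,
    since the lure usually arrives as a zip wrapped around the .exe."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            result = analyse_name(PurePath(info.filename).name)
            result["member"] = info.filename
            findings.append(result)
    return findings


def build_sample_zip():
    """Constructed stand-in for a lure attachment: a fake 'PDF' executable plus
    a harmless file. The 'MZ' bytes are only a placeholder, not a real program."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("Invoice_2013-11.pdf.exe", b"MZ" + b"\x00" * 62)
        archive.writestr("readme.txt", b"Please see attached invoice.")
    return buffer.getvalue()


if __name__ == "__main__":
    for name in ("Invoice.pdf.exe", "report.pdf", "setup.exe"):
        print(analyse_name(name))
    for finding in analyse_zip(build_sample_zip()):
        flag = "DISGUISED EXECUTABLE" if finding["disguised"] else "ok"
        print(f'{finding["member"]}: shown as {finding["shown_as"]!r} -> {flag}')
```

On Windows the setting itself lives in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, value HideFileExt (0 shows extensions); turning it off is the cheapest defence against this lure, and a mail gateway should simply refuse attachments whose real extension is on the executable list, inside archives included.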

When you open this file it infects your computer and immediately tries to contact a server from a list of around 1000 possible domain names generated by an algorithm. When it finds a live server it exchanges details with it and starts the encryption process. At this point it does not tell you that you have been infected, and most antivirus software does not pick it up. The first version would finish its work without interruption from antivirus software.
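That behaviour leaves a trace on the resolver: a burst of failed (NXDOMAIN) lookups for random-looking names from one machine, followed by one that succeeds. Below is an added Python example, not code from the original post, that runs that detection over a constructed resolver log. The log format, the entropy and count thresholds and the simplified public-suffix handling are all assumptions made for this example; the algorithm the virus itself uses is not described here.

```python
import math
from collections import defaultdict

# Constructed resolver log for this example (not from the original post):
# "<epoch seconds> <client ip> <queried name> <response code>"
SAMPLE_DNS_LOG = """\
1384000000 10.0.0.15 www.bbc.co.uk NOERROR
1384000001 10.0.0.15 mail.google.com NOERROR
1384000002 10.0.0.15 gogle.com NXDOMAIN
1384000002 10.0.0.23 qwpfjxkeglmrt.com NXDOMAIN
1384000002 10.0.0.23 zkqvhbtmfslpc.net NXDOMAIN
1384000003 10.0.0.23 xrdgnpqlwkvbh.org NXDOMAIN
1384000003 10.0.0.23 jtlmzcqxwrfgd.biz NXDOMAIN
1384000004 10.0.0.23 pbvkhwtsqznlm.info NXDOMAIN
1384000004 10.0.0.15 windowsupdate.com NOERROR
1384000005 10.0.0.23 fgxrqdlkvjmzt.ru NXDOMAIN
1384000006 10.0.0.23 vbqtrlwxzkjhp.co.uk NOERROR
"""

ENTROPY_THRESHOLD = 3.0    # bits per character; assumption tuned for this sample
MIN_LABEL_LEN = 10         # generated labels tend to be long; assumption
NXDOMAIN_THRESHOLD = 5     # distinct failed generated-looking names per client; assumption


def shannon_entropy(text):
    """Shannon entropy of the characters in a string, in bits per character."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(name):
    """Second-level label ('qwpfjxkeglmrt' from 'qwpfjxkeglmrt.com').
    Simplified public-suffix handling (assumption): treat co/org/ac/gov
    before the TLD as part of the suffix, as in bbc.co.uk."""
    parts = name.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "org", "ac", "gov"}:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(name):
    """Long label with high character entropy: the shape a DGA output usually has."""
    label = registrable_label(name)
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD


def parse_line(line):
    ts, client, qname, rcode = line.split()
    return int(ts), client, qname, rcode


def find_dga_clients(log_text):
    """Return {client: sorted names} for clients with enough failed lookups
    of generated-looking names to suggest a DGA running on them."""
    suspects = defaultdict(set)
    for line in log_text.strip().splitlines():
        _, client, qname, rcode = parse_line(line)
        if rcode == "NXDOMAIN" and looks_generated(qname):
            suspects[client].add(qname)
    return {c: sorted(names) for c, names in suspects.items()
            if len(names) >= NXDOMAIN_THRESHOLD}


def likely_c2_lookups(log_text):
    """For flagged clients, the generated-looking names that DID resolve: the
    live server the virus found, and the thing to block and hunt for."""
    flagged = find_dga_clients(log_text)
    hits = []
    for line in log_text.strip().splitlines():
        _, client, qname, rcode = parse_line(line)
        if client in flagged and rcode == "NOERROR" and looks_generated(qname):
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    for client, names in find_dga_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} failed generated-looking lookups, e.g. {names[0]}")
    for client, qname in likely_c2_lookups(SAMPLE_DNS_LOG):
        print(f"{client}: live generated-looking domain {qname} (probable control server)")
```

Entropy on its own is a weak signal: a long legitimate name such as windowsupdate.com scores above the threshold too, which is why the check also requires the lookup to have failed and requires several such failures from the same client. In production the count threshold would be far higher and the check would run over a time window rather than the whole log.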

It encrypts all user content it can find on your PC, on mapped network drives and on any shares it can find on the network, including the data held by file-syncing programs such as box.net and Dropbox. It also destroys any shadow copies and encrypts any backups it can reach. When it has finished it pops up a message telling you what it has done; it even gives you a list of the files it has encrypted so you can verify that they are yours. It then starts a countdown timer, initially around 72 hours, within which you can pay the fee and get your files back. Where the old version simply deleted the key if you did not pay in time, the new version instead charges less for paying within the time frame: currently 1/2 bitcoin (now about £500). If you fail to pay in time the price goes up to 10 bitcoin (about £5000), and this “service” stays available for an extended period.

In short: get yourself protected, and keep offline backups and redundant copies.

CritchCorp Computers Ltd.