Relatively unknown, in this virtual world, is the term Ransomware.
Ransomware is malware, usually a trojan, that literally kidnaps a computer and demands a ransom.
After ransomware has installed itself on a computer, it displays a message telling the user that the computer has been taken over and that the only way to release it is to meet the demand for some sort of ransom. Usually this means a transfer of a certain amount of money to an online bank account.
Failing to do so, the message says, will result in severe penalties, like deleting files (sometimes at a fixed time interval, to enforce the ransom demand) or just rendering the operating system useless.
Some ransomware variants spawn copies of themselves throughout the system, trying to make sure that removal is difficult. Others just do their job and remove themselves.
Trojan.Aids (aka Aids Info Disk, PC Cyborg Trojan)

Trojan.Aids, made in 1989 by Dr. Joseph Popp, was the first ransomware trojan.
It was distributed on a diskette called the AIDS Information Introductory Diskette, which was spread by mail using a mailing list of Dr. Popp.
On execution, the trojan installed itself on the computer and replaced the autoexec.bat. The trojan's autoexec.bat counted the number of times the computer booted. When the count reached 90, the trojan renamed all the files on the computer, using a specially designed encryption table, and demanded payment of US$ 378 for renewal of the license, to be paid to the PC Cyborg Corporation.
(After his arrest, on 11 counts of blackmail, Dr. Popp claimed that the money was meant for AIDS research, hence the name of the trojan.)
There was at least one variant, which did not wait but renamed all the files on the computer upon the next boot.
Trojan.Aids was first identified and analysed by Jim Bates.
There are two reliable removal tools specially designed for Trojan.Aids: AidsOut, which removes the trojan, and ClearAid, which reverses the encryption.
Trojan.GPCoder (aliases: PGPcoder, GPCode)

This is a general description of the ransomware trojan GPCoder. Known variants: A, AC, AD, AE, AF, AG, B, F.
The second ransomware trojan was GPCoder, launched as Trojan.GPCoder.B in December 2004, which encrypts data files with the extensions .xls, .doc, .txt, .rtf, .zip, .rar, .dbf, .htm, .html, .jpg, .db, .db1, .db2, .asc and .pgp.
It then creates a text file called ATTENTION!!!.txt in the folders where it has hijacked files. This file contains the following text:

    Some files are coded.
    To buy decoder mail: n781567@yahoo.com
    with subject: PGPcoder 000000000032

When GPCoder has encrypted all the files with the predetermined extensions, it removes itself from registry, disk and memory.
Trojan.Cryzip (aliases: Zippo)

Trojan.Cryzip was launched in the beginning of March 2006.
Cryzip uses a commercial Zip library to store hijacked files in a password-protected ZIP file.
Upon execution, the trojan searches all folders, except the System and System32 folders, for files with the extensions .arh, .asm, .arj, .bas, .cdr, .cgi, .chm, .cpp, .db1, .db2, .dbf, .dbt, .dbx, .doc, .dpr, .dsw, .frm, .frt, .frx, .gtd, .gzip, .jpg, .key, .kwm, .lst, .man, .mdb, .mmf, .old, .p12, .pas, .pak, .pdf, .pgp, .pwl, .pwm, .rar, .rtf, .safe, .tar, .txt, .xls, .xml and .zip, which it stores in a ZIP file called [original-file-name-&-extension]_CRYPT_.ZIP, after which it deletes the original.
After processing the files in a folder, the trojan also leaves a text file AUTO_ZIP_REPORT.TXT with the following text (quoted as displayed, spelling included):

    OUR E-GOLD ACCOUNT: XXXXXXX
    INSTRUCTIONS HOW TO GET YUOR FILES BACK
    READ CAREFULLY. IF YOU DO NOT UNDERSTAND, READ AGAIN.
    This is automated report generated by auto archiving software.
    Your computer catched our software while browsing illigal porn pages, all your documents, text files, databases was archived with long enought password.
    You can not guess the password for your archived files - password lenght is more then 10 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).
    Do not try to search for a program what encrypted your information - it is simply do not exists in your hard disk anymore.
    If you really care about documents and information in encrypted files you can pay using electonic currency $300.
    Reporting to police about a case will not help you, they do not know password. Reporting somewhere about our e-gold account will not help you to restore files. This is your only way to get yours files back.
    ------------------------------
    How to pay to get your information back.
    1. click on this link to open your free e-gold account - the first screen is the e-gold "terms and conditions" page. You need to agree to these by clicking on the "I AGREE" button on the bottom on the page.
    2. On the next page is the sign up form:
        1. "Account name" - here is where you name your account - tip: make it easy to remember (as you will be asked for it) and reasonably short, example, "John's e-gold", "My Money e-gold" or perhaps "Felix" (whatever you like, just make it easy for you to remember it).
        2. "User Name" - here just repeat the account name (from 1 above).
        3. "Point of Contact" - this is where you put our name, address, phone number and email address (any email address can be used here but it is recommended you use your ISP address - not a free hotmail, etc address). It is also recommended your also include a fax number (don't have a fax number? This company offers free fax to email services). Try and make it as easy as possible for e-gold to contact you.
        4. "Passphrase" - this is the most important piece of information connected to any e-gold account. We can not stress enough how important it is that your passphrase is kept safe and secure.
        5. "Turing Number Entry" - type the 6 numbers you see there into the input box below.
        6. The last step click "Open"
    On the next page it will tell you that your e-gold account number has been emailed to you.
    check your email - you can expect to wait up to 5 minutes for your account number to arrive. If it does not arrive after 5 minutes then that means the email address you supplied was incorrect and you will have to open another new account (go through and repeat what you just did above again).
    FINALLY when you bought e-gold you have to transfer $300 to our e-gold account.
    In next 24 hours you will recieve $1 back to your account. Transfer details of this $1 transfer will have a link to software that will automatically unzip all your files back to normal state.
    ##########################################################################
    Remember you are just $300 away from your files
    ##########################################################################
The e-gold account number is picked from a list of numbers in the DLL file ZIPPO.dll.
In the first version of the Cryzip trojan, the text of the message as well as the encryption password are also stored in the DLL file. The LURHQ Threat Intelligence Group has identified the password as being: C:\Program Files\Microsoft Visual Studio\VC98
On May 22, LURHQ discovered a second variant, which doesn't have just one possible password stored in its DLL file, but downloads a random password from a list of passwords on a remote web server.
Unfortunately, this makes retrieval of the hijacked files almost impossible without meeting the demands of the blackmailer, unless he/she is arrested and reveals the passwords.
There is also a chance to retrieve the hijacked files using a tool like Elcomsoft's Advanced ZIP Password Recovery; however, to work properly, this tool needs at least one unencrypted original of the hijacked files to use as known plaintext.
Trojan.Ransom (aliases: Randsom)

The next ransomware variant to see daylight was the trojan Ransom-A.
It is delivered to a computer as an e-mail attachment.
Upon infection, Ransom-A copies itself to %Start Menu%\Startup\ as a hidden file winstart.exe, to make sure it is started every time Windows is started.
Then it creates the following files:
In %Windows%: svchost.exe, wpd.exe, ShutdownUtility.exe, data3.exe, 009.exe, 008.exe, 007.exe, 006.exe, 005.exe, 004.exe, 002.exe, data2.exe, data4.exe and dat1.bat
And in %System%\oobe\setup\: corpstats.exe
It also creates the following registry entries:
HKLM\SOFTWARE\Windows\CurrentVersion\Run cleanup <System>\oobe\setup\corpstats.exe
HKLM\SOFTWARE\Windows\CurrentVersion\RunOnceEx cleanup <System>\oobe\setup\corpstats.exe
It may create a temporary file OZ in C:\Documents and Settings\All Users\Application Data\ and a registry entry HKEY_CURRENT_USER\SOFTWARE\OZ Development\Applications. Both seem to be harmless.
After it has settled in, the trojan displays the following messages:

    "Deleted files are going to be saved into a hidden directory and replaced during uninstallation."
    "(1) files are being deleted every 30 minutes"
It also shows pornographic material and the following message (quoted as displayed, spelling included):

    environment locked
    windows locked
    listen up muthafucka
    is this computer valuable. it better not be.
    is this a business computer. it better not be.
    do you keep important company records or files on this computer.you'd better hope not.
    because there are files scattered all over it tucked away in invisible hidden folders undetectable by antivirus sofware
    the only way to remove them and this message is by a CIDN number
    This X.aip will load everytime you start windows scattering more and more copies of iteslf until your computer is fried to a pulp. until then you may even noteice other programs missing critical files.
    How to Remove it
    Simple. you must receive a CIDN: number from Western Union
    go to Western union, fill out the grey form labelled "SwiftPay" pay $10.99 as your customer access number enter "4 8 7 0 9 3 0 1 0 1 3 0 8 6 9 7"
    you may sign any name, i.e John Doe.
    and wait for a receipt from the clerk. Look on the top right-hand corner of the receipt for a number that starts with CIDN: i.e CIDN: 203-093-1903
    comback to this computer an enter your CIDN number. The uninstall process will begin.
    note: if you don't pay exactly $10.99 you will generate an invalid CIDN number and be forced to start all over.
    If you have a valid CIDN: Number and have problems uninstalling send a reuqest to unlock3713@yahoo.com
    I will research the problem and if applicable send a alternate CIDN: universal key by email.

The trojan generates multiple processes of itself. If such a process is killed, the trojan displays the following message:

    Yeah, We don't die, We multiply!
    Ctrl+Alt+Del isn't quite working today, is it? I'm not the sharpest tool in the shed but Crtl+Alt+Del is everyone's S.O.S
Trojan.Arhiveus (aliases: Archiveus)

The newest kid on the ransomware block seems to be Archiveus, discovered on May 6, 2006 ... and it has a surprise!
Instead of demanding payment of a certain amount of money, the trojan demands that the victim buy pharmaceutical goods, at a price of US$ 75 or more, at a Russian online shop.
Another difference from the other ransomware variants is that Arhiveus doesn't encrypt files. It copies the files in the My Documents folder into one file, called EncryptedFiles.als, and removes the originals. It also creates two other files in the My Documents folder, called Demo.als and INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt.
This last one contains the following instructions for the victim to get his/her files back (quoted as displayed; the first numbered step is missing from the copy this description was made from):

    INSTRUCTIONS HOW TO GET YOUR FILES BACK
    READ CAREFULLY. IF YOU DO NOT UNDERSTAND - READ AGAIN.
    This is the automated report generated by auto archiving software.
    Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was archived with long password.
    You can not guess the password for your archived files - password length is more than 30 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).
    Do not try to search for a program that encrypted your information - it simply does not exist in your hard disk anymore.
    Reporting to police about a case will not help you, they do not know the password. Reporting somewhere about our email account will not help you to restore files. Moreover, you and other people will lose contact with us, and consequently, all the encrypted information.
    WE DO NOT ASK YOU FOR ANY MONEY! We only want to do business with you. You can even EARN extra money with us.
    If you really care about the documents and information in encrypted file, you should follow the instructions below.
    This is your only way to get your files back and save your time.
    and enter our online pharmacy. Our online pharmacy is the world leader in FDA approved medications.
    2. Choose any product you like and buy it.
    3. Send an email with your order id to our email address restoring@[blocked].net or restoringfiles@[blocked].com
    The password will be sent to your email address as soon as we verify your order id (usually 3-4 hours or shorter) and you will get your information in encrypted file back. All the emails with invalid order ids will be ignored.
    ------------------------------
    We do not ask you for any money! We guarantee that you will receive the product you buy! You can use it by yourself or even sell and earn extra money because all the products in our online pharmacy are discounted!
    We guarantee that you will receive the password for encrypted file as soon as you buy any product in our online pharmacy.
    We guarantee that you will be able to restore all the encrypted information and we can prove it. Doubleclick on the file Demo.als and enter the following password: kw9fjwfielaifuw1u3fw3brue2180w3hfse2
    The encrypted information will be restored in several seconds.
    The file EncryptedFiles.als is encrypted with another password which you will receive in the email from us.
    We guarantee that you will never be asked to buy anything in our online pharmacy again.
    We do not want to do you any harm, we do not ask you for money, we only want to do business with you.
    ##########################################################################
    Remember you are just three steps away from your files
    ##########################################################################

(The obvious similarity of this message to the message from Cryzip seems to be nothing else than "copying a good idea" ... the trojans themselves don't seem to be related in any way ...)
Luckily we have LURHQ, which has already analysed the trojan.
The decryption password for EncryptedFiles.als is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
The password for Demo.als is kw9fjwfielaifuw1u3fw3brue2180w3hfse2
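A defender-side triage script that ties the GPCoder, Cryzip and Arhiveus descriptions above together (an added example, not code from the original page or from LURHQ): it walks a directory tree for the dropped note files and _CRYPT_.ZIP archives documented above, and for the first Cryzip variant tries the LURHQ-recovered password to restore the originals next to the archives. The family mapping, the build_sample_tree helper and its sample files are constructed assumptions; the stdlib zipfile module can read ZipCrypto archives but not write them, so the sample archive is unencrypted.

```python
import os
import tempfile
import zipfile

# Note files the article documents per family (mapping constructed here).
NOTE_FILES = {
    "ATTENTION!!!.txt": "Trojan.GPCoder",
    "AUTO_ZIP_REPORT.TXT": "Trojan.Cryzip",
    "EncryptedFiles.als": "Trojan.Arhiveus",
    "INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt": "Trojan.Arhiveus",
}
CRYZIP_SUFFIX = "_CRYPT_.ZIP"
# Password LURHQ recovered from the first Cryzip variant's ZIPPO.dll
CRYZIP_PASSWORD = b"C:\\Program Files\\Microsoft Visual Studio\\VC98"

def find_indicators(root):
    """Walk a tree and map each family name to the artefact paths found."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            family = NOTE_FILES.get(name)
            if name.upper().endswith(CRYZIP_SUFFIX):
                family = "Trojan.Cryzip"
            if family:
                hits.setdefault(family, []).append(os.path.join(dirpath, name))
    return hits

def recover_cryzip(zip_path, password=CRYZIP_PASSWORD):
    """Restore the original beside a *_CRYPT_.ZIP; None if the password fails."""
    try:
        with zipfile.ZipFile(zip_path) as zf:
            member = zf.namelist()[0]
            data = zf.read(member, pwd=password)  # wrong password -> RuntimeError
    except (RuntimeError, IndexError, zipfile.BadZipFile):
        return None
    original = os.path.join(os.path.dirname(zip_path), os.path.basename(member))
    with open(original, "wb") as fh:
        fh.write(data)
    return original

def build_sample_tree():
    """Constructed sample folder; stdlib cannot write ZipCrypto, so the zip is plain."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    docs = os.path.join(root, "My Documents")
    os.mkdir(docs)
    with zipfile.ZipFile(os.path.join(docs, "budget.xls_CRYPT_.ZIP"), "w") as zf:
        zf.writestr("budget.xls", b"constructed spreadsheet contents")
    for note in ("AUTO_ZIP_REPORT.TXT", "ATTENTION!!!.txt"):
        open(os.path.join(docs, note), "w").close()
    return root
```

Run find_indicators(build_sample_tree()) to see both families reported, then pass the reported _CRYPT_.ZIP path to recover_cryzip to get budget.xls back.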
SOURCES:
- Several virus descriptions from LURHQ, Symantec and Sophos