New Wave of Dangerous Ransomware Engulfs the Internet

01 Dec 2010
Virus News

Kaspersky Lab warns users about two highly dangerous new ransomware programs sweeping across the Internet that could potentially wipe data from victims’ computers.

One of the malicious programs is a new variant of the infamous GpCode Trojan. It targets files with a wide variety of extensions, including doc, docx, txt, pdf, xls, jpg, mp3, zip, avi, mdb, rar, and psd, and encrypts them without the user’s authorization. The corresponding Trojan-Ransom.Win32.GpCode.ax signature was added to Kaspersky Lab’s antivirus database on 29 November.

Trojan-Ransom.Win32.GpCode.ax spreads via infected sites, exploiting vulnerabilities in Adobe Reader, Java, QuickTime Player, or Adobe Flash. Unlike previous versions of GpCode, which date back to 2004, this Trojan doesn’t delete files after encrypting them but instead overwrites the data in the files, making it impossible to use data-recovery software to restore the original data. The program uses the strong RSA-1024 and AES-256 crypto-algorithms.

Kaspersky Lab experts are carefully analyzing the new version of GpCode and investigating possible ways to restore data on affected machines.

The second ransomware program, detected by Kaspersky Lab earlier this week, is a Trojan that infects the master boot record (MBR) of a compromised computer. Two signatures were added to the company’s antivirus databases: Trojan-Ransom.Win32.Seftad.a for the dropper and Trojan-Ransom.Boot.Seftad.a for instances where the MBR is infected. After infection, the malicious program overwrites the boot area before demanding that the computer’s owner make a payment for a password that will restore the MBR. If an incorrect password is entered three times, the infected computer reboots and the Trojan repeats its demand for money.

Users of Kaspersky Lab products with up-to-date antivirus databases are protected from both of these ransomware Trojans. The company also recommends that users regularly update all the software installed on their computers in order to close any vulnerabilities.

The results of Kaspersky Lab’s analysis of both ransomware Trojans are available at www.securelist.com.