New ransomware trojan encrypts files to make you pay up

A new type of ransomware has appeared, and it’s got the potential to be a lot more nasty than other trojans in the category. This as-yet unnamed trojan follows through on the threats made by other malware authors. It actually encrypts files on a PC in an attempt to force users to pay up.

Ransomware started popping up a few years ago with a now-familiar MO. An infected user is confronted by a message claiming that their PC has been somehow used in a criminal act or is at risk in some way. In order to rectify the imaginary problem, a fee has to be paid. This extortion scheme is sometimes accompanied by the locking down of parts of the system, but never before has ransomware gone to the extremes of actually encrypting files and holding them hostage. There’s no way to reclaim access to the files by simply removing the trojan.

When a PC picks up the new trojan, it goes to work by creating two encryption keys based on the PC’s ID. It also spawns a new instance of ctfmon.exe or svchost.exe and injects its own code there. This allows it to run in the background more stealthily. The first of the encryption keys is used to encrypt communications with the command and control server. The second key is the one causing all the heartache.

The second key is encrypted by the first, and sent to the command and control server for safekeeping. The server then determines which files should be locked up. It goes after images, documents, and some executables, using the second key to encrypt them. In this case, the scary warning that pops up is not making idle threats — those files aren’t coming back without the key.

The goal here is not to cripple a computer, so the Windows files are left intact. However, the malware does block regedit, task manager, and msconfig. Since the malware controller has the encryption keys, he or she could technically remove the file encryption if the fee is paid. That’s far from a guarantee, though.


Tags: , , ,

Leave a Reply

You must be logged in to post a comment.