You recall that CryptoLocker locks up users’ machines, encrypts the files, then demands a payment to unlock the encrypted files. Even if the actual malware is removed, the data remains unavailable.
“There’s mostly no way to get the data back without paying the ransom and that’s the reason why bad guys focus on this scheme as it generates huge profit,” said Jiri Sejtko, Director of AVAST Software’s Virus Lab Operations.
There is new evidence that another, more insidious version of ransomware could be coming. Underground hacker forums have seen advertisements for a new DIY ransomware toolkit, dubbed Prison Locker or PowerLocker, available along with convenient tutorials for a $100 license fee. A blog post on Malware Must Die, an online crime-fighting group, gives the details.
It’s not surprising that scared people are the most vulnerable to attackers’ traps, and there is no reason to think it works differently with computer users. Using this psychology, cybercrooks show an unaware victim an alert page claiming that banned pornography was found viewed or stored on their computer. The message goes on to say that their computer is blocked, all their data is encrypted, and they will be sent to court in 48 hours unless they pay a fine. This is basically how ‘Ransomware’ works – scare tactics, with a convenient way to buy yourself out of the predicament at the end.
When we look closer at the scam, we find that this ransomware targets only the victim’s browser and, fortunately, not (as it claims) the data stored on the victim’s computer. Several elements work together to scare the victim:
- The headline of the webpage: “FBI. ATTENTION! Your browser has been blocked…”. This is the part of the attack that tries to scare visitors as much as possible.
- The name of the page, “gov.cybercrimescenter.com”, tries to convince visitors they are on a legitimate website which belongs to the government.
- A countdown timer starts at 48 hours and counts down the time before “legal steps” start.
These points try to rush panicked victims into paying the requested money as soon as possible, without time to think. But it’s better to take a deep breath before reacting. You know you didn’t watch the movies mentioned on the page, and of course you didn’t store illegal files. Do you really think that, upon identifying a child pornographer, the government would tell them to pay a small amount of money as a fine and let them go?
In our blog, we wrote several times about various types of Ransomware, most recently about CryptoLocker. In most cases, ransomware has pretended to be a program installed into a victim’s computer by the police. Because of some alleged suspicious activities found on the user’s computer, ransomware blocks the user from using the computer and demands a ransom to unlock the machine or files.
Different ransomware families have different graphics and skins, usually showing intimidating images of handcuffs, logos of various government and law enforcement organizations, policemen performing inspections, government officials, etc. Reveton, Lyposit and Urausy are the most prolific examples of such ransomware; you can read our previous analyses of them on our blog.
In this blog post, we will look at the functionality of the same type of ransomware, but one which displays more annoying and disturbing photos. After showing the message “Your computer has been suspended on the grounds of viewing illegal content,” accompanied by the current IP address, the name of the internet service provider (ISP) and the geographical location, it displays several pictures of child pornography!
Question of the week: I have read frightening stories about CryptoLocker locking computers. I don’t have $200 to pay blackmailers for my own files. How do I protect myself from getting attacked? Does avast! protect from CryptoLocker?
“Avast! Antivirus detects all known variants of CryptoLocker thanks to our automated processing and CommunityIQ,” said Pavel Sramek, researcher and analyst for the avast! Virus Lab. “There are less than a dozen; this doesn’t seem to be a case of rapidly mutating malware.”
What is CryptoLocker?
CryptoLocker is malware known as “ransomware” that encrypts files on a victim’s Windows-based PC. This includes pictures, movie and music files, documents, and certain files on local or networked storage media. A ransom, paid via Bitcoin or MoneyPak, is demanded as payment to receive a key that unlocks the encrypted files. The victim has 72 hours to pay about $200; after that the ransom rises to over $2,200.
How do you get CryptoLocker?
The CryptoLocker virus often arrives as an executable file disguised as a PDF attachment to an official-looking “spoofed” email message which claims to come from a bank, UPS or FedEx, typically posing as a tracking notification. When someone opens the email, they are asked to download a Zip file that contains an executable file (.exe) which unleashes the virus. There is also evidence that CryptoLocker started with infections by the ZeuS or Zbot banking Trojan, and that botnets are being used to download and install CryptoLocker.
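The delivery trick described above (an executable inside a Zip attachment, named to look like a PDF) is easy to flag before a user double-clicks it. The following is an added example, not code from AVAST or from the original post: it inspects a Zip attachment in memory and reports members whose final extension is executable, whose double extension mimics a document, or whose content starts with a Windows PE (“MZ”) header despite a document-style name. The extension lists, function names and the sample archive are constructed for this demo.

```python
"""Added example: flag Zip e-mail attachments carrying an executable disguised
as a document. Extension sets and sample archive are constructed assumptions."""
import io
import zipfile

# Extensions Windows runs on double-click (a subset chosen for this demo)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure typically pretends to be
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def suspicious_members(zip_bytes: bytes) -> list[dict]:
    """Return one record per archive member that looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Work on the base name only, lower-cased, split into extension chain
            base = info.filename.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            exts = ["." + p for p in parts[1:]]
            final_ext = exts[-1] if exts else ""
            reasons = []
            if final_ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension")
            # e.g. "notice.pdf.exe": the visible part looks like a PDF
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and final_ext in EXECUTABLE_EXTENSIONS:
                reasons.append("double extension mimics a document")
            # Content check: a PE file starts with the two bytes "MZ"
            with zf.open(info) as member:
                head = member.read(2)
            if head == b"MZ" and final_ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE header under a non-executable name")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one double-extension lure, one renamed PE, one benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tracking_Notice.pdf.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("Invoice.pdf", b"MZ" + b"\x00" * 64)  # PE bytes hiding under .pdf
        zf.writestr("Readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_members(build_sample_zip()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

The name-based checks catch the classic lure; the content check catches the case where the attacker simply renames the executable, which a file-extension filter at the mail gateway would miss. In practice such a check belongs at the mail gateway or in an attachment-sandboxing step, alongside the antivirus scanning the post recommends.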
How do you protect your computer from CryptoLocker?
AVAST users should be safe from infection during the short period when the malware is new and “undetected” as long as AutoSandbox and DeepScreen are active. “The infection is prevented by means of a dynamic detection,” said Sramek.
“We also automatically add detections for each new sample that passes our backend filters,” said Jiri Sejtko, Sramek’s colleague in the avast! Virus Lab.
“Against future threats like this, having a backup is always a good idea – who knows when CryptoLocker v2.0 will be released, and every antivirus solution is reactive by nature,” said Sramek. “The encryption used is virtually unbreakable, there is zero chance of recovering files after infection.”
Avast! BackUp is an online backup and recovery service that allows you to select sets of data or individual files you want to back up. Try avast! BackUp free for 30 days; after that you can choose a subscription based on your storage needs.
Question of the week: I just read your blog post about the Reveton virus. My computer was locked and held for ransom by something similar. I finally got it fixed and downloaded avast! 2014. How can I prevent that from happening again?
We’re sorry to read that you experienced “ransomware” firsthand. While this type of malware has not been very common, it has proven to be effective, so its incidence is on the rise. There are variations on ransomware, but all are designed to frighten or shame the victim into paying a fee to have their computer returned to normal operation. One variation uses a popup to say a virus has been detected on your computer and you have to pay to get it removed. The FBI MoneyPak Virus threatened American users with prosecution because child pornography was allegedly found on the machine. German users got hit by a similar attack recently. A hefty fine of about $300 could make it right again (or not).
Ransomware has been found all over the world, but cybercrooks are making it scarier by targeting it locally. So if you live in Hawaii (first of all, lucky you), you may receive something that looks like this. It looks pretty serious, and can spook users into thinking something is very wrong.
What do you do if your computer is attacked?
Ransomware has been reported by consumers, but it’s also been found in business environments. If you receive something like this on your work computer, please notify your IT specialists. They will need to take action to protect the network, and investigate how the attack occurred. Remember, do not do anything the on-screen message instructs you to do – never share data and do not pay any so-called fines.
If you find yourself infected with malware, it’s a major headache, with many lost hours and sometimes irreparable damage. With this in mind, you can use avast! Rescue Disk, included in all avast! 2014 products, to create an image of your avast! installation. This image can be saved to a USB drive, CD or DVD. That way, if anything nasty happens to the PC, you will have the disk image ready to clean and restore your PC to normal function. The avast! Rescue Disk is built on Windows PE (Preinstallation Environment), which allows you to boot a PC even when there is no functioning operating system. The Rescue Disk function is an integral part of the new remediation module introduced in the 2014 version.
Here are complete instructions for Creating and using avast! Rescue Disk.
For those of you who are more visual, here’s a video ‘How-to’ from AVAST Evangelist, Bob G.
It has been more than a year since we last reported on the Reveton lock screen family. The group behind this ransomware is still very active and supplies new versions of their ransomware regularly.