This is a new iteration of a rather persistent favourite we see a lot. The file in question is called "NTOS.EXE", which we detect generically as Win32.PSWSteal.Gen, entirely preventing the threat of stolen data and infection.
When the file is executed on the machine, it encrypts all documents, pictures, data files and more on the machine, and leaves this message:
"Hello, your files are encrypted with RSA-4096 algorithm (http://en.wikipedia.org/wiki/RSA). You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us. To decrypt your files you need to buy our software. The price is $300. To buy our software please contact us at: tristanniglam@gmail.com and provide us your personal code -xxxxxxxxx. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system. If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data -- Glamorous team."
At the time of writing there are 6317 records in the stat.txt file below, which is used to track how many people are infected, together with their IP addresses. The picture below gives a graphic view of the dump site containing the harvested data.
Here are the latest VirusTotal detections for it:
Now for the really interesting part. Translating the log files on the server into meaningful data was quite easy; here is the money shot.
All of the above corporations' IPs appear in the stats, and there are tagged data files with these IPs on the drop site. Shocking.
While writing this, and looking at the VirusTotal stats, one message sits clear with me. If these stats indicate that these companies have been attacked, and they are running any of the products from the vendors that didn't detect it, do they even know they are infected? This could put them at significant risk.
And if they don't know they are infected, how will they protect their customer data once it has been leaked?
After a brief crack at decrypting the data, the results are staggering. For example, in the case of the infection at the US Dept of Transportation, there is over 500 KB of stolen information. We think that's a lot, and the level of detail... well.
These hosts are high-profile companies that spend a significant amount of money every year on security, and these threats still seem able to penetrate their defences. It's worth adding that this particular threat is not very sophisticated compared to some of the things we see nowadays.
SecureSciences did an excellent write-up in November last year of an older variant of this threat, which can be found here.
More to follow, including a decryptor, so if you are about to fork out $300 to some shady character, just hang on...
** UPDATE ** By Marco Giuliani
As Jacques wrote during the weekend, we've had a number of reports about a new ransomware trojan that encrypts files on the user's hard disk. It isn't really a new trojan; instead it's a variant of an old password-stealer trojan we have already seen over the last couple of months. The latest build has a new ransomware feature built into it.
After a lively weekend spent on this malware, we've reversed it and, unlike the claim made by the malware writers in the readme file, it doesn't use the RSA-4096 algorithm but a simpler one.
Prevx is the first to provide full disinfection and decryption for this malware, which has infected thousands of computers around the world.
Moreover, the trojan steals usernames and passwords from the user's online transactions, then stores them in an encrypted file and uploads it to a remote server. The malware writers can then decode the file and steal your credentials.
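The ransom note's "RSA-4096" claim is exactly the kind of thing a responder should test rather than trust: a genuine RSA- or AES-encrypted file has no structure left to exploit, whereas a weak scheme can often be undone from the known header bytes of the file type alone. The example below is added here and is not Prevx's decryptor; the page does not describe the real cipher, so a repeating-key XOR is used as a constructed stand-in for "a simpler one", and the crib-based key recovery is the general known-plaintext technique, not this trojan's actual scheme.

```python
"""Added example (not Prevx's tool): test whether an 'encrypted' file is
really a short repeating-key stream cipher, using the file-type magic
bytes as known plaintext. The XOR scheme is a constructed stand-in; the
page only says the real cipher is simpler than RSA-4096."""
import math
from collections import Counter

# Known headers (magic bytes) of common document types, used as the crib.
MAGIC = {
    "jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-1.",
    "zip": b"PK\x03\x04",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for real RSA/AES output on large
    inputs, noticeably lower when structure survives encryption."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (constructed stand-in for the weak cipher)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_repeating_key(ciphertext: bytes, crib: bytes, max_len: int = 16):
    """XOR the crib against the start of the file to expose the key
    stream, then accept the shortest period that repeats consistently
    across the whole crib. Only periods shorter than the crib can be
    checked, so confidence grows with crib length."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, crib))
    for period in range(1, min(max_len, len(crib))):
        if all(stream[i] == stream[i % period] for i in range(len(crib))):
            return stream[:period]
    return None  # no short period: the cipher is not this simple

def analyse(ciphertext: bytes, ext: str):
    """Return (entropy, recovered key or None, recovered plaintext or None)
    for a file whose original type is given by ext."""
    key = recover_repeating_key(ciphertext, MAGIC[ext])
    plain = xor_bytes(ciphertext, key) if key else None
    return shannon_entropy(ciphertext), key, plain
```

If `analyse` returns a key, every file of that type on the disk can be recovered without paying; if it returns None for every type, the scheme is at least not a trivially periodic one and a full reverse of the binary is needed.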
We've decoded this algorithm too, but no decryption tool will be released for it because of privacy concerns. Anyway, we are working together with the FBI to get the server shut down and to track down the authors.
So, instead of paying $300 to buy the decryption software from the malware writer, you can now save that money and buy something worthwhile!
-- Marco
11 comments so far
- SIRIUS on 17/07/2007 12:10:14
- David on 17/07/2007 16:08:34
- Bill Revett on 17/07/2007 19:27:07
- Jim Mautino on 20/07/2007 17:18:59
- Alex on 12/08/2008 14:17:25
- Robert on 17/09/2008 11:38:46
- Angellaa on 24/02/2009 06:33:02
In your list of detections showing results of various antivirus programs... your comments as to why Prevx & F-Secure are not shown?
I don't have the file "NTOS.EXE" on my computer.... I plan on still running that program to try and decode my files but will not having the file ntos.exe mean your decoder will not work???
Also, once I run your program, what happens? Do I need to select anything or direct it anywhere, or does it work automatically?
Lastly, all the files on my external hard drive were encrypted too. Will I need to run that program on my external hard drive, or if I run it on my C drive will it search out my external and fix those files too?
Thanks,
I was infected with this ransomware on 7/10. For the past week I was trying to recover what I could, but ended up making things worse. This Prevx removal tool was a lifesaver! It decrypted 728 pages of encrypted photos and files. Many thanks!!
I had a friend get this and I ran your file and it fixed all his pics and other encrypted files EXCEPT the Outlook .pst file. It is still saying that it is not a personal file when I open outlook 2003. Is there something I am overlooking? Also, the PST file is just slightly over one gig. Thanks for your help!
I found your site on technorati and read a few of your other posts. Keep up the good work. I just added your RSS feed to my Google News Reader. Looking forward to reading more from you down the road!
Excellent site, added to favorites!!
Hmm, very cognitive post.
Is this theme good enough for the Digg?

Which versions of NT based operating systems does your unransomme.exe removal tool run? Thanks.