Wednesday, April 25, 2012

Windows Malware - Ransomware: Pay me to boot your computer.

Trend Micro has released some information on a new group of bootkit malware that is part of a hybrid attack on users' computers. The infection vector could be any unpatched Windows, Flash, Java, Acrobat or other vulnerability. Once infected, the malware will download multiple different types of malware (such as a fake antivirus program), including the ransomware. Once executed, the ransomware will infect the Master Boot Record (MBR) of the system hard drive. While this is not unusual these days (the TDSS/Alureon family uses this technique), this new malware will display a message on boot (most likely non-English) asking for money in exchange for an encryption key that allows the computer to continue booting into Windows.

An MBR infection of this type is highly difficult to resolve remotely, and usually requires "offline" manual cleanup using specialized boot disks and sometimes even the original Windows install media. Should you run into this type of infection, be aware that you are going to have at least 1 day of downtime in order to get the system cleaned.
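Because a bootkit of the kind described above overwrites the bootstrap code in the first 512-byte sector while leaving the partition table intact, one cheap defensive check is to baseline the MBR's code region and re-verify it. The following is an added example (not code from Trend Micro or from this post): it parses the MBR layout and compares the bootstrap code against a stored SHA-256 baseline; the sample MBRs are constructed byte strings, and reading the real sector from the physical disk is left out.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511 must be 55AA

def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and up to four
    (status, type, lba_start, sector_count) tuples. Used here only
    to construct sample data."""
    table = b"".join(struct.pack("<B3xB3xII", s, t, lba, n)
                     for s, t, lba, n in partitions)
    table = table.ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE

def parse_partitions(mbr: bytes):
    """Return the four partition-table entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def check_mbr(mbr: bytes, baseline_sha256: str):
    """Compare the bootstrap code region against a known-good baseline hash.
    Returns a list of findings; an empty list means nothing suspicious."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return ["unexpected sector size"]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 55AA boot signature")
    if hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest() != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    if not any(p["bootable"] for p in parse_partitions(mbr)):
        findings.append("no active partition")
    return findings

# Constructed sample data: a stand-in bootstrap stub (not real boot code) and one
# active NTFS-type partition, then a simulated bootkit that swaps the stub but
# keeps the partition table so Windows still appears present.
CLEAN_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"
PARTS = [(0x80, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTS)
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
INFECTED_MBR = build_mbr(b"\xEB\xFE" + b"\x90" * 16, PARTS)
```

Store the baseline hash off-box at install time; a later mismatch with an unchanged partition table is the pattern an MBR-overwriting bootkit leaves.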

Bitdefender and F-Secure have posted information on a different type of ransomware that encrypts your files and then changes their extensions (.doc, .pdf, etc.) to CRYPTED!, thereby making it difficult to run programs or open documents. This ransomware has so far been seen targeting users of peer-to-peer file sharing services, but could begin spreading through email via spam bots as well.
