DBSTalk Forum
1 - 20 of 32 Posts

· Charter Gold Club Member
Joined
·
22,099 Posts
Discussion Starter · #1 ·
New "drive-by" virus on the Internet carries a fake threat and fine, purportedly from the FBI.

From www.FBI.gov:
Citadel Malware Continues to Deliver Reveton Ransomware in Attempts to Extort Money

08/07/12 - The IC3 has been made aware of a new Citadel malware platform used to deliver ransomware named Reveton. The ransomware lures the victim to a drive-by download website, at which time the ransomware is installed on the user's computer. Once installed, the computer freezes and a screen is displayed warning the user they have violated United States federal law. The message further declares the user's IP address has been identified by the Federal Bureau of Investigation as visiting websites that feature child pornography and other illegal content.

To unlock the computer, the user is instructed to pay a fine to the U.S. Department of Justice using a prepaid money card service. The geographic location of the user's IP address determines what payment services are offered. In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud.

This is an attempt to extort money with the additional possibility of the victim's computer being used to participate in online bank fraud. If you have received this or something similar, do not follow payment instructions. Infected computers may not operate normally. If your computer is infected, you may need to contact a local computer expert for assistance to remove the malware.

It is suggested that you:

■File a complaint at www.IC3.gov.
■Seek out a local computer expert to assist with removing the malware.
Image of fake FBI notice here
 

· Hall Of Fame
Joined
·
16,178 Posts
It looks like this uses things like the BlackHole exploit pack. Of course this just adds to the need to keep things up to date. Windows patches, Java, Acrobat and Flash etc etc.

Secunia has a nifty program called PSI, which looks at all the programs on a system and identifies the ones that are out of date. It really helps keep up on security updates.
 

· Hall Of Fame
Joined
·
3,937 Posts
Once installed, the computer freezes and a screen is displayed warning the user they have violated United States federal law. The message further declares the user's IP address has been identified by the Federal Bureau of Investigation as visiting websites that feature child pornography and other illegal content.
Aw, shucks, my computer screens have been displaying warnings like that for years. They even use the same language that's been on the arrest warrants.
 

· Hall Of Fame
Joined
·
3,254 Posts
The clue here is "ransomware lures the victim to a site."

The lockup is not automatic.

People need to pay attention.

Thanks for the warning, though...
 

· Know Nothing
Joined
·
6,269 Posts
No doubt the bots are still active some where.

They'll have to kill those and distribute the unlock keys so people can clean their machines.
 

· AllStar
Joined
·
59 Posts
Boot up in safe mode and use System Restore. Worked for me after one of my nephews somehow caused my PC to become infected. Make sure to run Malwarebytes and scan for viruses after you do System Restore to make sure it's gone for good.
 

· Hall Of Fame
Joined
·
1,764 Posts
dpeters11 said:
Not saying that these shouldn't be prosecuted, but of course someone else just pops up. From watching the Tech Guy a weekend or two ago, people were still getting hit with this type of thing very recently.
Why prosecute? I hear that there are plenty of open suites at GTMO.
 

· Hall Of Fame
Joined
·
4,751 Posts
They're becoming more sophisticated. New variants encrypt the victim's hard drive and you don't get the encryption key without payment.

Booting into safe mode won't do squat for this attack vector.
 

· Hall Of Fame
Joined
·
2,140 Posts
First article is 3 years old and the second one is 5 years old. :nono:

Ransomware attacks are prevalent and some are sophisticated, but the vast majority of them simply try to trick the user into paying a fee to remove viruses that were never there to begin with.

I've been cleaning them up for years, and I've never seen one from which I couldn't retrieve the customer's files.
 

· Know Nothing
Joined
·
6,269 Posts
An unusual new strain of ransomware makes good on its threat, doing what the majority of other varieties only claim to do. The Trojan actually encrypts data on infected machines, effectively rendering certain files inaccessible to users on compromised computers in order to block removal.
According to the report, upon execution, the malware randomly spawns either ctfmon.exe or svchost.exe and injects its own code there. The injected system process then reportedly executes a copy from the %TEMP% folder, creating ctfmon.exe or svchost.exe child processes with the injected code, which is apparently where things take a turn for the interesting.

First the malware generates a unique computer ID, then it uses that ID and the fixed string "QQasd123zxc" to produce an encryption key with crypto API functions like "advapi32!CryptHashData" and "advapi32!CryptDeriveKey" so that the attacker can create the same key each time he uses that string. Now the malware sends requests with the computer ID back to its command and control server, encrypting its communications on the server with the first key and allowing the Trojan to decrypt them on the infected computers.

Next, a second key is created using "advapi32!CryptGenKey." Blinka explains that this function will create a random key each time it is used and cannot be recreated (unlike the first). From here, an RSA 2 blob is exported from the second key and encrypted by the first before being encoded in base64 and sent back to the C&C server, paired in the attacker's database with the computer ID.

Lastly, the list of files that the malware wants to encrypt is determined, and they are encrypted by "advapi32!CryptEncrypt" using the second key before the well-known ransom note shows up on a victim's locked screen.
http://threatpost.com/en_us/blogs/new-ransomware-encrypts-victim-data-013013
 
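The two-key scheme in the quoted write-up is worth seeing in code, because the structure explains why this particular January 2013 variant was recoverable while later server-side-key variants were not. The block below is an added illustration written for this thread, not code from the thread, from Blinka, or from the malware; it uses only the Python standard library, so the Windows CryptoAPI calls named above (CryptHashData/CryptDeriveKey, CryptGenKey, CryptEncrypt) are replaced with SHA-256 analogues and a toy counter-mode keystream cipher. That substitution, the shape of the C&C message, and the sample files are all assumptions; the key hierarchy is what the write-up describes: key 1 is derived deterministically from the computer ID plus the fixed string "QQasd123zxc", key 2 is random, key 2 is wrapped with key 1 and sent to the C&C, and the files are encrypted with key 2.

```python
"""Stand-in for the two-key ransomware scheme described in the threatpost write-up.

Assumptions (added example, not the malware's real code):
  - SHA-256(computer_id || fixed_string) stands in for CryptHashData + CryptDeriveKey.
  - os.urandom(32) stands in for CryptGenKey (random, not recreatable).
  - stream_xor() is a toy SHA-256 counter-mode keystream cipher standing in for
    CryptEncrypt; it is symmetric, so one function both encrypts and decrypts.
  - The C&C message is modelled as a dict; the real wire format is not on the page.
"""
import base64
import hashlib
import os

FIXED_STRING = b"QQasd123zxc"  # hard-coded string reported in the write-up


def derive_key1(computer_id: bytes) -> bytes:
    """Deterministic key: anyone holding computer_id and FIXED_STRING recreates it."""
    return hashlib.sha256(computer_id + FIXED_STRING).digest()


def generate_key2() -> bytes:
    """Random per-infection key; cannot be recreated once lost."""
    return os.urandom(32)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher: XOR data with SHA-256(key || block counter) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def infect(computer_id: bytes, files: dict) -> tuple:
    """Malware side: returns (c2_message, encrypted_files).

    Mirrors the write-up: key2 is exported, encrypted with key1, base64-encoded
    and sent to the C&C together with the computer ID; files are encrypted with key2.
    """
    key1 = derive_key1(computer_id)
    key2 = generate_key2()
    wrapped_key2 = base64.b64encode(stream_xor(key1, key2))
    c2_message = {"computer_id": computer_id, "wrapped_key2": wrapped_key2}
    encrypted_files = {name: stream_xor(key2, body) for name, body in files.items()}
    return c2_message, encrypted_files


def recover(c2_message: dict, encrypted_files: dict) -> dict:
    """Defender side: given a captured C&C message (e.g. from a proxy log or a
    network capture) and the known fixed string, key1 is recreatable, so key2
    can be unwrapped and the files decrypted without paying."""
    key1 = derive_key1(c2_message["computer_id"])
    key2 = stream_xor(key1, base64.b64decode(c2_message["wrapped_key2"]))
    return {name: stream_xor(key2, body) for name, body in encrypted_files.items()}


# Constructed sample data for a stand-alone run.
SAMPLE_FILES = {
    "report.docx": b"quarterly numbers, do not share",
    "photo.jpg": bytes(range(256)),
}


def demo() -> bool:
    """Run the whole round trip on the constructed sample; True if files come back."""
    msg, enc = infect(b"PC-ID-0001", SAMPLE_FILES)
    return recover(msg, enc) == SAMPLE_FILES


if __name__ == "__main__":
    print("recovered without paying:", demo())
```

The only reason recover() works is that key 1 is a function of two values a defender can obtain (the computer ID and the string embedded in the sample), and the wrapped key 2 crossed the network where it could be captured. Change either property, by replacing key 1 with a key that lives only on the attacker's server, or with an attacker-held public key so that the wrapped blob can only be opened with the private half, and the same capture tells the defender nothing; that is the shift to server-side and asymmetric keys the later posts in this thread describe.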

· Know Nothing
Joined
·
6,269 Posts
Some of the newer versions 'lock' the computer by encrypting key parts of the operating system and making it unusable. But, continued Corrons, "As some antivirus could break the encryption and release the files, the criminals changed to a more sophisticated technique using server-based encryption; and the only way to decrypt files in this state is to get the key from the criminals. So even if you remove the infection, you have still lost all your information."
http://www.infosecurity-magazine.com/view/30443/ransomware-threat-on-the-increase/

Also see: http://blogs.avg.com/news-threats/attention-data-hardrive-encrypted/
 

· Hall Of Fame
Joined
·
16,178 Posts
Marlin Guy;3182875 said:
First article is 3 years old and the second one is 5 years old. :nono:

Ransomware attacks are prevalent and some are sophisticated, but the vast majority of them simply try to trick the user into paying a fee to remove viruses that were never there to begin with.

I've been cleaning them up for years, and I've never seen one from which I couldn't retrieve the customer's files.
OK, agreed those are a few years old, but it does show that the issue did exist then, and there is no evidence that they don't do it anymore. It might be more targeted, in a spear-phishing attack.
 

· Hall Of Fame
Joined
·
4,751 Posts
Encryption Ransomware:
"Pay up or we'll notify the police!

Variants of this malware are infecting computers in Europe and they are devilishly sophisticated. They encrypt all the files on the hard drive. This prevents the owner from accessing them until the ransom is paid to get the decryption key.

"The bad guys have improved the nastiness of this attack," said Chester Wisniewski, a senior security advisor at SophosLabs. "They basically steal all of your documents and lock them in a vault. And only they have the key."

From http://www.nbcnews.com/business/latest-ransomware-attacks-are-scarily-sophisticated-969766
-----------
Obviously, there's no "vault". The attackers are the only ones with an encryption key.

Earlier variants used symmetric encryption, which is relatively easy to break. These use asymmetric encryption, which uses a public/private keypair. These are a helluva lot more difficult to break - actually impossible using the technology that most of us can get our hands on.
 