May 24, 2005 11:16 AM PDT

Miscreants encrypt files, hold them for ransom

In a new type of online attack, extortionists remotely encrypt a user's files and then demand money for the key needed to decrypt them.

In a case documented by San Diego-based Web security company Websense, the attack occurs after a user visits a Web site containing code that exploits a known flaw in Microsoft's Internet Explorer Web browser. The flaw is used to download and run a malicious program that in turn downloads an application that encrypts files on the victim's PC and mapped network drives, according to Websense. The program then drops a ransom note.

Even though this type of attack is not widespread at this point, Internet users should be aware of the threat, said Oliver Friedrichs, a senior manager at Symantec Security Response. "It is certainly concerning. This is the first time that we have seen cryptography used in this type of attack to hold your information hostage," he said.

"I would see this as the equivalent of somebody coming into your house, putting your valuables in a safe and not telling you the combination," Friedrichs said.

Researchers at Symantec have seen the malicious program used in the ransom attack. The "Trojan.Pgpcoder" searches a victim's hard disk drive for 15 common file types, including images and Microsoft Office file types. It then encrypts the files, removes the originals and drops a note asking $200 for the encryption key, Friedrichs said.
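The behaviour described above leaves a signature a defender can look for without knowing anything about the malware itself: files whose extension says "JPEG" or "Office document" but whose first bytes no longer carry that format's header, sitting next to a dropped note. The following is an added example, not Websense's or Symantec's code and not derived from the Trojan; the signature table covers a few of the commonly targeted types, the note filenames are an assumption, and the directory it scans is constructed in the block.

```python
"""Flag files whose on-disk contents no longer match the type their extension
claims: the observable side effect of a file-encrypting Trojan.  Added example;
the signature table, entropy threshold, note names and sample tree are ours."""
import math
import os
import tempfile
from collections import Counter
from typing import Dict, List, Optional

# Leading bytes for a few commonly targeted formats.  The signatures are the
# real ones; which formats to cover is our choice.
SIGNATURES = {
    ".jpg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 compound file (Office 97-2003)
    ".xls": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    ".zip": [b"PK\x03\x04"],
    ".pdf": [b"%PDF"],
}

# Ransom-note filenames are chosen by the attacker; these names are assumed.
NOTE_NAMES = {"attention!!!.txt", "readme.txt"}

# Ciphertext looks like random bytes: close to 8 bits of entropy per byte.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_matches(path: str) -> Optional[bool]:
    """True/False when the extension's signature is known, None when it is not."""
    sigs = SIGNATURES.get(os.path.splitext(path)[1].lower())
    if sigs is None:
        return None
    with open(path, "rb") as f:
        head = f.read(16)
    return any(head.startswith(s) for s in sigs)


def scan(root: str) -> Dict[str, List[str]]:
    """Walk `root`; return files of a known type whose header is gone and whose
    contents look random, plus any ransom-note-like files found beside them."""
    suspects, notes = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower() in NOTE_NAMES:
                notes.append(path)
                continue
            if header_matches(path) is False:
                with open(path, "rb") as f:
                    if shannon_entropy(f.read(4096)) > ENTROPY_THRESHOLD:
                        suspects.append(path)
    return {"suspects": sorted(suspects), "notes": sorted(notes)}


def build_sample_tree() -> str:
    """Constructed sample: two intact files, one file standing in for ciphertext,
    and a dropped note.  Returns the temporary directory it creates."""
    root = tempfile.mkdtemp(prefix="ransom-scan-demo-")
    with open(os.path.join(root, "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 100)
    with open(os.path.join(root, "memo.doc"), "wb") as f:
        f.write(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 100)
    with open(os.path.join(root, "report.xls"), "wb") as f:
        f.write(os.urandom(4096))  # stands in for an encrypted spreadsheet
    with open(os.path.join(root, "ATTENTION!!!.txt"), "w") as f:
        f.write("Some of your files are encrypted. Pay to get the key.\n")
    return root


if __name__ == "__main__":
    print(scan(build_sample_tree()))
```

The header check alone is not enough: a truncated or corrupted file also fails it, which is why the entropy test is added before a file is reported. Run on a real tree, a handful of hits on one workstation is noise; dozens of hits across mapped drives within minutes, with a note file next to them, is the pattern described in the article.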

A Websense customer fell victim to the attack. Luckily, in this case the encryption wasn't very sophisticated and Websense was able to decode the customer's files, said Dan Hubbard, senior director of security and research at Websense. "In this case we could help, but every variant can be different," he said.
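The article does not say what cipher the Trojan used or why it was weak, so the following is an added example rather than a reconstruction of the real case. It assumes a repeating-key XOR with one key per victim, and shows the general reason an unsophisticated file cipher can be undone without the attacker's key: the targeted formats begin with fixed bytes, so the first bytes of any encrypted file are a known-plaintext sample from which the key falls out directly. The files and the key are constructed in the block.

```python
"""Known-plaintext recovery against an assumed repeating-key XOR file cipher.
Added example: the Trojan's real cipher is not described on this page, the key
and the files below are constructed, and the file headers are real signatures."""
import os
from typing import Dict, Optional, Tuple

# Leading bytes of two targeted formats: a JFIF JPEG and an OLE2 Office file
# (8-byte signature followed by a CLSID that is normally all zeros).
KNOWN_HEADERS = {
    ".jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
}


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Stand-in for the weak cipher: XOR every byte with the key, repeating."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known: bytes, key_len: int) -> Optional[bytes]:
    """ct[i] ^ pt[i] == key[i % key_len].  Needs at least key_len known bytes;
    any further known bytes act as a consistency check, and a mismatch means
    the key length (or the cipher guess itself) is wrong."""
    if len(known) < key_len or len(ciphertext) < len(known):
        return None
    key = bytes(ciphertext[i] ^ known[i] for i in range(key_len))
    for i in range(key_len, len(known)):
        if ciphertext[i] ^ known[i] != key[i % key_len]:
            return None
    return key


def recover_files(encrypted: Dict[str, bytes], max_key_len: int = 16
                  ) -> Tuple[Optional[bytes], Dict[str, bytes]]:
    """Try key lengths in increasing order; every file with a known header must
    yield the same key.  The recovered key then decrypts the whole set,
    including files whose format we have no signature for."""
    for key_len in range(1, max_key_len + 1):
        key = None
        for name, ct in encrypted.items():
            header = KNOWN_HEADERS.get(os.path.splitext(name)[1].lower())
            if header is None:
                continue
            candidate = recover_key(ct, header, key_len)
            if candidate is None or (key is not None and candidate != key):
                key = None
                break
            key = candidate
        if key is not None:
            return key, {name: xor_with_key(ct, key) for name, ct in encrypted.items()}
    return None, {}


# Constructed victim data.  DEMO_KEY is the attacker's key, which the recovery
# code above never reads; it is only used to build the sample ciphertext.
DEMO_KEY = b"\x5a\x13\x9c\x77\x01\xee\x42\x08"
ORIGINALS = {
    "photo.jpg": KNOWN_HEADERS[".jpg"] + b"constructed image payload",
    "memo.doc": KNOWN_HEADERS[".doc"] + b"constructed document payload",
    "notes.bak": b"no signature on file for this extension",
}


def build_encrypted_sample() -> Dict[str, bytes]:
    return {name: xor_with_key(data, DEMO_KEY) for name, data in ORIGINALS.items()}


if __name__ == "__main__":
    key, recovered = recover_files(build_encrypted_sample())
    print("key:", key.hex() if key else None)
    for name, data in recovered.items():
        print(name, "ok" if data == ORIGINALS[name] else "MISMATCH")
```

The same idea carries over to any cipher whose keystream does not depend on the plaintext and repeats or is reused across files; the point of a properly designed scheme (a real block cipher in a sound mode, with a fresh key the victim cannot derive) is exactly that a known header gives the defender nothing. That is the distinction behind Hubbard's warning that every variant can be different.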

Attackers could use e-mail, a Web site, or other means to distribute the Trojan.Pgpcoder and launch a widespread extortion campaign, Symantec's Friedrichs said.

Websense, however, doesn't see a trend yet. Attackers leave a trail if they ask for money, Hubbard said: "This type of attack is not that difficult to perform. However, in order to collect money the attackers are leaving themselves open to investigation and tracing."

For protection, users should run security software and make sure that their software is patched, Websense and Symantec said. The Internet Explorer flaw exploited to attack the user in the Websense case was patched in July last year.

The Websense customer was victimized two weeks ago. The Web sites involved in the attack have since been taken down.

Does this affect Macs?
... I didn't think so. Thanks.
Posted by (57 comments )
Hey Man
Buy a Dell Dude. Whooaoaoaoaoao geeee ahhhhhhh Dude!
Posted by Andrew J Glina (1673 comments )
Another reason NOT to use IE
This is the true drive by attack.
Posted by wazzledoozle (288 comments )
The obvious solution
It is odd that the article doesn't even mention the most obvious
solution to this problem: BACKUP ALL IMPORTANT FILES.
Preferably to a removable media like CD-R or DVD-R. Then when
the file is hosed (by mistake or maliciously) you can just grab the
backup and laugh at the intruders.

Oh, and death penalty for Trojan/Virus writers may help curb some
of the little creeps as well.
Posted by (38 comments )
That is not a solution
It is a workaround.

Sure, you can get back your data easily if you do this( and everyone should, no matter what software they use), but it does not solve the problem.

A solution is to just don't use IE.
Posted by pcLoadLetter (395 comments )
Miscreants_Encrypt_Files - Earlier Experience
I encountered such an encryption attack at my law office several years ago, in which different files on the same hard drives and floppy disks were encrypted with different programs. That time, we discovered that, on the same hard and floppy disks, certain files had been converted from WordPerfect 5.1 (DOS) to WordStar 4, Navy DIF, and other programs for which we had no software. This did involve an old-fashioned burglary, though the local police insisted it had not and that this had resulted from a power surge!

We later learned who had done this, and recovered some paper files he had also stolen, after the statute of limitations had run. He had been recommended highly to us by lawyers, a judge, and a university department head, etc. His father found and returned some stolen hard copies of documents, as well as finding the newsletter addressed and mailed to the culprit by a national organization of child molesters. Two credible people have identified him as the perpetrator of sex crimes against them, but, in the local legal environment, wouldn't report it. He has two college degrees and may now be practicing law somewhere but I have not found him online yet. I will provide his name to anyone with a legitimate investigative need.

PETER S. CHAMBVERLAIN
1309 Hunt Street
Commerce, Texas 75428-2916
peterschamberlain@earthlink.net
(903)886-2323
CELL: (903)366-6926
Posted by Transaction7 (30 comments )
HA HA
I laugh when something happens to someone's 'critical files', the first question I ask is: 'Did you have it backed up?'

99% of the time in a non-corporate environment the answer is: 'Back up?' 'How was I supposed to do that?'

90% of the people I ask in a corporate environment say 'No', even though they have mapped network drives to personal space on a server that is backed up nightly. On a side note those same users have absolutely nothing on their network drives.... everything is saved under my documents.....LOL

I do not feel sorry for anyone that is affected by these sorts of attacks, because if you'd had anti-virus with updated definitions and used the microsoft firewall, you'd be protected.

And to all those of you who would say 'Microsoft sucks! I never get attacked':

Well Microsoft is the big guy on top of the hill and everyone wants to take him down so they can be 'king of the hill', what they fail to realise is that as soon as someone else takes over that spot, they will become the primary target for attack. Lots of people proudly walked around saying I don't have problems now because I use FireFox....I think a virus about a week later shut those people up. Every piece of software is going to have a vulnerability regardless if it's open source or proprietary.

I'm more in love with Microsoft than my own wife! Microsoft has provided me with the tools and knowledge I need to be successful in this crazy world we live in. My wife just nags about her allowance and other mindless drama that wives talk about while I'm out bringing home the bacon so to speak.
Posted by (20 comments )
Another "half-of-the-story" story
Which flaw in IE? Is there a patch for the flaw that the victim has failed to install?

These are questions that should be answered in the story but lazy reporters obviously don't care.
Posted by aabcdefghij987654321 (1721 comments )
There is a patch...
According to the article, it does mention that there is a patch for the IE flaw available. It doesn't specifically say which one, but it was a critical one that should be installed.
Posted by TMB333 (115 comments )