Some of you probably remember this article where I described the huge increase in attacks seen in some countries from malware posing as different law enforcement agencies. This kind of malware is called the “Police Virus” for that reason, and its main purpose (as usual with malware) is to steal money from users. To do that it tries to scare them (that’s why this kind of malware is sometimes called “scareware”).
Over the last few months these attacks have evolved. As if posing as the police was not enough, they started using ransomware tactics, encrypting files on the computer and “forcing” the victim to pay the fine in order to recover access to those files. Basically they took this functionality from PGPCoder, a trojan designed to encrypt files, which were only decrypted once you paid a ransom to the cybercriminals behind it.
The first versions of this new police virus only encrypted .doc files, and the encryption was not really strong, so it was possible to decrypt them without having the key. However, these cybercriminals realized they had made a mistake and created a new version. This time the encryption uses a more advanced technique, so the key is needed in order to decrypt the files. Not only that, but the key is different for every infected computer, so unless someone can access the server where the keys are stored there is no way to recover those files. And they are not just encrypting .doc files anymore: some variants have a list of file extensions to encrypt; others have just an exclusion list to avoid encrypting critical system files, and they encrypt everything else.
How much further can they go? At the end of the day, what these cybercriminals need is to scare users as much as possible so that they pay this ransom (the “fine”). Last week we came across yet another variant, which oddly was activating the computer’s webcam. What for? They have modified the typical warning page they were using before:
For a new one that includes a frame with the image taken by the webcam:
As you can see, there is a frame where the webcam stream is shown, and a caption that says “Video recording”. However, it is not recording any video, nor sending it anywhere; it is just showing the image taken by the webcam. But of course the user doesn’t know this, and most of them will be really scared and will pay as soon as possible to get rid of it. This variant does not have the encryption feature; they must have thought that the webcam trick is scary enough.
6 comments
“…key is different for every computer that has been infected…”
What about a brute force attack on the encrypted files?
If you run this malware in a lab a few times, and see what password is sent to the server, I think it is possible to make a pattern of the passwords used:
e.g.:
length: 8-12
chars: a-z, 0-9, no special chars, no caps lock, etc.