Trojan demands $300 in exchange for decryption

Virus hunters have discovered a new Trojan that encrypts files on an infected computer and then demands $300 in ransom for a decryption password.

The Trojan, identified as Cryzip, uses a commercial zip library to store the victim's documents inside a password-protected zip file and leaves step-by-step instructions on how to pay the ransom to retrieve the files.

According to a LURHQ advisory, Cryzip searches an infected hard drive for a wide range of widely used file types, including Word and Excel documents, PDFs and JPEG images.

A text file named “AUTO_ZIP_REPORT.TXT” is dropped containing specific instructions on how to use the E-Gold online currency and payment system to send the ransom payment.

The instructions, which are marked by misspellings and poor grammar, contain the following text: “Your computer catched our software while browsing illigal porn pages, all your documents, text files, databases was archived with long enought password. You can not guess the password for your archived files – password lenght is more then 10 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).”

The owner of the infected machine is warned not to search for the program that encrypted the data; the note claims it simply doesn't exist on the hard drive.

“If you really care about documents and information in encrypted files you can pay using electonic currency $300,” the note says. “Reporting to police about a case will not help you, they do not know password. Reporting somewhere about our E-Gold account will not help you to restore files. This is your only way to get yours files back.”
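As an added example (not code from the article or from LURHQ), the following Python script shows how a responder would triage a machine hit by a zip-based ransom Trojan of the kind described above: it locates archives by signature rather than by name, checks the encryption flag, lists the member names (ZipCrypto encrypts member data but leaves file names readable, so you can at least inventory what was archived), and tries a list of candidate passwords. Because Python's zipfile can read ZipCrypto archives but cannot write them, the script carries a small ZipCrypto encryptor and builds a constructed victim directory in a temporary folder so that it runs offline. The document contents, the password and the wordlist are made up; that the archives are plain stored ZipCrypto members and that the note keeps the name AUTO_ZIP_REPORT.TXT are my assumptions.

```python
# Added example (not code from the article or from LURHQ); assumptions in the lead-in.
import os
import struct
import tempfile
import zipfile
import zlib

RANSOM_NOTE = "AUTO_ZIP_REPORT.TXT"  # note name reported in the advisory

def _gen_crc(c):
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    return c

_CRC_TABLE = [_gen_crc(i) for i in range(256)]

class ZipCrypto:
    """Traditional PKWARE ('ZipCrypto') stream cipher, encrypt direction."""
    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = (self.k0 >> 8) ^ _CRC_TABLE[(self.k0 ^ b) & 0xFF]
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            k = self.k2 | 2
            out.append(b ^ (((k * (k ^ 1)) >> 8) & 0xFF))
            self._update(b)  # key state advances on the plaintext byte
        return bytes(out)

def write_zipcrypto_zip(path, member, plain: bytes, password: bytes):
    """Hand-build a one-member, stored, password-protected zip (Python's
    zipfile reads ZipCrypto but cannot write it)."""
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    # 12-byte encryption header; its last byte (CRC high byte) is the only
    # password check a reader can make before decrypting the member.
    body = ZipCrypto(password).encrypt(os.urandom(11) + bytes([crc >> 24]) + plain)
    name = member.encode()
    t, d = 0, (26 << 9) | (3 << 5) | 13  # DOS time/date, arbitrary values
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, t, d,
                        crc, len(body), len(plain), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, t, d,
                          crc, len(body), len(plain), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    with open(path, "wb") as fh:
        fh.write(local + body + central + eocd)

def build_sample(root, password: bytes):
    """Constructed victim directory: one archive per document plus the note."""
    docs = {"budget.xls": b"Q1 figures, internal", "thesis.doc": b"Chapter 1",
            "beach.jpg": b"\xff\xd8\xff\xe0 not a real JPEG"}
    os.makedirs(root, exist_ok=True)
    for name, data in docs.items():
        write_zipcrypto_zip(os.path.join(root, name + ".zip"), name, data, password)
    with open(os.path.join(root, RANSOM_NOTE), "w") as fh:
        fh.write("Your computer catched our software ... pay $300 ...\n")
    return sorted(docs)

def triage(root, candidates):
    """Locate archives by signature, report encryption status and member
    names (ZipCrypto leaves names in the clear), try candidate passwords."""
    findings = []
    for dirpath, _, files in os.walk(root):
        note_present = RANSOM_NOTE in files
        for f in files:
            path = os.path.join(dirpath, f)
            if not zipfile.is_zipfile(path):
                continue
            with zipfile.ZipFile(path) as z:
                infos = z.infolist()
                encrypted = any(i.flag_bits & 0x1 for i in infos)
                password = None
                for pwd in (candidates if encrypted else ()):
                    try:
                        for i in infos:
                            z.read(i.filename, pwd=pwd)
                        password = pwd
                        break
                    except (RuntimeError, zipfile.BadZipFile):
                        # RuntimeError: check byte mismatch. BadZipFile: the 1-in-256
                        # wrong password that passes the check byte but fails the CRC.
                        continue
            findings.append({"archive": path, "note_present": note_present,
                             "encrypted": encrypted, "password": password,
                             "members": [i.filename for i in infos]})
    return sorted(findings, key=lambda x: x["archive"])

def demo(password=b"hypothetical-long-password-2006",
         candidates=(b"password", b"123456", b"hypothetical-long-password-2006")):
    """Build the constructed sample in a temp dir and triage it."""
    root = tempfile.mkdtemp(prefix="cryzip_triage_")
    build_sample(root, password)
    return triage(root, list(candidates))

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Two caveats worth stating. The note's claim that a long password defeats brute force is true as far as it goes, but a password embedded in the Trojan itself can be recovered by analysing the sample, and ZipCrypto is vulnerable to a known-plaintext attack (Biham and Kocher, 1994) whenever you still hold an unencrypted copy of any archived file. Also note the two exception types caught above: a wrong password fails the 12-byte header check byte 255 times out of 256, and the remaining case only fails the CRC after the member has been fully read, so a dictionary run must catch both.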

Another variant locks the machine at boot instead of archiving individual files.

The computer boots to a DOS-style text screen that reads:

Your PC is blocked.
All the hard drives were encrypted.
Browse www. safe-data. ru to get an access to your system and files.
Any attempt to restore the drives using other way will lead to inevitable data loss.
Please remember: Your ID: 773923
with its help your sign-on password will be generated.
Enter password:

On visiting the website, the victim is told to pay USD 100 to decrypt the hard drives and that any other recovery method will result in complete data loss.

Protect your valuable data with regular backups kept somewhere the malware cannot reach, and with daily virus scans. Remember, clicking can be bad for your computer's health.