BleepingComputer.com: Ransomware Attack


Ransomware Attack

#1 DrPCfix

Posted 30 November 2010 - 05:45 PM

I just got a PC in for repair with a ransomware attack.

Specs: XP/SP3, running AVG 9.

All files (doc, xls, txt, bmp, jpg etc.) have been renamed and apparently encrypted.
Found on the desktop is a txt file which demands $120 be sent to decrypt.

Renamed files all end in .ENCODED.

RKILL finds nothing.
Malwarebytes runs for 10 seconds and then exits in both regular and safe mode.

Found on the desktop is a file (HOW TO DECRYPT FILES.txt) containing the following:

Attention!!!
All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself - just look for files in all folders.
There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.
We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ignoring your message and nothing will be done.
For details you have to send your request on this e-mail (attach to message a full serial key shown below in this 'how to..' file on desktop): datafinder@fastmail.fm

This post has been edited by DrPCfix: 30 November 2010 - 08:49 PM


#2 quietman7

Posted 30 November 2010 - 09:54 PM

Sorry to report but this appears to be a new variant of the GpCode-like ransomware. Sophos has named it Troj/Ransom-U and Kaspersky has named it Trojan-Ransom.Win32.GpCode.ax. Kaspersky also advises the chances of getting your data back are very low as the malware is using RSA-1024 and AES-256 crypto-algorithms. You can read more about the infection here.

It was just reported yesterday so security vendors are still trying to determine what approach to take. Kaspersky says they will keep posting more information as they continue their investigation.
Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 DrPCfix

Posted 01 December 2010 - 09:40 AM

Do you have a link to the Kaspersky posting? Any idea how this or any PC can get infected by this virus? Are any of the current AV vendors able to catch it before it does harm? I've visited multiple AV sites and have found no mention of it yet.

Potentially, millions of PC users could lose their data to this virus.

#4 quietman7

Posted 01 December 2010 - 10:04 AM

Quote

Kaspersky Lab experts are working on an in-depth analysis of the recent Trojan and will update you on every discovery that may assist with data recovery.

If you think you are infected, we recommend that you do not change anything on your system as it may prevent potential data recovery if we find a solution. It is safe to shutdown the computer or restart it despite claims by the malware writer that files are deleted after N days - we haven't seen any evidence of time-based file deleting mechanism. But nevertheless, it is better to stay away from any changes that could be made to the file system which, for example, may be caused by computer restart.
Securelist Blog

Quote

The program spreads via malicious websites and P2P networks
Securelist Threat Level

Quote

Users have reported to us that they have received the attack via a malicious PDF which downloads and installs the ransomware. Sophos detects the PDF as Troj/PDFJS-ML.
Sophos news report

Sophos: Troj/Ransom-U
Trojan-Ransom.Win32.Gpcode.ax

I have been looking around this morning but have not seen any updates.

#5 DrPCfix

Posted 02 December 2010 - 10:30 AM

So, I opened a chat session with Norton - the claimed gods of internet security - read the chat and then tell me how confident you all are about using their product?

Symantec LiveAssist Chat

Connected Status Analyst Anjith is here to assist you.

Issue: Ransom.Win32.GpCode.ax

Aneesh(Thu Dec 02 2010 06:53:32 GMT-0500 (Eastern Standard Time))>

Are you connected from the computer which has this particular issue?


drpcfix(Thu Dec 02 2010 09:53:50 GMT-0500 (Eastern Standard Time))>

No, computer has been trashed by virus; all files have been encrypted.


Aneesh(Thu Dec 02 2010 06:58:22 GMT-0500 (Eastern Standard Time))>

Are you able to connect to any websites from the infected computer like Google or MSN?


drpcfix(Thu Dec 02 2010 09:59:19 GMT-0500 (Eastern Standard Time))>

No, computer does not boot. I took out the hard drive and all files have been renamed with an extension of .ENCODED. On the desktop is a ransom letter.


drpcfix(Thu Dec 02 2010 10:03:26 GMT-0500 (Eastern Standard Time))>

Has Norton added a definition for this virus?


Aneesh(Thu Dec 02 2010 07:04:14 GMT-0500 (Eastern Standard Time))>

As I understand from your issue description, your computer is infected with Ransom.Win32.GpCode.ax. Is that correct?


drpcfix(Thu Dec 02 2010 10:04:24 GMT-0500 (Eastern Standard Time))>

Yes.


Aneesh(Thu Dec 02 2010 07:06:13 GMT-0500 (Eastern Standard Time))>

Henry, since you are not able to boot your computer I would suggest you to contact a local technician for further assistance.


drpcfix(Thu Dec 02 2010 10:07:58 GMT-0500 (Eastern Standard Time))>

I took the computer to a local tech who said that the PC needed to have Windows reloaded and that all my files are lost. However, before I do this I need to know that Norton will protect me so that this will not happen again, so does Norton protect?


Aneesh(Thu Dec 02 2010 07:10:21 GMT-0500 (Eastern Standard Time))>

Yes Henry.


Aneesh(Thu Dec 02 2010 07:10:22 GMT-0500 (Eastern Standard Time))>

Is there anything else I can help you with?


drpcfix(Thu Dec 02 2010 10:11:43 GMT-0500 (Eastern Standard Time))>

Can you give me a link to somewhere on the Norton website that backs up your claim that this virus has been added? I've searched the site and cannot find it.


Aneesh(Thu Dec 02 2010 07:12:09 GMT-0500 (Eastern Standard Time))>

You are currently experiencing a product related issue. This is supported by the Technical Support Team.


I can connect this chat session to the Technical Support Team directly. May I do so?
You can also connect to them by visiting http://www.symantec.com/supportoptions


drpcfix(Thu Dec 02 2010 10:12:23 GMT-0500 (Eastern Standard Time))>

y


Aneesh(Thu Dec 02 2010 07:12:43 GMT-0500 (Eastern Standard Time))>

I will now transfer this session to the Technical Support Team, who will assist you further with this issue.

Please note that, you can also connect to them directly by visiting http://www.symantec.com/supportoptions


It has been pleasure working with you, thank you for using Norton; have a great day.

Please wait while I connect you to the Technical Support Team. This normally takes between 2 to 5 minutes.


Aneesh(Thu Dec 02 2010 07:12:47 GMT-0500 (Eastern Standard Time))>

Please wait, while the issue is escalated to another analyst.


Anjith has entered room.


Anjith(Thu Dec 02 2010 07:12:54 GMT-0500 (Eastern Standard Time))>

Welcome to Norton Support, my name is Anjith Raju. Can I please have a minute to go through the information you have provided?


Aneesh has left room.


Anjith(Thu Dec 02 2010 07:14:13 GMT-0500 (Eastern Standard Time))>

Hi drpcfix, may I know what is the exact issue?


drpcfix(Thu Dec 02 2010 10:15:51 GMT-0500 (Eastern Standard Time))>

PC got a virus; from my searching the internet it's called Ransom.Win32.GpCode.ax. It appears that all files on my drive are encrypted beyond repair. I will reinstall XP, but before I do so, I want to know that Norton has added this virus to their DB so that I don't get it again.


drpcfix(Thu Dec 02 2010 10:16:30 GMT-0500 (Eastern Standard Time))>

It's a new variant that came out somewhere around 11/25/2010; there were similar but less evil versions since 2004.


Anjith(Thu Dec 02 2010 07:16:44 GMT-0500 (Eastern Standard Time))>

drpcfix, I have noted down the virus name.


Anjith(Thu Dec 02 2010 07:17:05 GMT-0500 (Eastern Standard Time))>

That virus definition will be added to the Norton server,


Anjith(Thu Dec 02 2010 07:17:18 GMT-0500 (Eastern Standard Time))>

so that this virus will not affect any PC any more.


drpcfix(Thu Dec 02 2010 10:17:29 GMT-0500 (Eastern Standard Time))>

When will it be added?


Anjith(Thu Dec 02 2010 07:18:30 GMT-0500 (Eastern Standard Time))>

Before updating our technicians need to investigate this virus.


Anjith(Thu Dec 02 2010 07:18:44 GMT-0500 (Eastern Standard Time))>

So it will take 2 weeks to update.


drpcfix(Thu Dec 02 2010 10:19:22 GMT-0500 (Eastern Standard Time))>

How will the public be notified of this happening?


Anjith(Thu Dec 02 2010 07:20:07 GMT-0500 (Eastern Standard Time))>

That will be updated through Live Update.

#6 quietman7

Posted 02 December 2010 - 10:53 AM

The Norton Tech says it will be added but then they advise before updating their technicians need to investigate further, then he says it will take two weeks. Sounds like he's not sure so he is giving you a two week span, probably hoping the issue will be resolved by then.

I doubt you were speaking to a researcher as the answers appear to be more generic than specific. I suspect Norton is in the same boat as every other security vendor...still investigating and still trying to determine how to handle the infection.

#7 DrPCfix

Posted 02 December 2010 - 05:34 PM

Well I don't know about the rest of you, but this virus scares the pants off of me. We all know that most users have pitiful backups and if this virus becomes prevalent they will quickly tire of the need to keep reinstalling windows each time they get infected.

Interestingly enough, none of the AV vendors seem to be saying anything about this virus. I'm guessing that they only like to toot their horns after they have figured it out.

After all, no sense advising users to be extra diligent with backups if you can't help them anyways.

#8 quietman7

Posted 02 December 2010 - 05:46 PM

Quote

Interestingly enough, none of the AV vendors seem to be saying anything about this virus.

Appears that way as I have been looking around...not much since the initial warning reports.

#9 pengu

Posted 06 December 2010 - 02:40 PM

Has there been any update to this spyware as yet? I also have this infection on one of my clients' computers.

#10 z4 guy

Posted 19 December 2010 - 08:31 PM

At the end of November in a Starbucks one day I was online when a Java applet quickly kicked on and off, a PDF notice appeared and I got a BSOD. Would not boot after just a flashing cursor. Had Win 7 at the time. Had to reinstall OS and put on Vista with latest SP and copied back some files I had rescued from a DOS prompt file save after the initial crash.

Today same Starbucks. Online I know where, academic site in one tab and my online vita in another. I had reinstalled Java yesterday. All of a sudden I got a Java dialogue box open then close, then a PDF with a .ru extension asked to download since they must prompt for me. I said no, then saw my desktop had the ransom pic text. My icons were changed and files given the .ENCODED extension. I deleted the file it asked me to read without reading it. McAfee popped up a window saying it cleaned four files but on a scan it found 11. Ad-Aware hung and would not run. Task Manager showed the rogue executable, which I stopped and deleted. Hope that helps.

The sooner you stop and delete the executable from Task Manager, it seems, the sooner it stops encoding. It does just encode the beginning of the file, but PDFs are rendered useless with Adobe.
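An added example, not code from this thread or from any vendor named in it: a read-only triage script for a technician who has pulled the drive, as DrPCfix did. It locates the HOW TO DECRYPT FILES.txt note and every .ENCODED file, then compares the byte entropy of each file's head and tail to check z4 guy's observation that only the beginning of a file is encoded. The 4096-byte head size, the 7.0 bits/byte threshold and the sample files are assumptions; pseudo-random bytes stand in for ciphertext.

```python
import math, os, pathlib, random, tempfile
from collections import Counter

RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"  # note filename reported in post #1
EXTENSION = ".ENCODED"                     # extension reported in post #1
HEAD = 4096  # assumed size of the "beginning of file" region to inspect

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, far lower for text or padding."""
    n = len(data) or 1  # empty input yields 0 rather than a division error
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str, head: int = HEAD) -> tuple:
    """Open the file read-only and compare entropy of its head and tail."""
    with open(path, "rb") as f:
        data = f.read()
    h, t = shannon_entropy(data[:head]), shannon_entropy(data[head:])
    if h <= 7.0:
        verdict = "no high-entropy head"
    elif t > 7.0 or len(data) <= head:
        verdict = "fully encrypted"
    else:
        verdict = "head encrypted, tail intact"
    return h, t, verdict

def triage(root: str) -> tuple:
    """Read-only walk: locate ransom notes and classify every .ENCODED file."""
    notes, encoded = [], {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(full)
            elif name.upper().endswith(EXTENSION):
                encoded[os.path.relpath(full, root)] = classify(full)
    return notes, encoded

def demo() -> dict:
    """Constructed sample tree (seeded pseudo-random bytes stand in for ciphertext)."""
    rng = random.Random(1)
    cipher = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    root = tempfile.mkdtemp()
    samples = {RANSOM_NOTE: b"Attention!!!\n",  # stand-in for the note text in post #1
               "report.doc.ENCODED": cipher(HEAD) + b"Plain document body. " * 400,
               "photo.jpg.ENCODED": cipher(HEAD + 2048)}
    for name, content in samples.items():
        pathlib.Path(root, name).write_bytes(content)
    notes, encoded = triage(root)
    return {"notes": len(notes), **{k: v[2] for k, v in encoded.items()}}
```

Run triage() against a mounted image or a copy of the pulled drive rather than the original; it only reads, which keeps the disk unchanged as Kaspersky's advice quoted above asks.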
