
New ransomware/encrypting infection in the wild


6 replies to this topic

#1 Zeromus-X


Posted 30 November 2010 - 10:19 AM

http://www.securelist.com/en/blog/333/GpCode_like_Ransomware_Is_Back

Now, GpCode is back and it is stronger than before. Unlike the previous variants, it doesn't delete files after encryption. Instead it overwrites data in the files, which makes it impossible to use data-recovery software such as PhotoRec, which we suggested during the last attack.

Preliminary analysis showed that RSA-1024 and AES-256 are used as crypto-algorithms. The malware encrypts only part of the file, starting from the first byte.


I've got one system here with this infection that I posted about on the Spyware forums with no luck/replies so far. Interestingly, though, my infection doesn't open a Notepad file; it appears to have overwritten the boot sector of the hard drive, but it appears to have come out at the same time as this one. I don't know if it's a variant or something that hasn't been found in the labs yet. If you're interested, there's a thread on the "Am I Infected" forum.

Edited by Zeromus-X, 30 November 2010 - 10:22 AM.



#2 B-boy/StyLe/


Posted 30 November 2010 - 02:15 PM

And Now, an MBR Ransomware


http://www.securelist.com/en/blog/208188032/And_Now_an_MBR_Ransomware



#3 Barajiqal


Posted 30 November 2010 - 03:24 PM

When will people stop doing these sorts of things? Pretty lame, but thanks for the heads up on this one; I don't need any more headaches than I already have.

-Bar
"I am Become Death, Destroyer of Worlds" - (Verse 32 Chapter 11 of the Bhagavad Gita) Robert J Oppenheimer

"Any Man Who Has a Habit and Cannot Bear to Share it Should not Have the Habit at All" - Misquote From Roland of Gilead in the Stephen King Series The Dark Tower

#4 Romeo29


Posted 30 November 2010 - 03:51 PM

One more lesson to learn: do not use your computer with an Administrator-level account.
Use only a Standard account for everyday use. Use the Administrator account only when necessary.

#5 B-boy/StyLe/


Posted 30 November 2010 - 05:31 PM

Romeo29 wrote:
One more lesson to learn: do not use your computer with an Administrator-level account.
Use only a Standard account for everyday use. Use the Administrator account only when necessary.



I agree, but this is not applicable to SpyEye. :)

SpyEye is able to install itself and run perfectly from limited accounts. Yes, it could still steal sensitive data from the browser, even if run with limited privileges.
I hear a lot of people claiming they don't need security software because they use a Windows limited account: they could actually already be a victim of SpyEye.


Anyway, any user with a reasonable knowledge of computing should only be laughing at this.
Just back up your data on a regular basis. Personally I use Macrium Reflect Free Edition.
No need to dish out $120 to get back your precious data that way.


Regards,
Georgi :wink:



#6 quietman7


Posted 30 November 2010 - 09:39 PM

Malicious hackers are spreading the ransomware, which encrypts media and Office files on victims' computers, in an attempt to extort $120. In a nutshell, you can't access your files because the malicious code has encrypted them (in our observations, the whole file isn't encrypted, just the first 10% or so), and the hackers want you to pay the ransom if you want your valuable data back.

Drive-by ransomware attack demands $120

Ransomware Trojan is back and badder than ever
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
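The behaviour described in this thread (only the leading ~10% of each file is overwritten in place, starting at the first byte, so the tail survives but the file no longer opens) can be turned into a simple triage check for scoping a restore from backup. This is an added example, not code from the thread or from Kaspersky; the magic-byte table, the 7.0-bit threshold and the synthetic sample file are assumptions constructed for the demo.

```python
import hashlib
import math
import os
from collections import Counter
# Leading magic bytes for a few of the media/Office types the post says
# GpCode targets (a constructed subset for this demo, not a full list).
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",                      # OOXML is a ZIP container
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for cipher output, lower for most headers."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(name: str, data: bytes, fraction: float = 0.10) -> dict:
    """Flag a file whose leading `fraction` looks overwritten in place:
    the tail is left intact, so the sign is a missing magic header plus
    high entropy in the first ~10% (compressed types need the magic test)."""
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    head = data[: max(1, int(len(data) * fraction))]
    magic_ok = expected is not None and data.startswith(expected)
    entropy = shannon_entropy(head)
    return {
        "file": name,
        "known_type": expected is not None,
        "magic_ok": magic_ok,
        "head_entropy": round(entropy, 2),
        "suspicious": expected is not None and not magic_ok and entropy > 7.0,
    }

# --- constructed fixtures for a dry run (no real malware involved) ----------
def make_clean_jpeg(size: int = 10240) -> bytes:
    """Synthetic JPEG-like file: valid magic followed by zero padding."""
    return MAGIC[".jpg"] + b"\xe0" + b"\x00" * (size - 4)

def mimic_head_overwrite(data: bytes, fraction: float = 0.10) -> bytes:
    """Replace the leading `fraction` with deterministic pseudo-random bytes
    (SHA-256 counter output) to mimic the damage pattern, not real encryption."""
    n = int(len(data) * fraction)
    stream = b"".join(hashlib.sha256(b"demo" + i.to_bytes(4, "big")).digest()
                      for i in range(n // 32 + 1))[:n]
    return stream + data[n:]
```

A JPEG or OOXML body is already high-entropy, so the magic check does the real work; the entropy test only distinguishes a header replaced with cipher-like data from one that was zeroed or truncated.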

#7 quietman7


Posted 01 December 2010 - 10:06 AM

Kaspersky Lab experts are working on an in-depth analysis of the recent Trojan and will update you on every discovery that may assist with data recovery.

If you think you are infected, we recommend that you do not change anything on your system, as it may prevent potential data recovery if we find a solution. It is safe to shut down the computer or restart it despite claims by the malware writer that files are deleted after N days; we haven't seen any evidence of a time-based file-deleting mechanism. But nevertheless, it is better to stay away from any changes that could be made to the file system which, for example, may be caused by a computer restart.

Securelist Blog

I have been looking around this morning but have not seen any updates.