NEWS FROM THE LAB - Friday, January 8, 2010

Ransomware - Buy Back Your Own Files Posted by Alia @ 02:08 GMT

We haven't seen ransomware for a while, so a recent scheme that mixed elements of modern rogueware pushing and old-school ransomware attempts was rather interesting.

The preliminary work is done by a program we detect as Trojan:W32/DatCrypt, which makes it look as if certain files — mostly Microsoft Office documents, video, music and image files — on the infected system had been "corrupted":

[Screenshot: Trojan.W32.Datcrypt, Notice]

Actually, the files have been encrypted by DatCrypt.

Next, the trojan advises the user to download and execute the "recommended file repair software":

[Screenshot: Trojan.W32.Datcrypt, Message]

Which we detect as Rogue:W32/DatDoc.

If the utility is downloaded and executed, the luckless user finds that it can "only repair one file in unregistered version":

[Screenshot: Rogue.W32.Datdoc, Decryption]

To repair — or more accurately, decrypt — anything more, the user has to buy the product.

Think about this from the user's point of view. "Oh my god, I've lost my important files!" "Thank god I found this great product that recovered them perfectly for just $89.95." "I'm going to recommend Data Doctor to all my friends." Effectively, the user is forced to pay a ransom for his own files, and he doesn't even realize he's paying a ransom.

This scheme works on the assumption that the user wants the affected files badly enough to be willing to pay to recover them — and that the user hasn't prudently saved copies of these files elsewhere. The attack would probably lose its bite if the user could just say, "oh well…", delete the "corrupted" files and retrieve the backups.

So this would be a good time to remind everyone to back up their important files regularly, either onto removable media like CDs, DVDs or USB thumb drives, or online resources such as our Online Backup.
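The post's key observation is that the files only look corrupted: they have been overwritten in place by the trojan. A quick way to tell the two apart, and to decide whether backups make the "repair" product unnecessary, is to compare each file's leading bytes against the public signature for its extension (a DOCX starts with a ZIP header, a JPEG with FF D8 FF, and so on). The script below is an added example, not code from F-Secure or from this post; it assumes nothing about how DatCrypt actually encrypts, and the sample "infected" and "backup" directories it builds are constructed in a temporary folder purely for the demonstration. A single mismatched file can be genuine damage; many documents and media files failing at once, as here, is the pattern to treat as in-place encryption.

```python
import os
import tempfile

# Well-known leading bytes of common document and media formats (taken from
# the public format specifications, not from the post). A file whose extension
# says "Office document" or "JPEG" but whose first bytes match none of these
# has most likely been overwritten or encrypted, not merely "corrupted".
MAGIC = {
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}


def classify(path):
    """Return 'ok', 'mismatch' or 'unknown' for one file.

    'unknown' means there is no signature for that extension, so no verdict.
    """
    ext = os.path.splitext(path)[1].lower()
    signatures = MAGIC.get(ext)
    if signatures is None:
        return "unknown"
    with open(path, "rb") as fh:
        head = fh.read(16)
    return "ok" if any(head.startswith(sig) for sig in signatures) else "mismatch"


def scan(directory):
    """Walk a directory tree; return {relative path: verdict} for every file."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, directory).replace(os.sep, "/")
            results[rel] = classify(full)
    return results


def mismatch_ratio(results):
    """Fraction of files of a known type whose header does not match.

    One mismatch can be a damaged file; a high ratio across many documents
    and media files at once is the signature of in-place encryption.
    """
    known = [v for v in results.values() if v != "unknown"]
    if not known:
        return 0.0
    return sum(1 for v in known if v == "mismatch") / len(known)


def restorable(results, backup_dir):
    """For each mismatched file, whether an intact copy exists at the same
    relative path under backup_dir."""
    found = {}
    for rel, verdict in results.items():
        if verdict != "mismatch":
            continue
        candidate = os.path.join(backup_dir, rel)
        found[rel] = os.path.isfile(candidate) and classify(candidate) == "ok"
    return found


def build_demo():
    """Construct a sample 'infected' tree and a backup tree in a temp directory.

    Every file here is made up for the demonstration (constructed sample data).
    """
    base = tempfile.mkdtemp(prefix="datcrypt-demo-")
    live = os.path.join(base, "live")
    backup = os.path.join(base, "backup")
    os.makedirs(live)
    os.makedirs(backup)
    samples = {
        "report.docx": b"PK\x03\x04" + b"\x00" * 40,        # intact
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 40,  # intact
        "thesis.doc": b"\x9a\x41\x7c\x02" + b"\x5e" * 40,   # header gone: "corrupted"
        "song.mp3": b"\x11\x22\x33\x44" + b"\x5e" * 40,     # same
        "notes.txt": b"plain text, no signature to check", # unknown type
    }
    for name, data in samples.items():
        with open(os.path.join(live, name), "wb") as fh:
            fh.write(data)
    # Backup taken before the infection: thesis.doc is intact there,
    # song.mp3 was never backed up.
    with open(os.path.join(backup, "thesis.doc"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 40)
    return live, backup


if __name__ == "__main__":
    live_dir, backup_dir = build_demo()
    res = scan(live_dir)
    for rel, verdict in sorted(res.items()):
        print(f"{verdict:9s} {rel}")
    print(f"mismatch ratio: {mismatch_ratio(res):.2f}")
    print("restorable from backup:", restorable(res, backup_dir))
```

Run against a real document folder and a backup copy, the `restorable` map is the decision the post is pointing at: every file that shows as `True` can simply be deleted and replaced from the backup, with no "repair" purchase involved. Files marked `False` are exactly the ones a regular backup routine would have covered.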

Because having to pay someone to get back a copy of your homework, or tomorrow's presentation, or your mom's favorite recipe, is just… annoying.

Many thanks to Adam Thomas from Sunbelt for providing samples of the dropper, and Chang for the initial analysis.