Ransomware nearly doubles in six months – ESET Ireland

17 Oct 2013

Trojans that encrypt files and try to extort a ransom from the user in exchange for a decryptor utility have nearly doubled from January to July 2013, according to antivirus and security software solutions provider ESET Ireland.

ESET detections of this malware category are usually flagged as Win32/Filecoder or Win32/Gpcode, and ESET LiveGrid telemetry reveals that the weekly number of Win32/Filecoder detections has risen by more than 200pc since July 2013 compared with the average for January through June 2013.

Cyber-criminals using the Filecoder ransomware use various methods to get the malware onto victims’ systems:

  • Through drive-by downloads from malware-laden websites
  • Through e-mail attachments
  • Installation by another trojan-downloader or back door
  • Manual installation by the attacker through remote (RDP) infiltration
  • Other common infection vectors

A Filecoder family that has been spreading via RDP also uses scareware tactics, and introduces itself as an ‘Anti-Child Porn Spam Protection’ message or as being from the ACCDFISA (Anti Cyber Crime Department of Federal Internet Security Agency) – no such agency exists.

The latest type of ransomware is more ‘dangerous’ than the widespread ‘police’-ransomware category, according to ESET Ireland, as it also encrypts the victim’s files – usually pictures, documents, music and archives. Files with the following extensions are targeted: .odt, .ods, .odp, .odm, .odc, .odb, .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsm, .xlsb, .xlk, .ppt, .pptx, .pptm, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .pdf, .eps, .ai, .indd, .cdr, .jpg, .jpe, img_.jpg, .dng, .3fr, .arw, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .cer, .crt, .pem, .pfx, .p12, .p7b, .p7c.

A version of this trojan is notable because of the amount of money it seeks from victims. While other samples in this malware category usually request around €100-€200, Win32/Filecoder.NAC has extorted up to €3,000. The higher amount reflects the fact that the attacker tries to target businesses, which can usually afford to pay higher ransoms than individuals, ESET Ireland said.

Another recent variant, Win32/Filecoder.BQ, tries to pressure victims by displaying a countdown timer showing how long it will be before the encryption key is permanently deleted. Victims are also given the option to pay the ransom with Bitcoins, along with usual ransomware payment methods like MoneyPak or Ukash.

Computer users can protect themselves from such ransomware by being cautious, keeping anti-virus and all software up to date, and password-protecting anti-malware software’s settings, ESET Ireland said. “But in this case, most importantly: back up regularly! You could lose your files for good if you don’t have them backed up.”
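The backup advice above can be turned into a routine check. The script below is an added example, not code from the article or from ESET: it walks a user's document folder, picks out files whose extensions appear in the target list quoted earlier, and compares each against a copy in a backup directory, reporting files that have no backup and files whose contents have changed since the backup. It assumes the backup is a plain directory mirror (the `documents` and `backup` paths and the sample files are constructed for the demo). A sudden jump in the "changed" list is also a crude signal that something has been rewriting documents in bulk.

```python
import hashlib
import tempfile
from pathlib import Path

# File extensions the article lists as Win32/Filecoder targets.
# The list entry "img_.jpg" is a filename suffix rather than an
# extension, so it is matched separately in is_target().
TARGET_EXTENSIONS = {
    ".odt", ".ods", ".odp", ".odm", ".odc", ".odb", ".doc", ".docx", ".docm",
    ".wps", ".xls", ".xlsx", ".xlsm", ".xlsb", ".xlk", ".ppt", ".pptx", ".pptm",
    ".mdb", ".accdb", ".pst", ".dwg", ".dxf", ".dxg", ".wpd", ".rtf", ".wb2",
    ".mdf", ".dbf", ".psd", ".pdd", ".pdf", ".eps", ".ai", ".indd", ".cdr",
    ".jpg", ".jpe", ".dng", ".3fr", ".arw", ".srf", ".sr2", ".bay", ".crw",
    ".cr2", ".dcr", ".kdc", ".erf", ".mef", ".mrw", ".nef", ".nrw", ".orf",
    ".raf", ".raw", ".rwl", ".rw2", ".r3d", ".ptx", ".pef", ".srw", ".x3f",
    ".der", ".cer", ".crt", ".pem", ".pfx", ".p12", ".p7b", ".p7c",
}


def is_target(path: Path) -> bool:
    """True if the file carries an extension (or name suffix) from the list."""
    return path.suffix.lower() in TARGET_EXTENSIONS or path.name.lower().endswith("img_.jpg")


def sha256_of(path: Path) -> str:
    """Hash file contents in chunks so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_gaps(source_root: Path, backup_root: Path) -> dict:
    """Compare every target file under source_root with its copy under backup_root.

    Returns {"missing": [...], "changed": [...]} holding relative POSIX paths.
    "missing" files would be lost outright; "changed" files differ from the
    last backup, which is exactly what an encrypting trojan leaves behind.
    """
    gaps = {"missing": [], "changed": []}
    for path in sorted(source_root.rglob("*")):
        if not path.is_file() or not is_target(path):
            continue
        rel = path.relative_to(source_root)
        copy = backup_root / rel
        if not copy.is_file():
            gaps["missing"].append(rel.as_posix())
        elif sha256_of(copy) != sha256_of(path):
            gaps["changed"].append(rel.as_posix())
    return gaps


def demo() -> dict:
    """Constructed sample tree: one file backed up, one never backed up,
    one rewritten since its backup, and one file not on the target list."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "documents"   # hypothetical user folder
        bak = Path(tmp) / "backup"      # hypothetical backup mirror
        (src / "photos").mkdir(parents=True)
        (bak / "photos").mkdir(parents=True)
        (src / "report.docx").write_bytes(b"quarterly report")
        (bak / "report.docx").write_bytes(b"quarterly report")          # intact copy
        (src / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8 jpeg")  # never backed up
        (src / "budget.xlsx").write_bytes(b"OPAQUE BLOB")               # rewritten since backup
        (bak / "budget.xlsx").write_bytes(b"2013 budget")
        (src / "notes.txt").write_bytes(b"not on the target list")      # ignored
        return backup_gaps(src, bak)


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the two gaps from the constructed sample; in practice point `backup_gaps()` at a real document folder and its backup copy and schedule it alongside the backup job, so that an unbacked-up or unexpectedly changed file is noticed before a ransom note is.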

Tina Costanza was a journalist and sub-editor at Silicon Republic