Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Cybercrooks developing dangerous new file-encrypting ransomware, researchers warn

Lucian Constantin | Jan. 7, 2014
The new threat might be even more difficult to remove than CryptoLocker, which plagued users in recent months.

It then uses the functionality in Windows to create a secondary desktop and displays the ransom message there. The malware checks every few milliseconds to see whether the new desktop is the active one and prevents users from switching away from it, making the Alt+Tab keyboard shortcut and applications running on the primary desktop irrelevant.

The malware is also capable of detecting whether it's run in virtual machines, sandboxes or debugging environments, a feature designed to prevent security researchers from analyzing it using their usual tools.

The advertised malware program, if real, definitely adds extra layers of sophistication to a family of threats that's already difficult to combat, said Bogdan Botezatu, a senior e-threat analyst at antivirus firm Bitdefender, Monday via email. "From the malware's description, it looks like its creator has blended CryptoLocker with the FBI ransomware [ransomware impersonating the FBI and other law enforcement agencies] to create a two-layer lock: the desktop lock and the file encryption."

Another important difference between CryptoLocker and PowerLocker is that the new threat is supposed to be sold as a crimepack to other cybercriminals.

"While CryptoLocker was tailor-made for a select group of individuals, the PowerLocker as they call it is a tool that would be available for purchase, thus making any script-kiddie a potential attacker," he said. "If it is real, we expect it to hit really hard."

According to the underground forum messages shared by MMD, the PowerLocker author has partnered with another developer to create the malware's command-and-control panel and the graphical user interface and is very close to completing them. The developers plan to sell the malware for US$100 in Bitcoins per initial build and $25 per rebuild, which is a very accessible price for cybercriminals.

"Besides the fact that this is a crimepack, it also adds extra features such as locking the user outside of the box, thus taking the machine out of production completely," Botezatu said. If it goes viral, it could cause serious problems to mission critical systems like hospital computers, he said.

Botezatu expects other similar malware programs to be developed and used this year.

"Trojans like GPcode have set the standard for commercial ransomware, while the ROI [return on investment] rates of the FBI Trojan and CryptoLocker have probably incentivized other cybercriminal groups into joining the ransomware pack," he said. "Ransomware is easy money and that's what cybercriminals are after."

Most malware today is distributed through exploits for vulnerabilities in popular software programs like Java, Flash Player and others, so it is very important to keep all applications up-to-date to prevent infection with ransomware and other threats.

Backing up important data regularly is essential to recovering files in case of infection if users are to avoid paying money to cybercriminals. However, backups should not be stored on the same computer or on network shares to which the computer has write access, because the malware could damage the backups as well.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.