
Malware extorts ransom in Bitcoins

By Admire Moyo, ITWeb's news editor.
Johannesburg, 28 Jan 2015

Security solutions provider ESET has discovered a piece of malware that extorts a ransom in Bitcoins for the retrieval of information it has encrypted.

The company says that last week it received multiple reports of malware-spreading campaigns in various countries, mostly in Latin America and Eastern Europe.

A fake e-mail purporting to contain a fax is, in fact, nothing more than a campaign to spread malicious code; the ultimate goal is to encrypt the victims' files and then extort a ransom in Bitcoins for retrieval of the encrypted information, says ESET.

The malware - CTB-Locker ransomware - has caused headaches for thousands of users, with Poland, the Czech Republic and Mexico the most affected countries, the vendor says.

According to ESET, the attack begins with a fake e-mail arriving in a user's inbox. The subject of the e-mail suggests the attachment is a fax; the file is detected by ESET as Win32/TrojanDownloader.Elenoocka.A.

File encryption

Carey van Vlaanderen, CEO of ESET Southern Africa, says if one opens this attachment and their anti-virus software does not protect them, a variant of Win32/FileCoder.DA will be downloaded to their system; all the files will be encrypted and users will lose them forever unless they pay a ransom in Bitcoins to retrieve the information.

"Files with extensions such as .mp4, .pem, .jpg, .doc, and .cer are encrypted by a key, which makes it virtually impossible to recover the files. Once the malware has finished encrypting user information, it displays a warning and also changes the desktop background with a message demanding the ransom," she says.

Van Vlaanderen warns even though there have not been reported cases in Africa, the region is not safe from the threat. "It only takes one user to ignore standard security safe browsing practices to infect a network."

She explains that cyber criminals are attracted to Bitcoin because of its rise in value and because it is easier to steal than real money. She adds that Bitcoin is also simpler to trade with other criminal elements. Cyber criminals have also made use of the ease with which Bitcoins can be traded without any third party - such as a bank or an online payment service like PayPal - to use it as at least one way of paying for services between themselves, says Van Vlaanderen.

Another peculiar detail of CTB-Locker is that not only is the message shown to the user in different languages, but it also displays the currency appropriate to that language, says ESET. If the user chooses to view the message in English, the price is in US dollars; otherwise the value is shown in euros, it adds.

Fellow security solutions vendor, Symantec, says ransomware as a whole saw a marked decline last year. However, it says the amount of crypto-ransomware seen continues to comprise a larger portion of ransomware.

Candid Wueest, security response expert at Symantec, says there are varied reasons attackers are demanding ransom in Bitcoins.

"One of the reasons might be that it is easier to get Bitcoins compared to the prepaid voucher money. It is also easier for the attacker to transfer and spend the Bitcoins afterwards as many underground forums have started to accept Bitcoins as payments."

Don't pay ransom

Nonetheless, Wueest urges organisations not to pay the ransom but to plan ahead and have a backup ready.

While it is true that the encryption technique used by CTB-Locker makes it impossible to recover files by analysing the payload, there are certain safety measures recommended for users, says ESET.

"If you have a security solution for mail servers, enable filtering by extension. This will help by allowing you to block malicious files with extensions such as .scr, as used by the malware," says Van Vlaanderen.

"Avoid opening attachments in e-mails of dubious origins where the sender has not been identified. Delete e-mails or mark them as spam to prevent other users or company employees being affected by these threats. Keep security solutions updated to detect the latest threats that are spreading. Perform up-to-date backups of your information."
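One way to implement the mail-server extension filter Van Vlaanderen recommends, as an added example that is not ESET's or Symantec's code: it parses an inbound message with Python's standard email library, compares only the final extension of each attachment filename against a blocklist, and goes slightly beyond the article by including a few common executable extensions alongside the .scr it names. The sample "fax" message, its sender address and the attachment bytes are constructed here and are inert.

```python
"""Attachment-extension filter for inbound mail (added example; the
sample message and attachment bytes below are constructed and harmless)."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# .scr comes from the article; the other executable extensions are an
# assumption added here, not something the article lists.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

def blocked_attachments(raw_message: bytes, blocked=BLOCKED_EXTENSIONS) -> list[str]:
    """Return the filenames of attachments whose extension is on the blocklist.

    Comparison is case-insensitive and uses only the final extension, so a
    lure such as 'fax_report.PDF.scr' is still caught as .scr.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # multipart containers carry no payload of their own
        name = part.get_filename()
        if not name:
            continue  # body text without a filename is not an attachment
        ext = os.path.splitext(name)[1].lower()
        if ext in blocked:
            hits.append(name)
    return hits

def build_sample_fax_message() -> bytes:
    """Constructed lookalike of the 'incoming fax' lure described above:
    a short text body plus a .scr attachment containing harmless bytes."""
    msg = EmailMessage()
    msg["From"] = "fax-service@example.com"   # constructed sender
    msg["To"] = "user@example.org"            # constructed recipient
    msg["Subject"] = "Incoming fax #4421"
    msg.set_content("You have received a new fax. See the attached file.")
    msg.add_attachment(b"not a program, just sample bytes",
                       maintype="application", subtype="octet-stream",
                       filename="fax_report.PDF.scr")
    return bytes(msg)

if __name__ == "__main__":
    print("blocked:", blocked_attachments(build_sample_fax_message()))
    # blocked: ['fax_report.PDF.scr']
```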

She notes mitigating such attacks is no simple task, and users need to take a proactive stance by supporting security technology with awareness and education.
