Latest 'ransomware' attacks are scarily sophisticated
By Herb Weisbaum
Imagine having all of your computer files -- including tax records and other important data -- kidnapped and held for ransom. It's happening more and more. Internet criminals are now targeting U.S. computers with online extortion attacks.
"Ransomware" is not new, but the latest version -- named Reveton -- is more sophisticated than most of this malicious software.
The Reveton Trojan instantly locks the infected computer. Then it displays a message on the screen that looks like it's from the FBI. The bogus message says the user violated federal law by downloading child pornography or illegally using or distributing copyrighted music or video.
To unlock the machine, the user is told to pay a "fine" via a prepaid money card, online payment service or wire transfer.
The Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center, reports being "inundated" with complaints about the Reveton ransomware.
"We are getting dozens of complaints every day," IC3's Donna Gregory wrote in a scam alert posted on the FBI website. "Some people have actually paid the so-called fine."
A victim who was instructed to pay a $200 fine told IC3: "The page said if the demands were not met, criminal charges would be filed and my computer would remain locked on that screen."
Keep in mind: The FBI does not ask people for money and never sends unsolicited email.
The feds issued a warning about Reveton in May. Since that time, this malware has become more widespread in both the U.S. and internationally. And it's getting more aggressive.
Some versions can turn on the hijacked computer's webcam and show the victim's picture on the frozen screen. Others take the extortion threat to a whole new level.
Pay up or we'll notify the police!
Variants of this malware are infecting computers in Europe and they are devilishly sophisticated. They encrypt all the files on the hard drive. This prevents the owner from accessing them until the ransom is paid to get the decryption key.
"The bad guys have improved the nastiness of this attack," said Chester Wisniewski, a senior security advisor at SophosLabs. "They basically steal all of your documents and lock them in a vault. And only they have the key."
Sophos detected the Troj/Ransom-HC variant in July. It demands 3,000 euros (about $3,800) to unlock the encrypted data. The encryption is so strong, Wisniewski told me, that there's virtually no way for the average PC user to crack it.
"All malware is bad, but it's disturbing that they are able to do this," he said.
The bold extortion message displayed on the screen gives the victim 96 hours to pay up. "Otherwise," it says, "we will send report to the police with special password to decrypt some files which contains (sic) spam software and child pornography files."
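As an added example that is not part of the article, here is a stand-alone Python illustration of Wisniewski's "only they have the key" point: a file encrypted with a random 256-bit key that leaves the machine is only as recoverable as that key, and brute-forcing the keyspace is hopeless, while the same scheme collapses if a careless variant leaves the key next to the ciphertext. The cipher is a toy (HMAC-SHA256 run in counter mode as a keystream generator, unauthenticated, for illustration only), the sample "document" is constructed, and the weak design is hypothetical; the article does not say which algorithms Troj/Ransom-HC uses.

```python
"""Added example, not from the article: why files encrypted by ransomware
are unrecoverable without the attacker's key, and why the same design
collapses if the key is left on the victim's machine.

Standard library only. The cipher is a toy: HMAC-SHA256 run in counter mode
as a keystream generator (unauthenticated, illustration only). The article
does not say which cipher Troj/Ransom-HC uses.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
KEY_LEN = 32  # 256-bit key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudorandom bytes from key and nonce, CTR-style."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || (plaintext XOR keystream). Fresh nonce per call."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt(); with the wrong key the output is garbage."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


# Constructed sample "document" standing in for a victim's file.
SAMPLE_DOCUMENT = b"Form 1040 draft: wages 41,300.00; withheld 6,120.00\n" * 4


def hold_hostage(document: bytes) -> tuple:
    """Strong design, as the article describes: a random per-victim key is
    generated, used once, and afterwards exists only with the attacker.
    Returns (what is left on the victim's disk, what the attacker keeps)."""
    key = os.urandom(KEY_LEN)
    return encrypt(key, document), key


def brute_force_years(key_bits: int = 256, guesses_per_second: float = 1e12) -> float:
    """Expected years to search half the keyspace at the given guess rate."""
    seconds_per_year = 365.25 * 24 * 3600
    return (2 ** (key_bits - 1)) / guesses_per_second / seconds_per_year


def weak_hold_hostage(document: bytes) -> bytes:
    """Hypothetical weak design: the key is written next to the ciphertext,
    which is locking the vault and taping the key to the door."""
    key = os.urandom(KEY_LEN)
    return key + encrypt(key, document)


def recover_without_paying(blob: bytes) -> bytes:
    """Responder's recovery for the weak design: the key is right there."""
    key, ciphertext = blob[:KEY_LEN], blob[KEY_LEN:]
    return decrypt(key, ciphertext)


if __name__ == "__main__":
    on_disk, attacker_key = hold_hostage(SAMPLE_DOCUMENT)
    assert decrypt(attacker_key, on_disk) == SAMPLE_DOCUMENT
    assert decrypt(os.urandom(KEY_LEN), on_disk) != SAMPLE_DOCUMENT
    print(f"256-bit key at 1e12 guesses/s: ~{brute_force_years():.1e} years")
    print("weak design recovered:",
          recover_without_paying(weak_hold_hostage(SAMPLE_DOCUMENT)) == SAMPLE_DOCUMENT)
```

The practical lesson for a responder is in the contrast between the two designs: before advising anyone to pay, check whether the sample actually ships its key or a recoverable derivation of it, because if it does, the "vault" opens without the extortionist.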
"This is pretty scary stuff," said security expert Brian Krebs. "The majority of people who get hit with it would be in a spot because they aren't serious about backing up their computer."
Expect to see more ransomware -- because online extortion is lucrative. On his security blog, Krebs wrote about income data he obtained for one criminal group that uses Reveton. It shows they made $54,000 in a single day.
"People react to the threat and pay the money," Krebs told me. "The response should be to shut it down, think about it and have a computer repair person look at it."
The Reveton Trojan is delivered by a "drive-by" download: simply visiting a compromised website is enough for the malware to be installed on your computer, with no action on your part. This is why up-to-date security software is a must. Set it to update automatically, and keep the operating system, browser and browser plug-ins patched, since drive-by downloads work by exploiting unpatched software.
But even the best protection won't stop all malware attacks.
If your computer gets infected with this new ransomware, it may be difficult or impossible to open your files. That's why it's so important to back up your data regularly, and to keep at least one copy disconnected from the machine, since file-encrypting malware can reach any drive that is attached when it runs. You need to be prepared for a disaster like this because you may not get a second chance.
The Internet Crime Complaint Center advises victims of a ransomware extortion attempt not to pay any money or provide any personal information.
Remember: Even if you are able to unfreeze your computer on your own, the malware may still operate in the background, capturing account numbers, passwords and other personal information.
Your best bet is to take a compromised computer to a professional to have the malware removed.