
Encrypt everything


Virus makers aren't responsible for your corrupted files


Friday, April 14, 2017

Sometimes it seems like the world has turned upside down. Lately, positive reviews (some of them from IT security experts) have been appearing online about the services run by the criminals who distribute encryption ransomware. They praise the helpful support, the flexible rates, the opportunity to test whether the corrupted files can really be decrypted, and so on. Given that few corrupted files are actually recoverable, feedback of this kind only helps users sleep soundly and refuse, with a clear conscience, to spend anything extra on anti-virus software, user education, or employee training. After all, the ransom amount (as they say) is quite reasonable and the probability of infection is far from 100%, so it's easier to pay once and relax.

The problem is that few attackers are competent enough to encrypt files in a way that lets them recover the files later. And not all of them can (or want to) invest in high-quality support. Moreover, why go to such lengths if users are willing to pay anyway?

Android.Locker.420.origin (under the Dr.Web classification) has no data recovery feature at all. Zscaler experts who analysed the ransomware's code found no functions responsible for verifying a payment or for sending short messages. This means that the victims can't unlock their mobile devices or recover their data even if they pay the ransom.

Interestingly, the criminals don’t just make ransom demands—they also try to blackmail users.

Once the malware is installed on a device, it stands by for four hours and then starts displaying pop-ups requesting administrator privileges. Even if the user dismisses the notification, it reappears until the user complies. After that, the malware locks the device's screen and displays a message informing the user that their data has been encrypted and that they must pay a 500-rouble ransom to recover it. It also threatens that if they refuse to pay, the malware will send a compromising short message to all of their contacts.

The experts stress that this new ransomware uses features that enable it to avoid detection by anti-viruses: "Thanks to good code obfuscation and the use of Java Reflection, the ransomware can evade anti-viruses. In addition, the four-hour idle period enables it to avoid detection by anti-viruses that rely upon dynamic analysis."
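The two findings above, that the code contains no payment-verification or SMS-sending functions, and that reflection and a long idle period hide behaviour from scanners, point to the first check an analyst runs on a sample like this: does the code actually back the claims in the ransom note? The following Python triage is an added example written for this article, not Dr.Web's or Zscaler's analysis code. It assumes you have already pulled the permission list from the decoded AndroidManifest.xml and the string/type table from classes.dex with your usual tooling; the permission lists and DEX strings below are constructed for the demo and are not taken from Android.Locker.420.origin. It generalises beyond the article's two claims to the "encrypted" claim as well.

```python
"""Static triage: does a sample's code back the claims in its ransom note?

Added example, not Dr.Web's or Zscaler's code. Inputs are the permissions from
the decoded manifest and the descriptor strings from classes.dex; the samples at
the bottom are constructed for the demo, not real Android.Locker.420.origin data.
"""
from dataclasses import dataclass, field

SEND_SMS_PERM = "android.permission.SEND_SMS"

# API references as they appear in a DEX string table (Smali-style descriptors).
SMS_APIS = {
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "Landroid/telephony/SmsManager;->sendMultipartTextMessage",
}
CRYPTO_APIS = {"Ljavax/crypto/Cipher;->init", "Ljavax/crypto/Cipher;->doFinal"}
NETWORK_APIS = {
    "Ljava/net/HttpURLConnection;->connect",
    "Ljava/net/URL;->openConnection",
    "Ljava/net/Socket;-><init>",
}
REFLECTION_APIS = {
    "Ljava/lang/Class;->forName",
    "Ljava/lang/Class;->getMethod",
    "Ljava/lang/Class;->getDeclaredMethod",
    "Ljava/lang/reflect/Method;->invoke",
}
DEVICE_ADMIN = "Landroid/app/admin/DeviceAdminReceiver;"


@dataclass
class Triage:
    can_send_sms: bool      # permission AND API reference: both are needed to send
    has_crypto: bool
    has_network: bool
    uses_reflection: bool
    device_admin: bool
    verdicts: list = field(default_factory=list)


def triage(permissions, dex_strings):
    """Compare observed capabilities with the claims a ransom note usually makes."""
    perms, refs = set(permissions), set(dex_strings)
    t = Triage(
        can_send_sms=SEND_SMS_PERM in perms and bool(refs & SMS_APIS),
        has_crypto=bool(refs & CRYPTO_APIS),
        has_network=bool(refs & NETWORK_APIS),
        uses_reflection=bool(refs & REFLECTION_APIS),
        device_admin=DEVICE_ADMIN in refs,
    )
    # Reflection resolves APIs from strings at run time, often decrypted on the fly,
    # so a missing descriptor proves nothing until the sample is decompiled.
    unsure = " (reflection present: confirm in decompiled code)" if t.uses_reflection else ""
    if not t.can_send_sms:
        t.verdicts.append("SMS threat not backed by code" + unsure)
    if not t.has_network:
        t.verdicts.append("no network code: no channel to confirm a payment or fetch an unlock key" + unsure)
    if not t.has_crypto:
        t.verdicts.append("no crypto API: 'encrypted' claim is likely just a screen lock" + unsure)
    if t.device_admin:
        t.verdicts.append("device admin receiver: revoke admin rights before uninstalling")
    return t


# Constructed inputs standing in for a locker of the kind described in the article.
LOCKER_PERMISSIONS = [
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_CONTACTS",
]
LOCKER_DEX_STRINGS = [
    "Landroid/app/admin/DeviceAdminReceiver;",
    "Landroid/app/admin/DevicePolicyManager;->lockNow",
    "Ljava/lang/Class;->forName",
    "Ljava/lang/reflect/Method;->invoke",
    "Landroid/os/Handler;->postDelayed",
    "Your files are encrypted. Pay 500 RUB.",
]

# Constructed contrast: a sample that really has the plumbing it threatens with.
ENCODER_PERMISSIONS = ["android.permission.SEND_SMS", "android.permission.INTERNET"]
ENCODER_DEX_STRINGS = [
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "Ljavax/crypto/Cipher;->init",
    "Ljavax/crypto/Cipher;->doFinal",
    "Ljava/net/HttpURLConnection;->connect",
]

if __name__ == "__main__":
    for name, perms, strings in (
        ("locker", LOCKER_PERMISSIONS, LOCKER_DEX_STRINGS),
        ("encoder", ENCODER_PERMISSIONS, ENCODER_DEX_STRINGS),
    ):
        result = triage(perms, strings)
        print(name, result.verdicts or ["claims are backed by code"])
```

The reflection caveat is the part worth keeping: a string scan that finds no SmsManager reference is only a first pass, and the verdict holds only once the decompiled code (the kind of review Zscaler describes) has been read. A four-hour sleep before any action is the other reason not to trust a short sandbox run on its own.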

#Trojan.Encoder #Trojan #encryption_ransomware #extortion

The Anti-virus Times recommends

It's simple: devices that run Dr.Web are protected from this threat. Those who would rather pay can try their luck with data recovery; according to our statistics, the probability of success is no more than 10%.

