Data with popular file extensions is held hostage

May 12, 2015 07:52 GMT  ·  By

Cybercriminals have demonstrated their creativity once more by releasing a new ransomware with file encrypting capabilities that delivers the ransom message in style, employing the logo for “Los Pollos Hermanos,” from the TV show “Breaking Bad.”

The malware has been spotted in Australia, and despite the nice visual touch, it is as focused on the business as Walter White was: it encrypts the data on the infected computer and initially demands a payment of 450 AUD ($357 / €318).

Failure to deliver the money within the timeframe specified by the attackers raises the fee for unlocking the files to 1,000 AUD ($790 / €710).

Decoy PDF is downloaded and executed

Security researchers from Symantec say that the malware, detected as Trojan.Cryptolocker.S by the company’s products, relies on the AES algorithm to encrypt the data and then uses strong public-key encryption (RSA) to protect the symmetric key, with the matching private key remaining in the possession of the cybercriminals.

The infection chain begins with a fraudulent email that purports to be from a major package delivery firm, carrying a malicious attachment that masquerades as an innocuous PDF file but is in fact a VBScript (Penalty.VBS) with instructions to download the malware and an Adobe document.

On execution, the PDF is displayed to the victim to allay suspicion of nefarious activity, while the ransomware is installed in the background.
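The defender’s view of that chain, as an added example that is not from the article or from Symantec: a Python check a mail gateway could run over attachment metadata to flag script files that pose as documents, as Penalty.VBS does. The sample attachments are constructed; only the Penalty.VBS name comes from the article, the other names and contents are made up.

```python
import os

# Constructed sample attachments (not from the article), shaped like what a mail
# gateway records: declared filename, declared MIME type, first bytes of content.
SAMPLE_ATTACHMENTS = [
    {"name": "Penalty.VBS", "mime": "application/pdf", "head": b'Set sh = CreateObject("WScript.Shell")'},
    {"name": "Invoice.pdf", "mime": "application/pdf", "head": b"%PDF-1.5\n%\xe2\xe3\xcf\xd3"},
    {"name": "Tracking.pdf.js", "mime": "application/octet-stream", "head": b"var u = 'http://"},
    {"name": "photo.jpg", "mime": "image/jpeg", "head": b"\xff\xd8\xff\xe0\x00\x10JFIF"},
]

# Extensions that Windows Script Host or cmd.exe will execute on double-click.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}

# Magic bytes a file of the declared document type must start with.
DOCUMENT_MAGIC = {"application/pdf": b"%PDF"}


def classify(attachment):
    """Return the reasons this attachment looks like a disguised script; empty list if clean."""
    name = attachment["name"]
    ext = os.path.splitext(name)[1].lower()
    parts = name.lower().split(".")
    reasons = []
    # 1. The extension that decides how Windows opens the file is the last one, whatever the icon shows.
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"executable script extension {ext}")
    # 2. A document extension placed in front of the real one (e.g. name.pdf.js) is a decoy.
    if len(parts) > 2 and "." + parts[-2] in {".pdf", ".doc", ".docx", ".xls", ".xlsx"}:
        reasons.append("document extension used as a double-extension decoy")
    # 3. Declared MIME type claims a document but the bytes lack that format's signature.
    magic = DOCUMENT_MAGIC.get(attachment["mime"])
    if magic is not None and not attachment["head"].startswith(magic):
        reasons.append(f"declared {attachment['mime']} but content lacks {magic!r} header")
    return reasons


def flagged_attachments(attachments):
    """Map attachment name -> reasons, for every attachment that trips at least one check."""
    result = {}
    for att in attachments:
        reasons = classify(att)
        if reasons:
            result[att["name"]] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in flagged_attachments(SAMPLE_ATTACHMENTS).items():
        print(name, "->", "; ".join(reasons))
```

The content check matters because a gateway that trusts the declared MIME type alone would pass Penalty.VBS as a PDF.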

“Based on our initial analysis, the threat [the malware downloader] appears to be using components or similar techniques to an open-source penetration-testing project, which uses Microsoft PowerShell modules. This allows the attackers to run their own PowerShell script on the compromised computer to operate the crypto ransomware,” Symantec says.

Backups remain the best form of protection against ransomware

As for the files affected by the encryption process, the list includes popular file types for images, documents and audio data.

Payment of the ransom fee is demanded in the digital currency bitcoin, and clear instructions are provided so that non-technical victims can purchase and deliver the coins.

The recommendation from security experts is not to give in to the crooks’ demands. Data should be protected by keeping antivirus software updated and, more importantly, by backing up the most important files and storing the copies in a safe place, either with restricted access from the main machine or completely disconnected from it.

Breaking Bad-themed ransom message

Ransom message with the “Los Pollos Hermanos” logo