Data may be recovered, Shadow Volume Copies are not deleted

Apr 20, 2015 14:50 GMT

A new piece of crypto-malware called Threat Finder has been circulating since the beginning of the year, delivered through the Angler exploit kit (EK) to users running outdated versions of browser plug-ins.

Information about the ransomware emerged in late January, when a user reported that Threat Finder had encrypted his data without being detected by the antivirus products he had installed.

Ransomware delivered by Bedep malware

Rackspace security researcher Brad Duncan found a sample of the malware and analyzed the method of infection and the ensuing effects.

He says the host was infected through what is commonly known as a drive-by attack: when the user browsed to a compromised website, Angler EK exploited a vulnerable browser plug-in and then downloaded and installed Bedep, a payload often used for ad fraud as well as for pulling in other malware.

It appears that in the case investigated by Duncan, Bedep downloaded and installed Threat Finder on the victim’s machine and also initiated click-fraud actions.

“About the time Threat Finder displayed the decrypt instructions, we saw click fraud traffic from the infected host. Click fraud traffic generates ad revenue through numerous requests for web traffic from the infected host,” the researcher said.

Locked data may be recoverable

As soon as Threat Finder is deployed on a system, it starts encrypting file types that are important to the user. According to a report from Bleeping Computer, the list includes text documents, media files (image, video) and database formats.

Bleeping Computer also notes that the encryption does not rename files, so the only sign that a file has been tampered with is that its associated application can no longer open it.
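Because the file names are left intact, a quick way to find out which files were hit is to check whether each file still begins with the header its extension implies, and how random its content looks. The following PowerShell is an added triage example and is not code from the article or from any of the researchers it cites; the scan path, the signature table and the 64 KB sampling window are assumptions for illustration. A file whose header no longer matches its extension is the strongest signal; the entropy figure is secondary, since already-compressed formats (zip-based Office files, JPEG) score high even when untouched.

```powershell
# Added example, not from the original article: flag files whose content no longer matches
# their extension, which is what encryption-in-place with unchanged names looks like on disk.

# Expected leading bytes per extension (illustrative subset; extend as needed).
$signatures = @{
    '.docx'   = [byte[]](0x50,0x4B,0x03,0x04)        # zip container (also xlsx/pptx)
    '.xlsx'   = [byte[]](0x50,0x4B,0x03,0x04)
    '.pptx'   = [byte[]](0x50,0x4B,0x03,0x04)
    '.zip'    = [byte[]](0x50,0x4B,0x03,0x04)
    '.doc'    = [byte[]](0xD0,0xCF,0x11,0xE0)        # OLE2 compound file (also xls/ppt)
    '.xls'    = [byte[]](0xD0,0xCF,0x11,0xE0)
    '.pdf'    = [byte[]](0x25,0x50,0x44,0x46)        # %PDF
    '.jpg'    = [byte[]](0xFF,0xD8,0xFF)
    '.jpeg'   = [byte[]](0xFF,0xD8,0xFF)
    '.png'    = [byte[]](0x89,0x50,0x4E,0x47)
    '.gif'    = [byte[]](0x47,0x49,0x46,0x38)        # GIF8
    '.sqlite' = [byte[]](0x53,0x51,0x4C,0x69)        # "SQLi" of "SQLite format 3"
}

function Test-Signature([string]$Path, [byte[]]$Magic) {
    # $true when the file starts with the expected magic bytes.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $Magic.Length
        $n = $fs.Read($buf, 0, $Magic.Length)
    } finally { $fs.Dispose() }
    if ($n -lt $Magic.Length) { return $false }
    for ($i = 0; $i -lt $Magic.Length; $i++) {
        if ($buf[$i] -ne $Magic[$i]) { return $false }
    }
    return $true
}

function Get-Entropy([string]$Path, [int]$SampleBytes = 65536) {
    # Shannon entropy (bits per byte) of the first $SampleBytes of the file.
    # Ciphertext approaches 8.0; plain text sits around 4 to 5; compressed data is already high.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $SampleBytes
        $n = $fs.Read($buf, 0, $SampleBytes)
    } finally { $fs.Dispose() }
    if ($n -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    for ($i = 0; $i -lt $n; $i++) { $counts[$buf[$i]]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $n; $h -= $p * [Math]::Log($p, 2) }
    }
    return $h
}

$root = 'C:\Users\victim\Documents'   # assumed scan root
Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
    $ext = $_.Extension.ToLower()
    if ($signatures.ContainsKey($ext) -and $_.Length -gt 0) {
        if (-not (Test-Signature -Path $_.FullName -Magic $signatures[$ext])) {
            [pscustomobject]@{
                Path    = $_.FullName
                Entropy = [Math]::Round((Get-Entropy -Path $_.FullName), 2)
                Note    = 'header does not match extension'
            }
        }
    }
} | Format-Table -AutoSize
```

Run it read-only from a clean administrative host against the mounted or shared volume; the list it produces is the set of files to pull from backup or from a shadow copy, and it doubles as a scope record for the incident.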

After the data is locked, Threat Finder shows the ransom message and asks for 1.25 bitcoins (about $300 / €260) in exchange for the decryption key.

However, researchers say the encryption routine does not delete Volume Shadow Copies, so the affected files may be recoverable through the Windows Previous Versions feature or with a tool that reads the shadow copies directly. This only helps if System Protection was enabled on the volume and a snapshot was taken before the files were encrypted.
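The recovery route described above, worked through from an elevated PowerShell session, as an added example that is not part of the article or of Duncan's analysis: list the snapshots that survived, pick the newest one of C: taken before the infection, expose it as a directory and copy a clean version of a file out of it. The infection time, the file path and the destination drive are assumptions for illustration.

```powershell
# Added example, not from the original article: recover a file from a Volume Shadow Copy.
# Requires an elevated (Administrator) PowerShell session.

# Check first that snapshots survived. An empty list means none existed (System Protection was
# off) or the malware removed them, in which case this route is closed.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
if (-not $shadows) { throw 'No shadow copies present; fall back to offline backups.' }

# Map each snapshot to a drive letter and creation time so the right one can be chosen.
# Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID are both \\?\Volume{GUID}\ paths.
$volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }
$shadows | ForEach-Object {
    $vol = $volumes | Where-Object { $_.DeviceID -eq $_.VolumeName }
    [pscustomobject]@{
        Id      = $_.ID
        Created = $_.InstallDate
        Drive   = ($volumes | Where-Object DeviceID -eq $_.VolumeName).DriveLetter
        Device  = $_.DeviceObject
    }
} | Sort-Object Created | Format-Table -AutoSize

# Newest snapshot of C: taken before the ransom note appeared.
$cutoff = Get-Date '2015-04-20 12:00'                         # assumed infection time
$cVol   = ($volumes | Where-Object DriveLetter -eq 'C:').DeviceID
$snap   = $shadows |
    Where-Object { $_.VolumeName -eq $cVol -and $_.InstallDate -lt $cutoff } |
    Sort-Object InstallDate -Descending | Select-Object -First 1
if (-not $snap) { throw 'No pre-infection snapshot of C: found.' }

# Expose the snapshot as a directory. The trailing backslash on the device path is required.
$mount = 'C:\ShadowMount'
cmd /c mklink /d $mount "$($snap.DeviceObject)\" | Out-Null

# Copy the clean version somewhere the malware cannot reach; do not overwrite in place until
# the recovered file has been confirmed to open correctly.
$src = Join-Path $mount 'Users\victim\Documents\report.docx'   # assumed path
$dst = 'E:\Recovered\report.docx'                             # assumed external drive
New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
Copy-Item -Path $src -Destination $dst

# Remove the link only (the snapshot itself is left in place).
cmd /c rmdir $mount | Out-Null
```

Do this from a host that is no longer running the malware, or at least after the process has been stopped, since an active sample could encrypt the recovered copies as well; vssadmin list shadows gives the same inventory from an elevated command prompt if the CIM cmdlets are unavailable.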

Even so, the best protection against this sort of threat is an up-to-date backup kept somewhere that has limited or no connection to the main computer.

Ransom message displayed by Threat Finder

Threat Finder decryption instructions