Security experts provide simple solution to get unlock code

Aug 28, 2009 10:25 GMT

New variants of a piece of malware that holds computers for ransom until the victim sends an SMS to a premium-rate phone number have been spotted on the black market. Security researchers have cracked the algorithm the ransomware uses to verify the unlock codes that release control of the affected computers.

Back in May, independent security consultant Dancho Danchev reported that a new type of ransomware was available for sale on underground websites. Once installed on a Windows computer, this rogue application, which masquerades as an anti-piracy feature, locks access to the system and displays a warning message in Russian instead of the desktop.

"Your copy of Windows has been blocked! You're using an unlicensed version of it! In order to continue using it, you must receive the unlock key. All you have to do is follow these steps: You must send an SMS message. You will receive an activation code once you do so. Enter the code and unlock your copy of Windows," the fake alert reads.

Danchev, who has kept track of this threat, warns that it has reached version six and has seen many improvements since its original release. The latest variant can spread through removable media devices, is compatible with Windows 7 and allows multiple phone numbers to be used as backups.

Other features include the ability to bypass Safe Mode, customize the displayed message, lock down the taskbar and the use of special keyboard shortcuts, schedule the payload and execute at system reboot. Typically, once the unlock code is entered, the ransomware uninstalls itself and makes changes to the system to prevent re-infection.

Security researchers from CA also analyzed this malware and cracked the mechanisms used to check the unlock codes. Using their findings, they were able to devise a method of producing valid codes that would release control of the infected computers.

The algorithm seems to be rudimentary: it only requires that the code be seven digits long, with the last digit being the sum of the first two. For example, a valid unlock code would be 4512349, as 4+5 = 9. The four digits in between don't really matter and can be anything.
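The check described above, written out as an added example (it is not code from the article, from CA, or from the malware). It assumes that a code whose first two digits sum to more than 9 is rejected, which the article does not specify, and all function names are hypothetical; it also counts how many seven-digit strings pass, to show how little the check constrains.

```python
"""Unlock-code check as the article describes it: 7 digits, last = first + second."""
from itertools import product

CODE_LENGTH = 7  # length stated in the article


def is_valid_unlock_code(code: str) -> bool:
    """Return True if `code` passes the check as described in the article.

    Assumption: when the first two digits sum to more than 9, no single
    last digit can match, so the code is rejected. The article does not
    say whether the malware wraps or truncates the sum.
    """
    if len(code) != CODE_LENGTH or not (code.isascii() and code.isdigit()):
        return False
    return int(code[0]) + int(code[1]) == int(code[-1])


def count_accepted_codes() -> int:
    """Count every seven-digit string the check accepts.

    Only positions 1, 2 and 7 are constrained. Enumerate those three
    digits, then multiply by the 10**4 free choices for the middle four.
    """
    constrained = sum(
        1 for a, b, c in product(range(10), repeat=3) if a + b == c
    )
    return constrained * 10 ** (CODE_LENGTH - 3)


def random_guess_acceptance_rate() -> float:
    """Fraction of all seven-digit strings that would be accepted."""
    return count_accepted_codes() / 10 ** CODE_LENGTH


if __name__ == "__main__":
    # Constructed sample inputs; the first is the article's own example.
    for sample in ("4512349", "4512348", "9912340", "451234"):
        print(sample, is_valid_unlock_code(sample))
    print(count_accepted_codes(), random_guess_acceptance_rate())
```

Under the stated assumption, 550,000 of the 10,000,000 possible seven-digit strings pass, so the check provides no real verification of payment.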