Major slip-up allows victims to easily decrypt their files

Apr 29, 2016 02:45 GMT

UPDATE: Decrypting files by pressing the "Pay" button no longer works in the most recent versions of the TrueCrypter ransomware. The initial article about TrueCrypter remains below, unmodified.

AVG malware analyst Jakub Kroustek came across a new ransomware variant that appears to be under development and currently allows victims to decrypt their files just by pressing a button.

This new threat calls itself TrueCrypter and, as its name hints, is a crypto-ransomware variant. After infecting a computer, it searches for files with a specific extension and encrypts them using a dual AES-256 and RSA-2048 encryption mechanism, an approach also used by many other ransomware families.

TrueCrypter targets 194 different file types, and the infection method is currently unknown. The good news is that at the time of writing, the ransomware had a detection rate of 27/56 on VirusTotal.

After infecting a user and encrypting their files, TrueCrypter shows the ransom note in the form of a popup window.

TrueCrypter asks for payment in Bitcoin or Amazon gift cards

The ransomware author asks for 0.2 Bitcoin (~$90) or $115 in the form of Amazon gift cards. This is the second ransomware discovered this week that uses this non-conventional payment method, after Blue Coat Labs researchers previously discovered the Cyber.Police ransomware targeting Android mobile devices via a unique infection method.

Cyber.Police didn't ask for Amazon gift cards, but for iTunes gift cards. As a ransom payment method, gift cards are a dangerous practice because, if used incorrectly, they can leave a trace back to the malware author.

As for infected victims, the good news is that the ransomware seems to have an implementation issue. Users who want to decrypt their files should check the bottom right corner of the popup for a button with an arrow pointing to the right.

Pressing this button opens the payment screen, where there will be another button in the bottom right that says "Pay." Mr. Kroustek discovered that pressing this button, in the current versions of TrueCrypter, starts the file decryption process.

h/t @MalwareHunterTeam
