- Jan 24, 2011
- 9,379
Symantec has learned of a new crypto ransomware threat (Trojan.Cryptolocker.S) that is infecting computers in Australia. The malware encrypts images, videos, documents, and more on the compromised computer and demands up to AU$1,000 (US$791) to decrypt these files. On analysis, we discovered that the theme used in this attack was styled around the now infamous TV show Breaking Bad.
The malware authors cooked up their ransom demand message using the ‘Los Pollos Hermanos’ branding image found in the show. Along with this, part of the email address used in the extortion demand is based on a quote by the show’s protagonist Walter White, who declared "I am the one who knocks."
Figure 1. Trojan.Cryptolocker.S ransom demand
We believe that the crypto ransomware uses social engineering techniques as a means of infecting victims. The malware arrives through a malicious zip archive, which uses the name of a major courier firm in its file name. This zip archive contains a malicious file called ‘PENALTY.VBS’ (VBS.Downloader.Trojan) which when executed, downloads the crypto ransomware onto the victim’s computer. The threat also downloads and opens a legitimate .pdf file to trick users into thinking that the initial zip archive was not a malicious file.
Based on our initial analysis, the threat appears to be using components or similar techniques to an open-source penetration-testing project, which uses Microsoft PowerShell modules. This allows the attackers to run their own PowerShell script on the compromised computer to operate the crypto ransomware.
The malware encrypts files using a random Advanced Encryption Standard (AES) key. This key is then encrypted with an RSA public key so that victims can only decrypt their files by obtaining the private key from the attackers.
The crypto ransomware targets files with the following extensions for encryption:
Figure 2. Trojan.Cryptolocker.S ransom payment page
Read more: http://www.symantec.com/connect/blo...-pollos-hermanos-crypto-ransomware-found-wild
The malware authors cooked up their ransom demand message using the ‘Los Pollos Hermanos’ branding image found in the show. Along with this, part of the email address used in the extortion demand is based on a quote by the show’s protagonist Walter White, who declared "I am the one who knocks."
Figure 1. Trojan.Cryptolocker.S ransom demand
We believe that the crypto ransomware uses social engineering techniques as a means of infecting victims. The malware arrives through a malicious zip archive, which uses the name of a major courier firm in its file name. This zip archive contains a malicious file called ‘PENALTY.VBS’ (VBS.Downloader.Trojan) which when executed, downloads the crypto ransomware onto the victim’s computer. The threat also downloads and opens a legitimate .pdf file to trick users into thinking that the initial zip archive was not a malicious file.
Based on our initial analysis, the threat appears to be using components or similar techniques to an open-source penetration-testing project, which uses Microsoft PowerShell modules. This allows the attackers to run their own PowerShell script on the compromised computer to operate the crypto ransomware.
The malware encrypts files using a random Advanced Encryption Standard (AES) key. This key is then encrypted with an RSA public key so that victims can only decrypt their files by obtaining the private key from the attackers.
The crypto ransomware targets files with the following extensions for encryption:
- .ai
- .crt, .csv
- .db, .doc, .docm, .docx, .dotx
- .gif
- .jpeg, .jpg
- .lnk
- .mp3, .msi
- .ods, .one, .ost
- .p12, .pdf, .pem, .pps, .ppsx, .ppt, .pptx, .psd, .pst, .pub
- .rar, .raw, .rtf
- .tif, .txt
- .vsdx
- .wma
- .xls, .xlsm, .xlsx, .xml
- .zip
Figure 2. Trojan.Cryptolocker.S ransom payment page
Read more: http://www.symantec.com/connect/blo...-pollos-hermanos-crypto-ransomware-found-wild
