15 Mar 2006

Zippo Trojan horse demands $300 ransom for victims' encrypted data

Sophos experts reveal password used in criminal attack is disguised as a directory path

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned users about a Trojan horse that encrypts victims' computer data, and then attempts to extort a $300 ransom.

The Troj/Zippo-A Trojan horse (also known as CryZip) searches innocent users' computers for files such as Word documents, databases and spreadsheets, and moves them into password-encrypted ZIP files. It then creates another file telling the affected user that they need to pay $300 to an E-Gold account to recover their data.

Part of the ransom demand left by the Zippo Trojan horse.

"The Zippo Trojan horse is bold as brass, scooping up your valuable data and locking it away until you agree to pay the ransom to the criminals who have "kidnapped" your files. Companies who have made regular backups may be able to recover easily, but less diligent businesses may be in a quandary about whether to cough up the cash," said Graham Cluley, senior technology consultant for Sophos. "In the old days malware was typically written by teenagers who wanted to show off to their mates. Now most of the viruses and Trojan horses we see are being written with the intention of making money from innocent internet users. The attacks are becoming more organized and more malicious, and every computer needs to be properly defended."

Sophos experts who have analysed the Trojan horse have determined the password used to encrypt users' data.

"Experts at Sophos have disassembled the Zippo Trojan and determined that the password it uses to encrypt data is C:\Program Files\Microsoft Visual Studio\VC98," continued Cluley. "So there should be no need for anyone unfortunate enough to have suffered from this ransomware attack to have to pay the reward to the criminals behind it. It looks like this password was deliberately chosen by the Trojan's author in an attempt to fool analysts into thinking it was a directory path instead."

Sophos recommends that companies protect their email with a consolidated solution to thwart virus, spyware and spam threats, and secure their desktops and servers with automatically updated anti-virus protection.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.