Ransom Trojan horse demands money with menaces

April 28, 2006 Sophos Press Release

The Trojan horse holds data hostage until a ransom is paid.

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned users about a Trojan horse that prevents victims from accessing their computer data and asks for ransom to be paid via Western Union.

The Troj/Ransom-A Trojan horse threatens to delete one file belonging to the innocent user every 30 minutes, until the $10.99 ransom demand is fulfilled.

Upon activation, the Trojan horse displays some pornographic images, as well as the following message:

listen up muthafucka
is this computer valuable. it better not be. is this a business computer. it better not be. do you keep important company records or files on this computer. you'd better hope not. because there are files scattered all over it tucked away in invisible hidden folders undetectable by antivirus sofware the only way to remove them and this message is by a CIDN number

The Trojan horse continues to explain that a "CIDN number" can be acquired by making a payment via Western Union to the hacker. Once the number has been entered, the Trojan promises to remove itself and restore access to the stolen files.

"This Trojan horse is designed to take your data hostage, and tries to scare users into paying up quickly by threatening to wipe files one-by-one. Our concern is that this may be the beginning of a growing trend of malware designed to extort money from innocent users," said Graham Cluley, senior technology consultant for Sophos. "Ransomware like this underlines the importance for every computer user to make regular backups of their important data, and to defend their computers with up-to-date security software."

Sophos experts note that the Trojan horse circumvents attempts to remove it from infected computers once it has activated. If the affected user presses Ctrl-Alt-Del in an attempt to stop the Trojan horse running, another message is displayed:

Yeah, We don't die, We multiply! Ctrl+Alt+Del isn't quite working today, is it? I'm not the sharpest tool in the shed but Crtl+Alt+Del is everyone's S.O.S.

"Curiously, the malware author doesn't appear to have a lot of confidence in his Trojan horse working properly as he suggests victims contact him at a Yahoo email address if they have a problem uninstalling the Trojan once they have paid up," continued Cluley.

In March, Sophos reported on a Trojan horse that encrypted victims' data and demanded $300 for the password to unlock the information. Sophos experts analysed the malware and published the password, foiling the villain's plans.

Sophos recommends that companies protect their email with a consolidated solution that thwarts virus, spyware and spam threats, and secure their desktops and servers with automatically updated anti-virus protection.