|The Arhiveus Trojan horse holds data hostage from infected users.|
Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned users about a Trojan horse that encrypts victims' computer data, and then attempts to force users into making a purchase from an online pharmacy.
The Troj/Arhiveus-A Trojan horse (also known as MayAlert) scoops up files in innocent users' "My Documents" folder and creates a file called EncryptedFiles.als.
When users try to access their files they are directed to a file containing instructions on how to recover the data. The instructions begin:
INSTRUCTIONS HOW TO GET YOUR FILES BACK
READ CAREFULLY. IF YOU DO NOT UNDERSTAND - READ AGAIN.
This is the automated report generated by auto archiving software.
Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was archived with long password.
You can not guess the password for your archived files - password length is more than 30 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).
Do not try to search for a program that encrypted your information - it simply does not exist in your hard disk anymore. Reporting to police about a case will not help you, they do not know the password. Reporting somewhere about our email account will not help you to restore files. Moreover, you and other people will lose contact with us, and consequently, all the encrypted information.
To retrieve their files (which may include personal photographs, letters, household budgets and other content), users must enter a 30 character password -which, they are told, is only available after they make purchases from one of three online drug stores.
Files cannot be accessed until the correct password is entered.
"Internet hackers are getting bolder in their attempts to steal money from innocent web users. Once your valuable data is locked away you may be tempted to pay up to rescue your files, but this will only encourage more blackmail attempts in the future. Companies who have made regular backups may be able to recover easily, but less diligent home users may feel forced to cough up the cash," said Graham Cluley, senior technology consultant for Sophos. "Today, most of the viruses and Trojan horses we see are being written with the intention of making money and we wouldn't be surprised to see much more ransomware being written in the future. Attacks are becoming more organized and more malicious, and every computer needs to be properly defended with up-to-date anti-virus software, firewalls and operating system patches."
Sophos experts who have analysed the Trojan horse have determined the password used to encrypt users' data.
"The password is deliberately long and complicated in an attempt by the hackers to avoid people easily cracking it. Experts at Sophos have disassembled the Arhiveus Trojan and determined that the password is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw," continued Cluley. "So there should be no reason for anyone hit by this ransomware attack to have to make any payments to the criminals behind it."
Sophos notes that this is not the first example of ransomware. In March 2006, the Zippo Trojan horse demanded $300 for the safe return of users' encrypted data. The following month the Ransom-A Trojan horse threatened to delete stolen files one-by-one until a ransom was paid.
Companies are recommended to protect their email with a consolidated solution to thwart the virus, spyware and spam threats and secure their desktops and servers with automatically updated anti-virus protection.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.