New ransom trojan is taking your money

This post is also available in: Slovenian




These days we can read in media really panic news over big new virus Transomcrypt, but it’s just new variant of already known virus for three years so called ransom trojan who locks the documents on the disk and you have to pay some money to solve the problem.

If you have an unsecured computer (unfortunately there are many of them), 50 € actually is not so much to return yours documents. Some unfortunately still do not take seriously warnings about security. There is not panic for those who are diligent and have arranged a backup of their documents and those who have protected their computer with antivirus and antispyware apps.

 How does it work?

Viruses scans all the folders on your hard drive and encrypt any office documents, images, archive files (rar, zip, 7z …) and even links. Each file is added the extension . EnCiPnErEd  at the end. In each folder is waiting a »friendly« message with not so good news about how to get rid of decryption and access own files again for only 50 €. By paying you get the code to unlock the files. If you try to guess the code, you’re limited with only 5 entries, after than you lose your data for ever.


Because virus can best be removed and unlock files with good Russian antivirus firm dr. Web app, we can certainly conclude that it’s a virus originated in Russia.

Dr. Web offers a special app te94decrypt.exe to decrypt, but unfortunately it’s not 100%, its possible some files are only partially successful decrypted, which means those files are lost forever. In addiction note, that this is a new variant of yet known trojan virus encoder.94 . 2, 3 years ago had been circulating in Russia and other former soviet republics, but interesting it did not spread beyond these borders.

This new variant is adapted for »foreign market« as the instructions for decrypting are just English translation of original Russian message. Ransomcrypt virus first began spreading in Germany, Spain, Italy, England, Poland, Austria, Bulgaria and Norway on 9th and 10th April 2012, then began to spread even further, now also in Slovenia.

Trend Micro

Trend Micro also reported a month ago on the proliferation of various ransomware programs outside of Russia, expanded mostly in USA, Germany, France, Australia, Italy and Taiwan.

In England it was even a ransom trojan variant which is fake represented as the Metropolitan Police blocking porn content and they have to pay a small amount of the penalty to unblock content.

UPDATE:

Different versions of virus needs different parameters like -42, -85, -11, -55, -91, -88 when using dr. Web apps te94decrypt.exe. It all depend on what new extension do you have at the end of file, so please check on web before using it.

Saša

Works as system engineer in Slovenian Enterprise in Microsoft environment focusing on security, deployments, SharePoint, SCCM and CheckPoint firewall. Author of successful blog about IT security, Microsoft tips & tricks, social media, internet trends.

Leave a Reply