Tuesday, December 01, 2009

New Ransomware Blocks Internet Access, Demands Money

Ransomware is nothing new. We've all seen Windows trojans resort to a little blackmail, locking up a user's PC until they spend money on fake anti-virus that turns out to be more malicious than the original infection. Today, however, has to be the first time I've ever heard of a piece of ransomware that blocks a user's internet access flat out, demanding a ransom before it will return control.

Computer Associates' Internet Security Business Unit first discovered the new trojan bundled with software named uFast Download Manager. Once downloaded, the trojan is installed alongside uFast Download Manager without informing the user. The trojan then goes to work, blocking internet access until the user enters an activation code. This activation code is obtained by sending an SMS containing a particular number to an expensive premium-rate phone number; CA does not mention the sum involved.

The malware, dubbed 'Win32/RansomSMS.AH', appears to be Russian in nature, as it uses a Russian-language GUI. Translated, the ransom page states:

Internet access is blocked due to violation of the
license agreement schedules of uFast Download Manager
You must activate your copy

Get a registration code by sending an SMS with the following
code fw0004199 to number ****

In response you will receive an activation message.

Enter the activation message received from the SMS response ________

CA withheld the details of the amount involved in sending the SMS to the premium-rate phone service; however, past ransomware programs demanded upwards of $50-60 for removal. This time around, CA ISBU found a way to circumvent the activation scheme and created an activation code generator for this particular ransomware. As yet, there has been no word on actual removal tools. It is suggested that you keep your AV, anti-malware and anti-spyware software up to date to possibly stave off infection.

Source: CA Security Advisor Research Blog
