Ransomware: Pay us US$35 or be forever locked out of your box!

03 January 2008

Ransomware, malware that forces the user of an infected machine to pay a sum of money to Someone Out There in exchange for regaining access to their data, isn't exactly the most common thing going around, but it seems to be catching on, and I can't think of a reason why it would slow down. Earlier strains found in the wild did things like find and encrypt all Excel spreadsheets on a machine and demand that the user wire money someplace in exchange for the utility that would decrypt them, but now the stakes are a bit higher on both sides of the fence: a new malware agent locks users completely out of their machines until US$35 is paid, either by dialing a premium-rate phone number (most of the cost of which goes to the bad guys) or by going to a web site that processes payments for porn sites. The beastie manifests as a full-screen error message that pretends to be a nag screen for an anti-malware application whose license has expired.

From what I've been able to tell, no one's written a universal unlocker yet for this little nasty, unlike some of the other extortionware agents in the wild. I wouldn't mind getting hold of a sample of it to start taking apart, so if anyone out there does manage to capture a sample please let me know. Specifically, I'm interested in the mechanism by which user access is locked out, though the PIN generation method used by the beastie is also of interest to me (writing a keygen to banish a malware infestation, as it were).