    Malware Blog - Trend Micro

    Jul 17, 9:58 am (UTC-7)   |    by

    This morning (TrendLabs time), we received news of a new ransomware family from the so-called “Glamorous team”, which claims to encrypt the files it holds hostage using RSA-4096 encryption. Detected by Trend Micro as TSPY_KOLLAH.F, this ransomware is said to have affected several customers, including a couple of large companies in the United States.

    TSPY_KOLLAH.F usually arrives as a file downloaded from the URL http://{BLOCKED}-golf.net/pajero/pajero.exe. When executed, it encrypts files with certain extensions on all available drives of the affected system. These include Microsoft Office files (.DOC, .XLS, .PPT), PDF documents, and archive files (.ZIP, .RAR) — essentially files that contain private data and are therefore the most valuable to their owners. Once the spyware finishes this routine, it drops the file READ_ME.TXT in every folder. This file serves as the “ransom note”, telling users that unless they buy the decryptor (for $300), their private data will be shared.

    Below is a screenshot of its ransom note:

    [Screenshot: TSPY_KOLLAH.F ransom note]

    Apart from the file-encryption routine described above, this spyware also lowers the affected system’s Internet Zone security settings and disables several antivirus and security applications/processes (including the Windows Security Center). These techniques leave the system open to additional threats while the spyware continues to hold files hostage without interference.
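    As an added example (not code from the original post), here is a small defender-side sweep in Python that applies the two indicators described above: it walks a directory tree, lists every folder that contains READ_ME.TXT and counts files of the targeted extensions sitting alongside it. The sample directory layout it builds is constructed for the demonstration only.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the write-up above: the ransom-note file name and the
# extensions TSPY_KOLLAH.F targets. Matching is case-insensitive on purpose.
RANSOM_NOTE = "READ_ME.TXT"
TARGET_EXTENSIONS = {".doc", ".xls", ".ppt", ".pdf", ".zip", ".rar"}


def sweep_for_ransom_notes(root):
    """Walk `root` and report where the ransom note appears and how many
    files of the targeted types sit in each directory (paths relative to root)."""
    notes = []
    targets = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in filenames:
            if name.upper() == RANSOM_NOTE:
                notes.append(rel)
            if os.path.splitext(name)[1].lower() in TARGET_EXTENSIONS:
                targets[rel] += 1
    return {"notes": sorted(notes), "targets_by_dir": targets}


def is_likely_hit(report, min_notes=2):
    """KOLLAH drops READ_ME.TXT in every folder it touches, so the same note
    name in several directories is a much stronger signal than a single file."""
    return len(report["notes"]) >= min_notes


def build_sample_tree():
    """Constructed sample layout (not real victim data) so the sweep runs offline."""
    base = tempfile.mkdtemp(prefix="kollah_demo_")
    layout = {
        "docs": ["report.doc", "budget.xls", "READ_ME.TXT"],
        "docs/archive": ["old.zip", "read_me.txt"],   # lower-case variant of the note
        "pictures": ["holiday.jpg"],                  # not a targeted file type
    }
    for rel, files in layout.items():
        directory = os.path.join(base, *rel.split("/"))
        os.makedirs(directory, exist_ok=True)
        for name in files:
            open(os.path.join(directory, name), "w").close()
    return base


if __name__ == "__main__":
    report = sweep_for_ransom_notes(build_sample_tree())
    for d in report["notes"]:
        print(f"ransom note in {d!r}, {report['targets_by_dir'][d]} targeted file(s)")
    print("likely KOLLAH activity:", is_likely_hit(report))
```

    Point `sweep_for_ransom_notes` at a mounted share or user profile to triage a suspected infection; the `min_notes` threshold keeps a single stray file from raising an alert.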

    [Diagram: TSPY_KOLLAH.F infection diagram]

    It seems that after a year on the sidelines, ransomware is attempting to steal the spotlight from Web threats and other crimeware (e.g., Trojan spyware) that have since proliferated. Note that one of the last notable ransomware families — TROJ_CRYZIP.A — was detected in March 2006.

    TrendLabs is currently giving its best efforts to ensure the right solutions are delivered to mitigate this attack. TSPY_KOLLAH.F is already detected by the latest pattern file. Thus, customers are advised to update their Trend Micro products immediately. Other users can also use HouseCall, Trend Micro’s free online threat scanner.





    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice