TrendLabs Malware Blog - Trend Micro
    9:58 am (UTC-7)   |    by

    This morning (TrendLabs time), we received news of a new ransomware family from the so-called “Glamorous team”, which claims to encrypt the files it holds hostage using an RSA-4096 encryption tool. Detected by Trend Micro as TSPY_KOLLAH.F, this ransomware is said to have affected several customers, including a couple of large companies in the United States.

    TSPY_KOLLAH.F usually arrives as a file downloaded from the URL http://{BLOCKED}. When executed, it encrypts files with certain extensions on all available drives of the affected system. The targeted files include Microsoft Office files (.DOC, .XLS, .PPT), PDF documents, and archive files (.ZIP, .RAR) — essentially files that contain private data, and therefore the files that matter most to computer users. Once this spyware has finished this routine, it drops the file READ_ME.TXT in every folder. This file serves as the “ransom note”, telling users that unless they buy the decryptor (for $300), their private data will be shared.
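The two observable traces described above (a READ_ME.TXT note dropped in every folder, and Office/PDF/archive files whose contents have been replaced by ciphertext) are what an incident responder would look for when triaging a suspect system. The following Python script is an added example and is not Trend Micro's code or anything shipped with its products. It assumes the note name READ_ME.TXT from this post and further assumes that an encrypted file no longer begins with the magic bytes of the format its extension promises (the post does not describe what the encrypted files look like, so that heuristic is an assumption). The sample file listing is constructed for illustration; `scan_tree` shows how the same check would be fed from a real directory walk.

```python
import os

# Hypothetical triage helper (added example, not Trend Micro code).
# Assumptions: the ransom note is named READ_ME.TXT (from the post), and an
# intact file of a targeted type starts with its usual magic bytes, so a file
# whose extension promises a known format but whose header does not match is
# reported as "suspect" (encrypted contents carry no such header).
RANSOM_NOTE = "READ_ME.TXT"

# Magic bytes for the formats the post names: legacy OLE2 Office, PDF, ZIP, RAR.
MAGIC = {
    ".doc": (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",),
    ".xls": (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",),
    ".ppt": (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",),
    ".pdf": (b"%PDF",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),
}


def header_matches(ext, head):
    """True/False for a targeted extension; None if the extension is not of interest."""
    sigs = MAGIC.get(ext.lower())
    if sigs is None:
        return None
    return any(head.startswith(s) for s in sigs)


def triage(entries):
    """entries: iterable of (path, first_bytes). Returns a summary dict."""
    all_dirs, note_dirs, suspect, intact = set(), set(), [], 0
    for path, head in entries:
        directory = os.path.dirname(path)
        all_dirs.add(directory)
        name = os.path.basename(path)
        if name.upper() == RANSOM_NOTE:
            note_dirs.add(directory)
            continue
        verdict = header_matches(os.path.splitext(name)[1], head)
        if verdict is None:
            continue  # not a file type the ransomware targets
        if verdict:
            intact += 1
        else:
            suspect.append(path)
    return {
        "dirs_scanned": len(all_dirs),
        "dirs_with_note": len(note_dirs),
        # Fraction of folders carrying the note: close to 1.0 is the "note in
        # every folder" behaviour described in the post.
        "note_coverage": len(note_dirs) / len(all_dirs) if all_dirs else 0.0,
        "suspect_files": sorted(suspect),
        "intact_files": intact,
    }


def scan_tree(root, nbytes=16):
    """Feed triage() from a real directory: yields (path, first nbytes)."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                with open(p, "rb") as fh:
                    yield (p, fh.read(nbytes))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep


def sample_entries():
    """Constructed sample listing standing in for scan_tree() output."""
    ole = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00"
    return [
        ("C:/Users/alice/Documents/READ_ME.TXT", b"Your private data..."),
        ("C:/Users/alice/Documents/report.doc", b"\x7f\x3a\xc9\x12\x88\x01"),  # ciphertext, suspect
        ("C:/Users/alice/Documents/budget.xls", ole),                           # intact
        ("C:/Users/alice/Pictures/READ_ME.TXT", b"Your private data..."),
        ("C:/Users/alice/Pictures/holiday.jpg", b"\xff\xd8\xff\xe0"),          # not targeted
        ("C:/Users/alice/Downloads/archive.zip", b"\x9a\x1f\x40\x02"),          # ciphertext, suspect
        ("C:/Users/alice/Downloads/notes.pdf", b"%PDF-1.4\n"),                  # intact
        ("C:/Windows/System32/drivers/etc/hosts", b"# Copyright"),             # no note here
    ]


if __name__ == "__main__":
    for key, value in triage(sample_entries()).items():
        print(f"{key}: {value}")
```

On a live system you would call `triage(scan_tree(r"C:\"))` instead of the constructed listing. The OLE signature only covers the legacy binary .DOC/.XLS/.PPT formats the post names; the newer Office formats are ZIP containers and would fall under the .zip rule if added to the table.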

    Below is a screenshot of its ransom note:


    Apart from the file-encryption routine, this spyware also lowers the affected system’s Internet Zone security settings and disables several antivirus and security applications/processes (including the Windows Security Center). These techniques leave the system open to additional threats while the spyware continues to hold files hostage without interference.


    It seems that after a year on the sidelines, ransomware is attempting to steal the spotlight from the Web threats and other crimeware (e.g., Trojan spyware) that have since proliferated. Note that one of the last notable ransomware families, TROJ_CRYZIP.A, was detected in March 2006.

    TrendLabs is currently giving its best efforts to ensure the right solutions are delivered to mitigate this attack. TSPY_KOLLAH.F is already detected by the latest pattern file, so customers are advised to update their Trend Micro products immediately. Other users can also use HouseCall, Trend Micro’s free online threat scanner.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice