    TrendLabs has received reports of a malware strain that encrypts all files ending with the following extensions:

    • csv
    • doc
    • docx
    • mdb
    • mpl
    • pps
    • ppt
    • pptx
    • rar
    • rtf
    • txt
    • vsd
    • vst
    • xls
    • xlsx
    • zip

    Then it drops a ransom note named README_ASAP.TXT:

    Dear User,

    Thank you for using our service.
    We’ve recently inspected your system and found out many critical security holes.
    It’s not a joke, and it bring out clearly that we were able to crypt all of your text files, documents, archives and data files.

    For your security we did it before than someone else: hacker, virus or just stupid vandal.
    In world, hijackers are hunting for your bank account, credit card information, or something valuable.
    Now, even if they’ll hack your computer they steal nothing, because all of your important files are now crypted and secured. There is no technology or scientific method to crack this kind of encrypting in near future Unfortunatelly as like other job, our services cost money. Just only 150$ US dollars. It is worth much less than if you loose all your files.
    We accept only Western Union, and we garantee that your’ll receive decrypting program with detailed manual in less than hour after we’d received your payment.
    If you need your information back, just send an email to:

    XXXXX@XXXXXXXXXXXXXXXX

    and we’ll send you further instructions in 5 minutes.

    Do not worry, you’ll get all back in hour after we get Western Union Transfer details. ONLY IN ONE HOUR!!!

    We are sorry for your inconvenience, but better we and less, than somebody and more.

    Q. I didn’t order your service and dont want to pay! I’ll go to police!
    A. It’s up to you. If you belive they do it better, then do it.

    Q. I am poor studentbankrupthousewife. I dont have money.
    A. It’a sad to hear.

    Q. I’ve sent an email to you for a discount.
    A. Sorry, but we can’t answer to all our correspondents due to high load.

    Q. I need my information ASAP!
    A. Dont worry! You will get it in one hour after we receive your MTSN. (western union control number)

    Q. How i can trust you? Maybe you’ll rip me?
    A. We understand if you send money for our work-your info important for you.And we don’t want make your life worse.You’ll certanly get the Decription Program.

    Thank you,
    Network Security Audit Plus

    Users are then left with hundreds of unusable files, with no means of recovery as of yet. TrendLabs has identified the culprits to be TROJ_GPCODE.AB and TROJ_GPCODE.AC.
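As an added example (not code from the original post or from Trend Micro), the following Python script shows how a defender could check a file share for the two indicators described above: the dropped README_ASAP.TXT note, and files carrying one of the listed extensions whose content no longer looks like that format. The leading-byte signatures for the ZIP-based Office formats, OLE2 documents, RAR archives, RTF and Jet databases are taken from the public format specifications; the entropy threshold and the sample tree built by `build_sample_tree()` are constructed assumptions for the demonstration, and `os.urandom` stands in for ciphertext.

```python
import math
import os
import tempfile
import zipfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Extensions the post lists as targets of TROJ_GPCODE.AB / TROJ_GPCODE.AC.
TARGET_EXTENSIONS = {"csv", "doc", "docx", "mdb", "mpl", "pps", "ppt", "pptx",
                     "rar", "rtf", "txt", "vsd", "vst", "xls", "xlsx", "zip"}
RANSOM_NOTE_NAME = "README_ASAP.TXT"

# Expected leading bytes per binary format (from the public format specs).
# csv, mpl and txt have no magic and are judged by entropy alone.
_ZIP = (b"PK",)
_OLE2 = (b"\xd0\xcf\x11\xe0",)
MAGIC = {
    "zip": _ZIP, "docx": _ZIP, "xlsx": _ZIP, "pptx": _ZIP,
    "doc": _OLE2, "xls": _OLE2, "ppt": _OLE2, "pps": _OLE2, "vsd": _OLE2, "vst": _OLE2,
    "mdb": (b"\x00\x01\x00\x00Standard Jet DB",),
    "rar": (b"Rar!",),
    "rtf": (b"{\\rtf",),
}
# Assumed threshold: plain text usually scores well under 5 bits/byte,
# ciphertext (or random data) sits close to 8.
ENTROPY_THRESHOLD = 7.5
HEAD_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> Optional[str]:
    """Return a reason string if the file looks encrypted, else None."""
    ext = path.suffix.lower().lstrip(".")
    if ext not in TARGET_EXTENSIONS:
        return None
    with path.open("rb") as fh:
        head = fh.read(HEAD_BYTES)
    if ext in MAGIC:
        # A binary format whose header is gone has most likely been overwritten.
        if not any(head.startswith(m) for m in MAGIC[ext]):
            return f"header mismatch for .{ext}"
        return None
    if shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "high-entropy content in a text format"
    return None


def scan_for_gpcode_indicators(root: Path) -> Dict[str, list]:
    """Walk `root`, collecting ransom notes and files that fail the format check."""
    root = Path(root)
    notes: List[str] = []
    suspicious: List[Tuple[str, str]] = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        if p.name.upper() == RANSOM_NOTE_NAME:
            notes.append(rel)
            continue
        reason = classify_file(p)
        if reason:
            suspicious.append((rel, reason))
    return {"ransom_notes": notes, "suspicious_files": suspicious}


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: two healthy documents, two 'encrypted' ones, a note."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(root / "report.docx", "w") as z:
        z.writestr("word/document.xml", "<w:document/>")          # valid OOXML container
    (root / "notes.txt").write_bytes(b"quarterly numbers look fine\n" * 40)
    (root / "budget.doc").write_bytes(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504)
    # Files whose content was replaced by ciphertext (simulated with os.urandom).
    (root / "clients.xls").write_bytes(os.urandom(2048))
    (root / "memo.txt").write_bytes(os.urandom(2048))
    (root / RANSOM_NOTE_NAME).write_text("Dear User,\n\nThank you for using our service.\n")


def run_demo() -> Dict[str, list]:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return scan_for_gpcode_indicators(Path(tmp))


if __name__ == "__main__":
    findings = run_demo()
    print("ransom notes:", findings["ransom_notes"])
    for name, reason in findings["suspicious_files"]:
        print(f"suspicious: {name} ({reason})")
```

Checking the header first and entropy only for headerless text formats matters: compressed archives and OOXML documents are themselves high-entropy, so an entropy-only check would flag every healthy .zip and .docx on the share. Run against a real share, the script reads only the first 4 KB of each file, so it is cheap enough for a scheduled sweep.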

    This routine is similar to the TSPY_KOLLAH.F attack reported last month, where various file formats were held “hostage” by encryption using the RSA-4096 algorithm. Similarly, the earlier attack left a READ_ME.TXT file informing users that a certain software must be purchased to revert the encrypted files to their un-encrypted form. It is interesting to note, however, that this attack offers a cheaper price for its decryption software ($150) than last month’s $300.

    Ransomware has been defined as malware used for an extortion crime. Such malicious routines are nothing new, as cases have been reported as early as 2005. However, they have remained low-key until now, indicating that ransomware may be on the rise.

    In this regard, TrendLabs strongly advocates making back-up copies of your files, in case they get infected, deleted, stolen — or in this case, ransomed.
