Trojan Holds Files for Ransom

Cryzip encrypts files and demands $300 from victims.

The explosion of criminal extortion activity on the Internet took another turn with the discovery of a new Trojan that encrypts files on an infected computer and then demands $300 in ransom for a decryption password.

The Trojan, identified as Cryzip, uses cryptography to store the target's documents inside a password-protected Zip file and leaves step-by-step instructions on how to use the e-gold online currency system to pay the ransom.

It is not yet clear how the Trojan is being distributed, but security researchers believe it was part of an under-the-radar e-mail spam run that successfully evaded anti-virus scanners.

The discovery of this type of attack, known as ransomware, is not unique: There are at least two similar instances recorded.

In one incident, in May 2005, researchers at Websense Security Labs found a similar Trojan in the wild. That threat, called PGPcoder, exploited a known security flaw in Microsoft's Internet Explorer browser and used a custom encryption scheme to seize control of important files. In that case, a ransom was also demanded for file decryption.

It all points to an increasing level of sophistication among online thieves, said Shane Coursen, senior technical consultant at Kaspersky Lab, an anti-virus vendor in Woburn, Mass.

The LURHQ Threat Intelligence Group was able to crack the encryption used in the Cryzip Trojan and determine how the files are encrypted, identify the e-gold payment mechanism that has been set up to collect the $300 ransom, and list the e-gold account numbers that are being used to collect the funds.

Cryzip searches an infected hard drive for widely used file types, including Microsoft Word and Excel files, PDFs and JPEGs. Once commandeered, the files are zipped, and the original text is overwritten with the message "Erased by Zippo! GO OUT!!!"

The Trojan then deletes all the files, leaving only the encrypted version with a text directory that includes very specific instructions on how to pay to retrieve the files.
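The two on-disk traces the article attributes to Cryzip, password-protected Zip archives and documents overwritten with the "Erased by Zippo! GO OUT!!!" marker, are both cheap to inventory during incident triage. The script below is an added example, not code from the article or from LURHQ: it walks a directory, reports archives whose members carry the Zip encryption flag (bit 0 of the general-purpose flag field), and reports files that begin with the overwrite marker. The sample directory it builds is constructed here (file names like `documents.zip` and `budget.xls` are assumptions), and the "encrypted" archive is produced by setting the flag bit on an ordinary stored archive, since Python's standard library cannot write password-protected Zips.

```python
"""Triage helper (added example; not from the article or LURHQ) that inventories
a directory for the two on-disk traces the article attributes to Cryzip:
password-protected Zip archives and files overwritten with the Zippo marker."""
import os
import struct
import tempfile
import zipfile

ZIPPO_MARKER = b"Erased by Zippo! GO OUT!!!"   # overwrite text quoted in the article
ENCRYPTED_FLAG = 0x0001                        # bit 0 of the Zip general-purpose flags


def is_encrypted_zip(path):
    """True if the file is a Zip archive with at least one encrypted member.
    Only the central directory is read, so no password is needed to inspect it."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        return any(info.flag_bits & ENCRYPTED_FLAG for info in zf.infolist())


def has_zippo_marker(path, max_bytes=4096):
    """True if the marker appears in the first max_bytes of the file."""
    with open(path, "rb") as fh:
        return ZIPPO_MARKER in fh.read(max_bytes)


def triage(root):
    """Walk root and return sorted relative paths under two findings keys."""
    findings = {"encrypted_zips": [], "overwritten": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if is_encrypted_zip(path):
                findings["encrypted_zips"].append(rel)
            elif has_zippo_marker(path):
                findings["overwritten"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def make_sample_encrypted_zip(path):
    """Constructed sample: write a one-member stored Zip, then set the encryption
    bit in both the local file header (flags at offset 6) and the central
    directory entry (flags at offset 8). Readers then treat the member as
    password-protected even though the data itself was never enciphered."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.doc", b"quarterly figures")
    with open(path, "rb") as fh:
        data = bytearray(fh.read())
    local = data.find(b"PK\x03\x04")      # local file header signature
    central = data.find(b"PK\x01\x02")    # central directory entry signature
    for off in (local + 6, central + 8):
        flags = struct.unpack_from("<H", data, off)[0] | ENCRYPTED_FLAG
        struct.pack_into("<H", data, off, flags)
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample_dir():
    """Constructed sample directory: one flagged archive, one overwritten
    document, one untouched text file (names are assumptions)."""
    root = tempfile.mkdtemp(prefix="cryzip_triage_")
    make_sample_encrypted_zip(os.path.join(root, "documents.zip"))
    with open(os.path.join(root, "budget.xls"), "wb") as fh:
        fh.write(ZIPPO_MARKER)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"nothing to see here")
    return root


if __name__ == "__main__":
    sample_root = build_sample_dir()
    print(triage(sample_root))
```

Because the encryption bit lives in the archive headers rather than in the member data, the check works on archives the responder cannot open, which is exactly the state the victim's disk is left in. Point `triage()` at the affected volume instead of the constructed sample to run it on real evidence.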

The owner of the infected machine is warned not to search for the program that encrypted the data, the note claiming it simply doesn't exist on the hard drive.

The instructions, which are marked by misspellings and poor grammar, contain the following text: "Your computer catched our software while browsing illigal porn pages, all your documents, text files, databases was archived with long enought password. You can not guess the password for your archived files—password lenght is more then 10 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations)."

The Trojan author uses scores of e-gold accounts simultaneously to get around potential shutdowns, according to LURHQ, which published the complete list of e-gold accounts in an alert.

"Infection reports are not widespread, so it is not believed this is a mass threat by any means," read LURHQ's online alert. However, the company said social engineering malware is typically more successful when delivered in low volumes because this allows it to avoid anti-virus detections.

"More attention means the likely closing of the accounts used for the anonymous money transfer," the research group's alert said.