November 30, 2010, 1:24 PM — Malware is all about money. Spyware stealthily captures keystrokes and sensitive data to compromise accounts. Phishing attacks lure users into unwittingly surrendering account credentials and other crucial information. Ransomware uses a much less subtle tactic of demanding the money directly in exchange for the safe return of your own data.
The ransomware attack uses a Trojan to encrypt your data, then notifies you that you must pay a ransom if you want the hostage data returned to you. A SecureList blog post explains, "this type of malware is very dangerous because the chances of getting your data back are very low. It is almost the same as permanent removal of the data from your hard drive."
The latest ransomware attack appears to be a variant of the GpCode Trojan, which has resurfaced roughly once a year for the past several years to extort money. A compromised system shows a Notepad pop-up, or changes the desktop background, to display a message that reads "Attention!!! All your personal files were encrypted with a strong algorithm RSA-1024 and you can't get an access to them without making of what we need!" This grammatical nightmare is followed by more broken-English instructions directing you to read a text file, which explains that a ransom of $120 is required to obtain the decryption key.
Earlier GpCode variants wrote the encrypted data to a new file and then deleted the original, which left the original's contents on disk where file-recovery (undelete) tools could often retrieve them. This latest version instead overwrites the original file in place, so there is nothing left to undelete, making any recovery effort significantly harder, if not virtually impossible.
Researchers advise users to cut power to the computer as quickly as possible once the ransom alert appears. The malware is still busy encrypting in the background while the message is on screen, and a clean shutdown only gives it more time, so pull the plug from the wall if you must; every file it has not yet reached is a file you keep. When you do bring the disk back, do it from clean boot media or on another machine, so the Trojan does not simply resume where it left off.
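Once the power is cut, the practical question is which files were hit and which were saved, since that decides what has to come back from backup. Below is a small triage scanner for that step; it is an added example written for this article, not code from the original post, from Kaspersky, or from any other vendor. It rests on two assumptions: that ciphertext from a strong cipher is indistinguishable from random bytes (near 8 bits of entropy per byte), and that a file overwritten from byte zero no longer carries its format's magic header. Every file it scans here is synthetic and constructed in a temporary directory; the "ciphertext" is seeded pseudo-random noise standing in for real RSA/AES output.

```python
"""Post-incident triage: flag files that look like they were overwritten with ciphertext.

Added example for this article (not the original post's or any vendor's code).
Assumptions: ciphertext looks like random bytes, and a file encrypted in place
loses its magic header. Sample files below are constructed, not real captures.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict

# Bits per byte: random data approaches 8.0; English text sits near 4.5.
ENTROPY_THRESHOLD = 7.5
# Below this size the entropy estimate is meaningless: a 16-byte file cannot
# exceed 4 bits/byte even if every byte is ciphertext.
MIN_BYTES = 512
# Only the head of each file is sampled: enough to see the header plus a
# representative chunk without reading gigabytes.
HEAD_BYTES = 64 * 1024

# Magic headers of common document and image formats. A file that still starts
# with one of these was not overwritten from byte zero. The check runs before
# the entropy test because compressed formats (jpeg, zip, gzip) are high-entropy
# by nature and would otherwise be false positives.
KNOWN_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\x1f\x8b": "gzip",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole/doc/xls",
    b"%PDF": "pdf",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(head: bytes) -> str:
    """Return plaintext, intact-header:<fmt>, likely-encrypted, or too-small."""
    for magic, fmt in KNOWN_MAGIC.items():
        if head.startswith(magic):
            return f"intact-header:{fmt}"
    if len(head) < MIN_BYTES:
        return "too-small"
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "likely-encrypted"
    return "plaintext"


def triage(root: Path) -> Dict[str, str]:
    """Walk `root` read-only and classify every regular file by its head bytes."""
    results: Dict[str, str] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            results[path.relative_to(root).as_posix()] = classify(fh.read(HEAD_BYTES))
    return results


def build_sample_dir() -> Path:
    """Construct a throwaway folder mimicking a half-encrypted home directory.

    All contents are synthetic. Ciphertext is simulated with seeded pseudo-random
    bytes; real cipher output is equally structureless, which is all that matters.
    """
    rng = random.Random(2010)

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    root = Path(tempfile.mkdtemp(prefix="gpcode-triage-"))
    (root / "docs").mkdir()
    # Untouched text document: low entropy.
    (root / "docs" / "notes.txt").write_bytes(b"Quarterly notes: revenue up, costs flat.\n" * 40)
    # Untouched photo: high-entropy body, but the JPEG header survives.
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + noise(4096))
    # Spreadsheet overwritten in place: no header, near 8 bits/byte.
    (root / "docs" / "budget.xls").write_bytes(noise(4096))
    # Too small to judge from entropy alone.
    (root / "key.bin").write_bytes(noise(32))
    # The ransom note the Trojan drops is itself plain text.
    (root / "docs" / "HOW_TO_DECRYPT.txt").write_bytes(
        b"Attention!!! All your personal files were encrypted...\n" * 10)
    return root


if __name__ == "__main__":
    for name, verdict in triage(build_sample_dir()).items():
        print(f"{verdict:28} {name}")
```

Treat the output as a worklist, not proof: "likely-encrypted" files go on the restore-from-backup list, "intact-header" files deserve a spot check (a variant that encrypts only part of a file, or deliberately preserves headers, would slip past the magic check), and "too-small" files must be inspected by hand. Run it against a read-only mount or a forensic copy of the disk so the scan itself changes nothing.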
Depending on the data being held hostage, the $120 may seem like a reasonable ransom. Weigh it against the effort required to salvage data by other means: breaking RSA-1024 without the private key is not a realistic option for anyone, so $120 can look trivial by comparison.
The real answer, though, is that your data should already be backed up. If you back up on a regular basis, you can wipe and rebuild the compromised system and restore your unencrypted data from backup. Two caveats apply: the backup must live somewhere the infected machine cannot write to (a disconnected drive or a copy the Trojan cannot reach), or it is simply more data to be encrypted, and a backup you have never test-restored is a hope rather than a plan.