Malicious PDF Documents Install File Encrypting Ransomware

26 Nov 2010, 13:46 GMT

A new drive-by attack leverages PDF exploits to install an aggressive piece of ransomware on people's computers, which is designed to encrypt their files and ask for money to restore them.

The new threat was discovered by security researchers from Sophos, and is distributed via maliciously crafted PDF documents, which exploit a vulnerability in older versions of Adobe Reader.

Successful exploitation leads to the ransomware program being dropped and executed on the system with the purpose of extorting money from users.

Ransomware is considered the next step in the evolution of scareware. However, unlike scareware, ransomware does not trick users into making payments; it downright demands them.

In this case, the application makes a wide variety of personal documents inaccessible by encrypting them and asks for $120 to restore them to their original form.

The targeted extensions include .jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .mdb, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .txt, .pdf, .avi, .flv, .lnk, .bmp, .1cd, .md, .mdf, .dbf, .mdb, .odt, .vob, .ifo, .mpeg, .mpg, .doc, .docx, .xls, and .xlsx.

The desktop wallpaper is changed to warn the victim about what happened and how to proceed. "Attention!!!!!! All your personal files were encrypted with a strong algorythm RSA-1024 and you can't get an access to them without making of what we need!," part of the message reads.

Users are told to read a text file dropped on their desktop and called "HOW TO DECRYPT FILES," which contains further instructions about contacting the attackers.

The Sophos researchers point out that the program encrypts the first 10% of the files, making them unusable, and appends the .ENCODED extension to them.
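For triage on a suspect machine, the indicators described above (the .ENCODED suffix, the damaged first 10% and the "HOW TO DECRYPT FILES" note) can be checked with a short script. This is an added example, not code from Sophos or from the original article; the magic-byte table, the function names and the sample files are assumptions constructed for illustration.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

# Well-known magic bytes for a subset of the extensions listed in the article.
MAGIC = {".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".zip": b"PK", ".docx": b"PK", ".xlsx": b"PK", ".pptx": b"PK",
         ".rar": b"Rar!", ".bmp": b"BM", ".psd": b"8BPS"}
NOTE_STEM = "HOW TO DECRYPT FILES"  # name from the article; file extension is an assumption

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 looks like random data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root):
    """Walk root; report ransom notes and *.ENCODED files with header checks."""
    notes, encoded = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.stem.upper() == NOTE_STEM:
            notes.append(path.name)
        elif path.suffix.upper() == ".ENCODED":
            inner = Path(path.stem).suffix.lower()  # report.pdf.ENCODED -> .pdf
            data = path.read_bytes()
            head = data[:max(1, len(data) // 10)]   # region the article says is encrypted
            magic = MAGIC.get(inner)                # None: no known header to compare
            encoded.append({"name": path.name,
                            "header_intact": None if magic is None else data.startswith(magic),
                            "head_entropy": round(entropy(head), 2)})
    return {"notes": notes, "encoded": encoded}

def demo():
    """Build a constructed sample tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        body = (b"%PDF-1.4 constructed sample text\n" * 700)[:20480]
        damaged = bytes(range(256)) * 8 + body[2048:]    # first 10% overwritten
        (root / "report.pdf.ENCODED").write_bytes(damaged)
        (root / "export.pdf.ENCODED").write_bytes(body)  # benign look-alike name
        (root / "HOW TO DECRYPT FILES.txt").write_text("constructed note")
        return triage(root)

if __name__ == "__main__":
    print(demo())
```

A file whose header is intact and whose leading entropy is low, like the constructed `export.pdf.ENCODED`, only shares the suffix and is a likely false positive.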

"Of course, we don't recommend paying money to ransomware extortionists. There's nothing to say that they won't simply raise their ransom demands even higher once they discover you are prepared to pay up," says Graham Cluley, a senior technology consultant at Sophos.

Unfortunately, there is currently no way to decrypt the files, unless you have an unaffected clean backup from which you can restore them.
