It passed the time when viruses were written out of the passion for IT, or for kidding purposes, most viruses are now written for obvious financial gains. You might have heard of this, or even experienced malwares that steal passwords for online games, banking account details, or fake antivirus software for phishing aim, etc. Lots of methods, scenarios have been used for hackers’ ultimate goal to collect illegal dollars. Once your computer is connected to the Internet, you will see the abundance of these ways to earn money.
To deal with the phenomenon, security companies, antivirus software producers are making timely analysis and widely releasing warnings to users via their Internet security bulletins. Any phishing methods, hence, will gradually become less effective, bad guys are forced to switch to new ones. Recently, our system detected a new technique being used by hackers, and we call it “racketeering encryption”.
Applying “racketeering decryption”, hackers write a virus that encrypts users’ data after its infection. Specifically, the virus (recognized as W32.RansomWare.Trojan by Bkav) focuses on the following file extensions: psd, msi, rar, zip, txt, doc, mp3, tif, jpg, jpeg, wma, lnk, docx, gif, bmp, xls, ppt, xlsx, pptx, docm, xlsm, pps, ppsx, ppd, tif, tiff, eps, png, ace, djvu, pdf, xml, rtf, cdr, max.
Picture 1: The file’s content before and after being encrypted.
Picture 2: Encryption algorithm
Then, the virus sends the computer user a message in Russian through Windows Notepad program. The message’s content can be translated into English as follow:
“All your files have been locked!
To unlock your computer, you need to pay 400 rubles into our account 41001473616253 from any ATM.
After the payment, send a scan of your bill to the email address: razb[removed]email@example.com
After we receive your money, instruction for unlocking your computer will be sent to your email address within 24 hours.
Instruction for the replenishment of our account can be found here:
Also you can pay in any other way. After the payment, write an email to inform us how and when you paid.”
Is the price 400 rubles (about 14 USD) for your whole precious data too cheap? Would you give out this sum of money? If I were in this situation, my answer would always be “No”. It’s simply because there’s a much better choice. It is to get help from antivirus experts. To remove this virus from your computer, just download Bkav from the address http://www.bkis.com/home/DownloadE.aspx and install the software onto your computer. Then, you can use BkavDecryptTool to decrypt your data encrypted by the virus.
Hope you soon solve your virus problem to get back to your favorite job! :D
Nguyen Cong Cuong