New LoroBot ransomware encrypts files, demands $100 for decryption

Summary:Researchers from CA have intercepted a new ransomware variant encrypting popular file extensions (.zip; .

Researchers from CA have intercepted a new ransomware variant encrypting popular file extensions (.zip; .rar; .pdf; .rtf; .txt; .jpg; .jpeg; .waw; .mp3; .db; .xls; .docx; .xlsx; .doc) and demanding a $100 for the decryption software.

According to the message which replaces the desktop's background upon execution, the files are encrypted with 256-bit AES encryption, and that "there's a 0% chance that you will be able to manually decrypt the files without the encryption key". However, this particular cybercriminal appears to be bluffing since the ransomware encrypts the data using the XOR cipher.

Naturally, by doing so he allowed CA's researchers to release a free decryptor for Win32/Gpcode.J. Despite that compared to previous campaigns, this one looks rather primitive, ransomware is clearly a trend, one that has already started converging with popular delivery channels such as scareware, and utilizing efficient payment processes such as the ubiquitous SMS micro-payment.

Throughout the entire 2009, cybercriminals have indicated their long-term interest in the development of alternative extortion tactics in order to efficiently earn as much micro-payment revenue as possible. The most recent case of such an alternative extortion tactic, was the introduction of SMS ransomware variant that was displaying persistent inline ads within the browsers of infected victims, often showing disturbing adult content, while requiring a premium-rate SMS for removal.

With the ever-decreasing price for do-it-yourself SMS ransomware building tools within the underground marketplace (average price is between $15 and $30), new market entrants will inevitably prompt the vendors of these releases to "innovate" and introduce new features in an attempt to compete with one another.

Interestingly, despite GPCode's and LoroBot's practice of encrypting popular file extensions, the majority of SMS-based ransomware releases currently offered for sale, emphasize on the practice of locking down an infected party's computer using "Unlicensed copy of Windows" themes, instead of encrypting files.

Topics: Telcos, Collaboration, Mobility, Networking, Security

About

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.