New LoroBot ransomware encrypts files, demands $100 for decryption

Researchers from CA have intercepted a new ransomware variant encrypting popular file extensions (.zip; .rar; .pdf; .rtf; .txt; .jpg; .jpeg; .waw; .mp3; .db; .xls; .docx; .xlsx; .doc) and demanding $100 for the decryption software.

According to the message that replaces the desktop background upon execution, the files are encrypted with 256-bit AES, and "there's a 0% chance that you will be able to manually decrypt the files without the encryption key". However, this particular cybercriminal appears to be bluffing, since the ransomware actually encrypts the data using a XOR cipher.

Naturally, by doing so he allowed CA's researchers to release a free decryptor for Win32/Gpcode.J. Although this campaign looks rather primitive compared to previous ones, ransomware is clearly a trend, one that has already started converging with popular delivery channels such as scareware and with efficient payment processes such as the ubiquitous SMS micro-payment.
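The bluff described above is exactly why a free decryptor was possible: a repeating-key XOR cipher gives up its key as soon as an analyst has a few bytes of known plaintext, and the file types the ransomware targets all begin with well-known header bytes. The Python below is an added illustration, not CA's decryptor or LoroBot's code; the key, key length and sample file are constructed here, and key_len is assumed to be known from analysis of the sample.

```python
from typing import Optional

# Known leading bytes ("magic") of some of the file types the article lists.
# A file that starts with one of these hands an analyst known plaintext.
MAGIC = {
    ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF-",
    ".rar": b"Rar!\x1a\x07\x00",
    ".jpg": b"\xff\xd8\xff",
}


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, ext: str, key_len: int) -> Optional[bytes]:
    """Recover a repeating XOR key of length key_len from the file header.

    plaintext XOR ciphertext equals the key byte at that position, so the
    first key_len bytes of a known header reveal the whole key.  Returns
    None when the header is too short to cover the key (a 3-byte JPEG
    header cannot recover a 4-byte key on its own).
    """
    header = MAGIC.get(ext)
    if header is None or len(header) < key_len or len(ciphertext) < key_len:
        return None
    return bytes(header[i] ^ ciphertext[i] for i in range(key_len))


def decrypt_file(ciphertext: bytes, ext: str, key_len: int) -> bytes:
    """Decrypt one file using a key recovered from its own header."""
    key = recover_key(ciphertext, ext, key_len)
    if key is None:
        raise ValueError(f"not enough known plaintext for a {key_len}-byte key")
    return xor_repeating(ciphertext, key)


# Constructed sample, not real LoroBot data: a tiny zip-like file and a
# 4-byte key of our choosing (a real AES-256 key could never be read off
# a header this way).
SAMPLE_KEY = b"\x4c\x6f\x72\x6f"
SAMPLE_PLAINTEXT = b"PK\x03\x04\x14\x00\x08\x00" + b"report.txt contents"


def demo() -> bytes:
    """Encrypt the sample, then recover the key and plaintext from it."""
    ciphertext = xor_repeating(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    return decrypt_file(ciphertext, ".zip", len(SAMPLE_KEY))
```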

Throughout 2009, cybercriminals have indicated their long-term interest in developing alternative extortion tactics in order to earn as much micro-payment revenue as possible. The most recent such tactic was the introduction of an SMS ransomware variant that displayed persistent inline ads within the browsers of infected victims, often showing disturbing adult content, while requiring a premium-rate SMS for removal.

With the ever-decreasing price of do-it-yourself SMS ransomware building tools within the underground marketplace (the average price is between $15 and $30), new market entrants will inevitably prompt the vendors of these releases to "innovate" and introduce new features in an attempt to compete with one another.

Interestingly, despite GPCode's and LoroBot's practice of encrypting popular file extensions, the majority of SMS-based ransomware releases currently offered for sale emphasize locking down an infected party's computer using "Unlicensed copy of Windows" themes, instead of encrypting files.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

69 comments
  • You forgot to mention..

    ..which OS(s) it affects! Or is it based on something multi-platform like Java?
    AzuMao
    • Use the same rule as in political reporting

      In political reporting of something bad, if you don't see party affiliation, you know it's a Democrat. In computer reporting of something bad, if you don't see an operating system, you know it's Windows.
      frgough
      • Really?

        Wow! Use the OS you like and let it rest.
        Rob.sharp
      • Yeah, right

        If you see some bad political actor, assume it's a Republican. From your post, you are probably a Fox-watching cretin and Fox famously tags GOP offenders (Mark Sanford, Larry Craig) as Democrats.

        Now, go drink your KoolAid, fanboy.
        cdmsr
      • Really?

        Really? I always assumed something bad was caused by the Republicans. OK, not really, but it shows that anybody can play that ridiculously stupid game.
        NordyJ
      • You missed his point

        He was not saying all bad things are done by Democrats. He was saying that in the press, since most of it is left biased, if the political party is not mentioned, it is usually because it is a Democrat. If it is a Republican, it is always pointed out. And two different studies of both CNN and the LA Times back this up, regardless of your personal political background. Similarly, if the OS is not mentioned, it can be assumed to be Windows, since the press only thinks of Windows in computer reporting, and usually only points out the OS when it is something else. No need to get all offended everyone.
        NBrazil
      • This is ZDNET not Fox news

        Why make a political statement when we are here to talk about computers? Your statement is irrelevant.
        gtaylor2
        • Amen to that

          Try to keep an open mind and make educated guesses, remarks, and whatsoever, but keep the stupid political fiasco out of the picture. It won't help or excuse anything; solve the problem instead of pointing fingers. That's dead weight or another sign of incompetence.

          I see this as a sign of new creative thinking and OPPORTUNITIES for people. If there is a wheel there is a way. Rules are made to be broken; therefore, learning how to prevent is the key. That's what people normally learn in martial arts class, basically defense. Anyone just teaching offense means they just don't know how to defend themselves; splendid name but NO go.
          anonymous99
    • If Java Applet? it's isolated from OS! Use Linux! ;)

      I wonder why to date, there has been only one hack of Linux and that was in a Lab! lol

      Should be plain as day why the NSA (National Security Agency) picked Linux as their OS of choice. First off, they WROTE SecureLinux, which has now been integrated into the Linux kernel we can get for free. Microsoft refused to let them have code-able access to their kernel because it's simply not OPEN SOURCE!

      Neither is Apple's hybrid kernel or Unix. So all they gave M$ and its users is a set of security guidelines. That's why DoE and IBM are using Linux to run the most powerful supercomputers on earth. Linux is number in SECURITY!

      Google it and you'll also find out why Google uses Open Source, while over 90% of HPC (high performance computing) computers and clusters run on LINUX. Have any of you ever thought about what the majority of web servers run on? Yes, Linux.... on Apache servers!

      Have you ever heard of Unbreakable Linux Servers? Oracle? Penguin Linux? And a host of others!

      Linux and Open Source are everywhere you are or will ever want to be in the future! Running your car, your game consoles, your cell phones, your DVR and cable boxes, satellites, your bank's web services, and the Web we're on right now, with Apache being the most widely used web server today! :D
      i2fun
  • Look at the bigger size version of the screenshot, it's all in there

    A lot of Russian characters and...

    YES, you guessed it right, the word "windows" prominently displayed in red in the title.

    Who would ever have thought of that?
    The Mentalist
    • But my UAC nanny screen will protect you!!

      Honest!!

      :)
      Wintel BSOD
    • The Russian Characters

      They actually mean something, and they end with the instructions about sending the SMS ransom. My Russian is very rusty, but I was able to make out that they are telling you that something is rotten with your version of Windows and you can fix that if you pay up and get the code for "aktivatsiyah."
      ericddobbs9
  • RE: New LoroBot ransomware encrypts files, demands $100 for decryption

    Since encryption is available on all platforms, everyone will have to be guarded from this. Good thing CA found a fix already for the Microsoft Windows users; other platforms like Linux will have to suffer.
    Loverock Davidson
    • So the only platform that can be hit by malware is the safest platform...

      Right?
      The Mentalist
    • wrong as usual

      The encryption routine runs on the Win32 API; Linux and Mac are totally unaffected.

      quote:

      "Naturally, by doing so he allowed CA's researchers to release a free decryptor for Win32/Gpcode.J."

      I have never seen any evidence this character knows the first thing about computers. We're talking zero comprehension.

      Doesn't ZDnet have some kind of standards?

      Don't they care about the kind of pollution that drives eyes away from this site, toward others with a more serious approach to the mission at hand?

      I mean this clown is entertaining, if being agitated is your idea of entertainment.

      But I for one am trying to get work done and learn a few things along the way. Getting to where there's no point in reading through these threads to find the information that is of value, because most of it devolves into flames and mud being hurled around.
      pgit
      • I'm right

        Encryption is on every platform, CA only made a fix for the Microsoft Windows platform. When your files get encrypted you'll be sorry.
        Loverock Davidson
        • How is a Win32 API...

          ...going to affect non-Windows OSes?

          The fix that was released is only for Windows because this flaw only affects Windows.
          Stuka
        • You're wrong

          I'm a professional programmer and I'm telling you. You are 1000000% wrong!!!
          leiko84
          • Meant for Loverock Davidson

            A million times wrong!
            leiko84
          • He's just here to troll

            Mark his air-headed posts as spam and move on...
            Wintel BSOD