Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

New LoroBot ransomware encrypts files, demands $100 for decryption

By | October 27, 2009, 4:52pm PDT

Researchers from CA have intercepted a new ransomware variant encrypting popular file extensions (.zip; .rar; .pdf; .rtf; .txt; .jpg; .jpeg; .waw; .mp3; .db; .xls; .docx; .xlsx; .doc) and demanding a $100 for the decryption software.

According to the message that replaces the desktop background upon execution, the files are encrypted with 256-bit AES and “there’s a 0% chance that you will be able to manually decrypt the files without the encryption key”. This particular cybercriminal appears to be bluffing, however, since the ransomware actually encrypts the data with an XOR cipher.

By doing so he naturally allowed CA’s researchers to release a free decryptor for Win32/Gpcode.J. Although this campaign looks rather primitive compared to previous ones, ransomware is clearly a trend, and one that has already started converging with popular delivery channels such as scareware and with efficient payment processes such as the ubiquitous SMS micro-payment.
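The reason a free decryptor was possible is worth seeing in code. The following is an added example written for this post, not CA’s decryptor and not LoroBot’s own code: it assumes the “XOR cipher” the article mentions is a fixed key XORed over each file byte by byte (the article does not say how the malware keys it, so that is an assumption), and shows two key-recovery techniques a defender can run on nothing but the victim’s encrypted files: a known-plaintext attack on file headers of the targeted formats, and a per-position statistical break for text files. AES-256 in a proper mode offers no such shortcut, which is what makes the “0% chance” claim a bluff. Every key, file body and file name in the block is constructed for the demo.

```python
"""Why a repeating-key XOR "encryptor" yields to a free decryptor.

Added example for this post, not CA's decryptor and not LoroBot's code. It
assumes the weak scheme is a fixed key XORed over each file byte by byte (the
article says only "XOR cipher"; the keying is an assumption) and shows two
defender-side key-recovery techniques that need nothing but the victim's
encrypted files. Every key, file body and file name below is constructed.
"""
import random
import string
from collections import Counter
from itertools import cycle

# Leading bytes of a few formats from the article's list of targeted extensions.
MAGIC = {
    ".zip": b"PK\x03\x04",
    ".rar": b"Rar!\x1a\x07\x00",
    ".pdf": b"%PDF-1.",
    ".jpg": b"\xff\xd8\xff",
}

# Per-byte score for "does this decoded byte look like English text?":
# lowercase letters and spaces score 1, other printable ASCII scores 0, and
# anything else disqualifies the candidate key byte outright.
_PRINTABLE = set(string.printable.encode())
_SCORE = [1 if x in b"abcdefghijklmnopqrstuvwxyz " else (0 if x in _PRINTABLE else -10**9)
          for x in range(256)]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def key_prefix_from_header(ciphertext: bytes, ext: str) -> bytes:
    """Known-plaintext attack on the file header: C XOR P = K for the first bytes."""
    magic = MAGIC[ext]
    return xor_bytes(ciphertext[: len(magic)], magic)


def _best_key_byte(column: bytes) -> tuple:
    """Return (key_byte, score) for the candidate that makes a column most text-like."""
    counts = Counter(column)
    best_k, best_score = 0, None
    for k in range(256):
        score = sum(n * _SCORE[c ^ k] for c, n in counts.items())
        if best_score is None or score > best_score:
            best_k, best_score = k, score
    return best_k, best_score


def recover_key_from_text(ciphertext: bytes, key_len: int) -> tuple:
    """Solve each key position separately, treating the file as English text."""
    key = bytearray()
    total = 0
    for j in range(key_len):
        k, score = _best_key_byte(ciphertext[j::key_len])
        key.append(k)
        total += score
    return bytes(key), total


def guess_key_len(ciphertext: bytes, max_len: int = 32) -> int:
    """Smallest key length whose per-position solution explains the most text.

    Multiples of the true length tie with it, so the strict comparison keeps
    the first (smallest) length that reaches the best total.
    """
    best_len, best_total = 1, None
    for length in range(1, max_len + 1):
        _, total = recover_key_from_text(ciphertext, length)
        if best_total is None or total > best_total:
            best_len, best_total = length, total
    return best_len


def decrypt_with_recovered_key(ciphertext: bytes) -> bytes:
    """What a free decryptor does: derive the key from the ciphertext, then undo it."""
    key, _ = recover_key_from_text(ciphertext, guess_key_len(ciphertext))
    return xor_bytes(ciphertext, key)


# Constructed victim files. The 16-byte key (all bytes distinct) is made up for the demo.
DEMO_KEY = b"xK7#Qm2!pZ9@vR4$"
_WORDS = (b"backup restore the files were encrypted with a repeating key and the "
          b"wallpaper claims aes but every byte shifts by a fixed pattern so keep "
          b"the encrypted copies for the analysts writing the free decryptor").split()
_rng = random.Random(2009)  # fixed seed so the constructed text is reproducible
DEMO_TEXT = b" ".join(_rng.choice(_WORDS) for _ in range(320)) + b"\n"
DEMO_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
ENC_TEXT = xor_bytes(DEMO_TEXT, DEMO_KEY)
ENC_PDF = xor_bytes(DEMO_PDF, DEMO_KEY)

if __name__ == "__main__":
    print("header attack on .pdf gives key prefix:", key_prefix_from_header(ENC_PDF, ".pdf"))
    print("guessed key length:", guess_key_len(ENC_TEXT))
    print("recovered full key:", recover_key_from_text(ENC_TEXT, 16)[0])
    print("decrypted text matches:", decrypt_with_recovered_key(ENC_TEXT) == DEMO_TEXT)
```

The header attack alone only yields as many key bytes as the format’s magic number is long, which is why the text-statistics break is the second half: once a single .txt or .rtf file gives up the full key, every other file encrypted with that key decrypts with the same `xor_bytes` call. Neither technique has any analogue against a properly keyed AES-256, so the cheapest triage check when a ransom note names a cipher is to compare a victim file against a clean copy of the same file (from backup) and look for exactly this kind of fixed-period byte pattern.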

Throughout 2009, cybercriminals have indicated a long-term interest in developing alternative extortion tactics in order to earn as much micro-payment revenue as possible. The most recent such tactic was an SMS ransomware variant that displayed persistent inline ads, often with disturbing adult content, within the browsers of infected victims while demanding a premium-rate SMS for removal.

With the ever-decreasing price of do-it-yourself SMS ransomware building tools within the underground marketplace (the average price is between $15 and $30), new market entrants will inevitably prompt the vendors of these releases to “innovate” and introduce new features in an attempt to compete with one another.

Interestingly, despite GPCode’s and LoroBot’s practice of encrypting popular file types, the majority of SMS-based ransomware releases currently offered for sale emphasize locking down an infected party’s computer with “Unlicensed copy of Windows” themes rather than encrypting files.


Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Disclosure

Dancho Danchev

More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile.

Biography

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile. You can also follow him on Twitter

69
Comments
RE: New LoroBot ransomware encrypts files, demands $100 for decryption
efsane Updated - 8th Apr 2011
Well done! Thank you very much for professional templates and community edition
sesli sohbet sesli chat
You forgot to mention..
AzuMao 27th Oct 2009
..which OS(s) it affects! Or is it based on something multi-platform like Java?
In political reporting of something bad, if you don't see party affiliation, you know it's a Democrat. In computer reporting of something bad, if you don't see an operating system, you know it's Windows.
Really?
Rob.sharp@... 28th Oct 2009
Wow! Use the OS you like and let it rest.
Yeah, right
cdmsr 28th Oct 2009
If you see some bad political actor, assume it's a Republican. From your post, you are probably a Fox-watching cretin and Fox famously tags GOP offenders (Mark Sanford, Larry Craig) as Democrats.

Now, go drink your KoolAid, fanboy.
Really?
nordyj2001@... 28th Oct 2009
Really? I always assumed something bad was caused by the Republicans. OK, not really, but it shows that anybody can play that ridiculously stupid game.
You missed his point
NBrazil 28th Oct 2009
He was not saying all bad things are done by Democrats. He was saying that in the press, since most of it is left biased, if the political party is not mentioned, it is usually because it is a Democrat. If it is a Republican, it is always pointed out. And two different studies of both CNN and the LA Times back this up, regardless of your personal political background. Similarly, if the OS is not mentioned, it can be assumed to be Windows, since the press only thinks of Windows in computer reporting, and usually only points out the OS when it is something else. No need to get all offended everyone.
This is ZDNET not Fox news
gtaylor2 29th Oct 2009
Why make a political statement when we are here to talk about computers? Your statement is irrelevant.
amen to that
anonymous99 30th Oct 2009
Try to keep an open mind and make educated guesses, remarks, and whatsoever, but keep the stupid political fiasco out of the picture. It won't help; excuse, solve the problem instead of pointing fingers. That's dead weight or another sign of incompetence.

I see this as a sign of new creative thinking and OPPORTUNITIES for people. If there is a wheel there is a way. Rules are made to break; therefore, learning how to prevent is the key. What people normally learn in martial art class is basically defense. Anyone just teaching offense means they just don't know how to defend themselves; splendid name but NO go.
I wonder why to date, there has been only one hack of Linux and that was in a Lab! lol

Should be plain as day why the NSA (National Security Agency) picked Linux as their OS of choice. First off they WROTE SecureLinux that has now been integrated into the Linux kernel we can get for free. Microsoft refused to let have code-able access to their kernel because it's simply not OPEN SOURCE!

Neither is Apple's hybrid kernel or Unix. So all they gave M$ and its users is a set of security guidelines. That's why DoE and IBM are using Linux to run the most powerful super computers on earth. Linux is number in SECURITY!

Google it and you'll find out also why Google uses Open Source, while over 90% of HPC (high performance computing) Computers and Clusters run on LINUX. Have any of you ever thought about what the majority of web servers run on? Yes Linux.... on Apache Servers!

Have you ever heard of Unbreakable Linux Servers? Oracle? Penguin Linux? and a host of others!

Linux and Open Source is everywhere you are or will ever want to be in the Future! Running your car, your game consoles, your cell phones, your dvr and cable boxes, Satellites, your Bank's web services, and the Web we're on right now with Apache being the most widely used Web Server today! grin
A lot of Russian characters and...

YES, you guessed it right, the word "windows" prominently displayed in red in the title.

Who would ever have thought of that?
But my UAC nanny screen will protect you!!
Wintel BSOD 28th Oct 2009
Honest!!

happy
The Russian Characters
eric.d.dobbs@... 28th Oct 2009
They actually mean something, and they end with the instructions about sending the SMS ransom. My Russian is very rusty, but I was able to make out that they are telling you that something is rotten with your version of Windows and you can fix that if you pay up and get the code for "aktivatsiyah."
Since encryption is available on all platforms, everyone will have to be guarded from this. Good thing CA found a fix already for the Microsoft Windows users; other platforms like Linux will have to suffer.
wrong as usual
pgit 28th Oct 2009
The encryption routine runs on the win32 API; Linux and Mac are totally unaffected.

quote:

"Naturally, by doing so he allowed CA’s researchers to release a free decryptor for Win32/Gpcode.J."

I have never seen any evidence this character knows the first thing about computers. We're talking zero comprehension.

Doesn't ZDnet have some kind of standards?

Don't they care about the kind of pollution that drives eyes away from this site, toward others with a more serious approach to the mission at hand?

I mean this clown is entertaining, if being agitated is your idea of entertainment.

But I for one am trying to get work done and learn a few things along the way. Getting to where there's no point in reading through these threads to find the information that is of value, because most of it devolves into flames and mud being hurled around.
I'm right
Loverock Davidson 28th Oct 2009
Encryption is on every platform, CA only made a fix for the Microsoft Windows platform. When your files get encrypted you'll be sorry.
How is a Win32 API...
Stuka 28th Oct 2009
...going to affect non-Windows OSes?

The fix that was released is only for Windows because this flaw only affects Windows.
You're wrong
leiko84 28th Oct 2009
I'm a professional programmer and I'm telling you. You are 1000000% wrong!!!
Meant for Loverock Davidson
leiko84 28th Oct 2009
A million times wrong!
He's just here to troll
Wintel BSOD 28th Oct 2009
Mark his air-headed posts as spam and move on...
awright then..
pgit 28th Oct 2009
..we're on the same page. Carry on, ol' chap.
I have to agree
skeptic tank 28th Oct 2009
I used to visit here pretty often but the articles are getting relatively lame and the talkbacks are a joke, typically dominated by obnoxious kids. I drop in maybe once a week now if that, since there are far better tech sites.
Too Flippin' Right
Murfski 29th Oct 2009
If people would drop the stupid OS wars, and apply that energy to figuring out effective methods of combating these cybercriminals, we would get a lot more useful posts. ANY system is vulnerable, if enough effort and knowledge are applied -- and it would seem that the bad guys have plenty of both. We're losing the war against malware, and you're wasting time on puerile insults.
Yet another ignorant M$ Windows user!!!
leiko84 Updated - 29th Oct 2009
Excuse me, do you know anything about computers? I mean how ignorant can you be? Linux IS 100% SAFE from THIS attack!!! You like it or not, it's true!!! Win32 stands for windows! WINDOWS you see??? It's a windows API. Which means it runs only under windows and unfortunately you are the one who's gonna suffer, not us!!!
Will all of you Linux users get over it for once!!! Linux is not 100% safe. Although there are not as many attacks on Linux systems as Microsoft systems, they are still out there. The same goes for you MAC users. Nobody has to suffer if they use common sense when surfing and downloading on the Internet. Sadly, the overabundance of ignorance amongst all people regarding common sense security is the major culprit of this ever-growing plague. The bottom line folks...try to think before you click...regardless of what O/S you are using!
watch out...
g-ssg-22738810691057158710505623722271 28th Oct 2009
... someone might accuse you of:

respect
courtesy
and common sense!

All of which are usually missing here.

cheers !!!
Safe
dev-null 28th Oct 2009
I believe he meant 100% safe from THIS attack, since apparently it uses Windows API's to do its dirty work. And yes - good old common sense is the best protection, unfortunately though, it cannot be downloaded and installed.......
Thank you dev-null
leiko84 28th Oct 2009
That's exactly what I mean!!! And it's she not he
Thank you again!!!
I never said THAT!!! Okay??? I said Linux is 100% SAFE from this LoroBot attack! Get it???
And someone else said Linux users will suffer. That's why I said if someone has to suffer from THIS attack, it won't be us, the Linux user. Get it???
And please don't attack me when I'm 100% right, okay? When someone else around here insists that THIS attack affects Linux users, cause you look exactly like him, a complete ignorant!!!
Relax
mstarks67 28th Oct 2009
I wasn't attacking anybody. I am just tired of the constant flaming that goes on in these forums based on what O/S is being used. My apologies if I have offended you.

Smart people do not worry about any form of infection. I have several systems at home, both linux-based and windows-based. The only system I have any form of protection installed is my new Win7 laptop. Sounds like a health commercial, but I am infection free and have been for several years now...LOL
It's ok!
leiko84 28th Oct 2009
>Smart people do not worry about any form of infection.

Totally agree!!!
Oh, geez
nordyj2001@... 28th Oct 2009
If you really believe Linux is 100% safe, you're either a zealot, ignorant, or both. Yes, Linux has a great track record. NO software is 100% safe. Uninformed users can allow exploits on any system, including your precious Linux. I won't deny that Windows has made it easier, but to say Linux is 100% safe is just mind numbing.
OMG!!!!!!!!!!!!!!
leiko84 Updated - 29th Oct 2009
And you my friend if you really believe that I was talking about Linux being 100% safe in general, and not being 100% safe from THIS attack then you're either blind, stupid, or both!!! Do me a favor read my posts first!
It's not rocket science, you know? I mean we're here to talk about this LoroBot attack and not about every single attack exists on every platform.
So what I said is: Linux is 100% safe from THIS attack. And IT'S TRUE you like it or not!!! For god's sake!!!
Word up!
Adimo 30th Oct 2009
You're absolutely correct happy
Macs are also...
arminw 1st Dec 2009
100% safe from THIS particular malware.
Linux is 100% safe...?
Tommy S. Updated - 29th Oct 2009
Nothing is 100% safe in the world of computing. Another clueless fanboy that likes to make a fool of himself for his beloved OS...

You are as credible as an Apple ad.
OMG!!!!!!!!!!!!!!!!
leiko84 Updated - 29th Oct 2009
I said Linux is 100% safe from THIS attack
Do me a favor read my posts first!!! For god's sake!!!
Do me a favor...
leiko84 29th Oct 2009
...read dev-null's post, titled: Safe!
You see what I mean???
Next time get your story straight!!! Okay???
And BTW...
leiko84 Updated - 29th Oct 2009
if someone's a fanboy here that's you!!! Okay?
A blind M$ fanboy, who can't read what others say and takes everything as an attack against his favorite O/S! As for this "clueless" thing you say, well we do have someone else around here that he is clueless, he goes by Loverock Davidson. And my posts were for him not for you! Now I hope you can see who's the one, likes to make a fool of himself for his beloved O/S!

So in your opinion I am as credible as an Apple ad.

And you.., in my opinion you are as stupid as your favorite O/S!
You're ...
ryans565 Updated - 29th Oct 2009
...definitely right! Those stupid people that seem to pop up everywhere are definitely one of the most annoying things, but what can we do? Nothing! Stupidity is vast. Therefore leave them alone, and move on; their case is desperate.
You can't fix everything.

Cheers
wow that's really harsh...
gabriel bear 2nd Dec 2009
"You are as credible as an Apple ad."

happy happy

Malware scams are just the tail-end of the trend towards value-less business.

Once, companies created the value they sold. If you bought a Blah-Blah jacket, it was actually made by the Blah-Blah company.

Then we moved to "big brands" that outsource manufacturing, slap on a worthless bit of brand fluff, and re-sell at a huge markup. Not much value added there.

So why not a totally bogus enterprise that contains all the mechanisms of commerce, with no product at all?

As to "ransomware", the precedent for this was the vandor (VANdal + venDOR) phenomenon, such as Product Activation that denies you service of a product because the code has decided you don't have the right to use it.

Google(activation Kafka cquirke) to see how that works happy

So the next logical step is to use the same sort of mechanics to demand payment, without any pretense at justice - simply because you can.

Welcome to the bottom of the slippery slope.

or something similar, I can't recall very well.
.... if you don't play by OUR rules and pay us a cut, your business won't succeed (even if you do it is iffy and subject to unfathomable fickle variables).
This current trend is only the tip of the iceberg.
jay_kuykendall@... 28th Oct 2009
Just imagine this as an excellent way to phish for your bank account information. You have a headache today when you are hit for $30, but tomorrow when you check your bank account you have a REAL headache when you discover that the $30 payment is suddenly every penny you have in checking.
Activation
dev-null 28th Oct 2009
You are comparing Microsoft trying to limit piracy of their product with intentional encryption of users' files in order to get payment?

Are you kidding?

You should stop using the "evil" MS Windows and switch to Ubuntu or something.
Valid comparison
rahbm 28th Oct 2009
Several of my friends who were still running Windows XP (at the time) have had WGA lock up their systems, and the MS response was to tell them to buy a valid copy.

All have decided not to pay the Microsoft ransom demand, especially as they had already paid for legitimate copies of Windows.

All are now happily running Ubuntu and enjoying the better performance, the greater range of useful utilities and the excellent price point.
If Microsoft's activation...
arminw 1st Dec 2009
scheme would actually prevent pirates from plying their nefarious trade, then it would be worth it. The reality is that it is only a minor speed bump for them to get over. As it is, Microsoft's so-called antipiracy measures are only an annoyance for honest people that pay for their software.
Thank you fellow commenters; the political/wall street pontificating is so very interesting, and before this comment stream degenerates into a Windows vs Mac smack-down, a simple question: Do the perpetrators of this kind of crime ever get caught or prosecuted?
I certainly don't hear of it very often. But I have wasted more than a couple of weekends helping non-savvy friends rebuild their systems (yes, Windows - big deal). I would like to see those convicted of this kind of crime serve an appropriate punishment - like cutting off both of their freaking hands.