New ransomware locks PCs, demands premium SMS for removal

New ransomware locks PCs, demands premium SMS for removal

Summary: UPDATE: Another variant has been detected.Following the recently uncovered hybrid scareware with elements of ransomware, and last year's GPcode ransomware attacks, cybercriminals have once again demonstrated their interest in the concept of ransomware.

SHARE:

UPDATE: Another variant has been detected.

Following the recently uncovered hybrid scareware with elements of ransomware, and last year's GPcode ransomware attacks, cybercriminals have once again demonstrated their interest in the concept of ransomware.

PandaLabs is reporting on a newly discovered ransomware variant which locks the affected user's PC, and demands a premium SMS in order to deactivate it.

Trj/SMSlock.A doesn't have any self-propagation functions and appears to be coming under the form of a typical fake codec that has been affecting users for over a week now. The message (in Russian) demands that the affected user sends an SMS with the pseudo-unique number to the given number in order to receive deactivation code. From a monetization perspective, the approach is pretty similar to the recent Trojan-SMS.Python.Flocker mobile malware which was transferring account credit, and mimicking the original functionality of the RedBrowser mobile malware which was automatically sending SMS messages to premium-rate numbers in 2006.

Just how dangerous is SMSlock.A? Compared to GPcode, it's the work of less technically sophisticated people, making it fairly easy to bypass. Dr.Web has even released a generator for deactivation codes so that affected users don't have to pay.

Ransomware is not a fad, that's for sure. In fact, Trend Micro's Annual Threat Report: Cybercriminals are Working Faster than Ever stated that ransomware attacks are prone to increase in a targeted fashion during Q2 of 2009. And whereas the current variants do not have self-propagation functions, their primarily propagation vector remains the hundreds of currently active blackhat search engine optimization campaigns serving the ubiquitous fake codecs (Cybercriminals syndicating Google Trends keywords to serve malware; Massive comment spam attack on Digg.com leads to malware).

Topics: Hardware, Browser, Mobility, Security, Telcos

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

53 comments
Log in or register to join the discussion
  • Maybe I overestimate the average person's intelligence

    but I would think that anybody who has data that valuable as to pay a ransom to retrieve it would know exactly how to fix the problem without paying the ransom. And that those who don't have data that valuable would just as soon pay someone to reinstall the OS and programs.
    Michael Kelly
    • It's not maybe, you do overestimate...

      the average person's intelligence when it comes to computers.

      I know a few well off folks who think when Windows Update is done and asks for a restart that it's really just a hacker in disguise. They called me up a few time lately this past months and wonder why that MS Update screwed up their PC, they can't see email or a web page and don't know how they got "infected". I tell them to restart their systems and lo and behold, I fixed it! LOL

      I was nice, it was a freebie and I tell them to call me again when something happens. I figure I am banking some goodwill and that I will hear from them when something really happens down the road.

      Cheers!
      ThePrairiePrankster
      • If they are really that stupid, they shouldn't be allowed near a PC

        Enough said!
        Lerianis
        • RE: If they are really...

          I believe that acronym is:

          [b]YATFSTHAC[/b]

          or something close

          YATFSTHAC = [b]Y[/b]ou [b]A[/b]re [b]T[/b]oo [b]F[/b]------ [b]S[/b]tupid [b]T[/b]o [b]H[/b]ave [b]A[/b] [b]C[/b]omputer
          fatman65535
          • Or this....

            I
            D
            1
            0
            T

            They are ID ten T's indeed....LOL
            ThePrairiePrankster
        • Agreed!

          :-)
          ThePrairiePrankster
        • Or...

          You have to be smarter than the equipment before you're allowed to operate it.
          eric_s9
    • Huh?

      Everyone with valuable data is a tech wizard now? When did that happen?
      Mewshew
      • Or, perhaps...

        ...can afford to <i>hire</i> one?
        fairportfan
    • LMAO!

      That's a good one. Thanks for the smile!
      ejhonda
      • One of them was my Ma

        And I gotta be nice to her, you know? LOL
        ThePrairiePrankster
        • I wouldn't be

          If it was my mother, I can honestly say that I would be berating her for getting infected with something like this, with the NUMEROUS times I have told her to let me look at something (unless it's from RealArcade's main site) before installing it.
          Lerianis
        • Small victories

          I hear you on that - I finally have my parents instilled with the level of skepticism needed to stay safe(r). But my father now tells me stories of his co-workers and the rumors and bad security information that get passed around his workplace.

          Where does he work? (get ready...)

          IBM.
          ejhonda
    • Or the intelligence of the good guys .....

      Who haven't figured out yet who gets the revenue from the premium rate calls. Follow the money and lock up the people who handle it. Then slap the telco's wrist and get it relisted as a freecall number.
      Dr.C
  • When I saw ransomware in the title...

    I first thought you were talking about Microsoft lock-in. I guess everybody is trying to get at our money these days.
    kozmcrae
  • RE: New ransomware locks PCs, demands premium SMS for removal

    This is a problem only if you use WINDOWS.

    Why would anyone use Windows for surfing the web?

    Firefox, for example, is cross functional with other
    operating systems.
    gertruded
    • Because it's very, very securable

      "Why would anyone use Windows for surfing the web?"

      Why not? I've hunted more wild malware than you can imagine, using various Windows OSes, and I've racked up hundreds of thousands of infection-free machine-hours on a Windows fleet as a sysadmin. I'm satisfied with Windows securability. Vista's default setup is a decent starting point, and despite its age, WinXP has potential too.

      For those interested in what I meant by "securability," I've made a guide that's probably not beyond the comprehension of the audience here, and that's at http://www.mechbgon.com/security for those interested. Unlike most Windows security guides I've seen, it actually starts with the foundation: using a low-rights user account.

      [i]Microsoft MVP, 2006-2009
      SiteAdvisor Experienced Reviewer[/i]
      mechBgon
      • Windows is very securable

        And everyone should be using a 'low-rights' user account as much as they can. I personally don't because some games I play don't like standard user accounts and have to be played in Administrator mode to play right.
        Lerianis
        • Consider using RunAs, or Vista

          I know exactly what you mean regarding games. My Mechwarrior4 games (ironically a Microsoft product) will not run as a Limited user on WinXP, although they run fine as a Standard (non-Admin) user on Vista. That's because Vista has file-system and Registry virtualization, letting the program modify a *phantom* copy of the Registry to overcome these sorts of compatibility problems.

          If you're on WinXP for the near future, one option is to create an Admin-level account, give the account a password so RunAs can function, and then right-click the game and choose RunAs from the right-click menu (if you don't see RunAs, then hold your SHIFT key down while you right-click). Now you can run that program as the Admin-level account, while the rest of your user session remains safely at non-Admin level. If the game has per-user setup, you will need to set up your control layout and settings again.

          If your version of WinXP is XP Pro or MCE, you can also create a custom shortcut that'll always launch the game (or whatever program) as the Admin account. To do so, create a shortcut to the game/program, then right-click your shortcut and choose Properties. In its Properties panel, add [b]runas /user:[i]yourAdminAccount'sName[/i] /savecred[/b] at the beginning of the [i]Target:[/i] line, and change the [i]Start In:[/i] line to your non-Admin account's folder within C:\Documents and Settings. Now use the shortcut, type the password, and it'll remember it for future use when you use that shortcut.
          mechBgon
    • A Well Disguised Troll

      Is still a troll.

      Glad you could join us. Can we stick to the topic? Please?
      TheGooch1