Scareware meets ransomware: "Buy our fake product and we'll decrypt the files"


Summary: A newly pushed scareware, File Fix Professional 2009 (FileFix Pro 2009), has the potential to influence how spreaders of rogue security software optimize their revenue in the future: by encrypting critical business files and demanding a $50 purchase of the fake software in exchange for decryption.


This piece of hybrid ransomware is strongly reminiscent of the targeted GPCode campaigns of June 2008, where the authors' leverage was undermined by their failure to securely wipe the original files after encrypting them, so victims could recover the deleted originals with ordinary file-recovery tools without paying.

Thankfully, FileFix Pro 2009's encryption is anything but unbreakable, and several vendors have already released free decryption tools. When run, FileFix Pro 2009 attempts to encrypt files with the following extensions:

- doc, xls, ppt, pdf, jpg, jpeg, png, mp3, wma, mdb, pst, docx, docm, dotx, dotm, xlsx, xlsm, xltx, xltm, xlsb, xlam, pptx, pptm, potx, potm, ppam, ppsx, ppsm
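Before running any vendor decryptor it helps to know which files were actually touched. The following triage script is an added example, not code from the article, FireEye, Symantec or the malware itself: it walks a directory, and for every file carrying one of the extensions listed above checks whether the content still begins with that format's well-known signature bytes (OLE2 for legacy Office, a ZIP local-file header for OOXML, `%PDF`, the PNG/JPEG/ASF/Jet/PST signatures). A targeted file that no longer starts with its expected signature is reported as a suspect. The extension list is the article's; the signature table is general file-format knowledge and an assumption about what "encrypted in place" looks like, not anything FileFix Pro exposes. The sample tree it builds is constructed for the demonstration.

```python
"""Triage which FileFix Pro 2009-targeted files no longer look like their own format.

Added example: not code from the article or from any vendor's decryptor.
"""
import os
import tempfile
from typing import Dict, List, Tuple

# Extensions the article says FileFix Pro 2009 tries to encrypt.
TARGETED_EXTENSIONS = frozenset("""
doc xls ppt pdf jpg jpeg png mp3 wma mdb pst docx docm dotx dotm xlsx xlsm
xltx xltm xlsb xlam pptx pptm potx potm ppam ppsx ppsm
""".split())

OLE2 = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",)  # legacy Office compound file
ZIP = (b"PK\x03\x04",)                          # OOXML container (zip)

# Well-known leading bytes per format (general knowledge, assumed here);
# a file encrypted in place will not start with these.
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    "pdf": (b"%PDF",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),  # ID3 tag or frame sync
    "wma": (b"\x30\x26\xb2\x75\x8e\x66\xcf\x11",),            # ASF header GUID
    "mdb": (b"\x00\x01\x00\x00Standard Jet DB", b"\x00\x01\x00\x00Standard ACE DB"),
    "pst": (b"!BDN",),
}
for _ext in ("doc", "xls", "ppt"):
    MAGIC[_ext] = OLE2
for _ext in ("docx", "docm", "dotx", "dotm", "xlsx", "xlsm", "xltx", "xltm",
             "xlsb", "xlam", "pptx", "pptm", "potx", "potm", "ppam", "ppsx", "ppsm"):
    MAGIC[_ext] = ZIP

# Every targeted extension must have a signature, or the scan silently skips files.
assert TARGETED_EXTENSIONS == frozenset(MAGIC)


def classify(name: str, head: bytes) -> str:
    """Return 'ok', 'suspect' or 'untargeted' for a file name and its first bytes."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in TARGETED_EXTENSIONS:
        return "untargeted"
    if not head:
        return "suspect"  # truncated to zero bytes is also worth a look
    return "ok" if head.startswith(MAGIC[ext]) else "suspect"


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk root and classify every file; returns (path, verdict) pairs sorted by path."""
    results: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(32)  # longest signature above is 19 bytes
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            results.append((path, classify(fn, head)))
    return sorted(results)


def suspects(root: str) -> List[str]:
    """Base names of files in root that carry a targeted extension but a foreign header."""
    return [os.path.basename(p) for p, v in scan_tree(root) if v == "suspect"]


def build_sample_tree() -> str:
    """Constructed sample: intact PDF and docx, an xls that looks encrypted, and a txt."""
    root = tempfile.mkdtemp(prefix="filefix_triage_")
    samples = {
        "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
        "memo.docx": b"PK\x03\x04\x14\x00\x06\x00",
        "budget.xls": bytes(range(32, 64)),  # constructed: no OLE2 header, as if encrypted
        "notes.txt": b"plain text, not a targeted extension",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, verdict in scan_tree(sample_root):
        print(f"{verdict:10s} {path}")
```

Run it against a copy of the affected share, not the originals, and treat the output as a scoping list rather than proof: a signature mismatch only says the bytes are not what the extension promises. Mislabelled files (an RTF saved as .doc, a GIF renamed .jpg) show up as suspects too, and a file the malware skipped or only partially processed may still classify as "ok". The point is to know how many files to hand to the vendor decryptor and which ones to restore from backup instead.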

A logical question remains: why introduce the ransomware motive into a business model that has already proven highly successful, earning cybercriminals thousands of dollars daily? The economic slowdown affecting their revenues, or plain profit optimization? I'd go for the second; it is a rather logical move given all the media attention rogue security software has started receiving.

From visual social engineering to traffic acquisition tactics, the affiliate networks set the standards by which the participants in the network operate. If this tactic goes mainstream, the affiliate network that first implements it on a large scale will be able to steal market share from competing networks, because the ransomware motive improves payout rates. So far, that doesn't seem to be the case.

FireEye Labs, Symantec, and third-party researchers have already released free decryption tools for FileFix Pro 2009 that affected parties can take advantage of.


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

49 comments
  • I imagine this is targeted ONLY to Windows platforms :-)

    As soon as I read this I looked over at my wife and said "God I'm glad we left Windows!" The more I read of this crap the happier I am I switched.
    devlin_X
    • No Fanbois, This tester did it on a Linux/Firefox setup.

      http://blog.fireeye.com/research/2009/03/a-new-method-to-monetize-scareware.html
      So don't drop your guard just yet.

      The death of one diminishes us all. I don't praise one OS over another. As all human built systems are inherently flawed. Remember while you're point at something/one there are 3 fingers pointing back at yourself.

      My wife can get by on Ubuntu, I can not.

      Since there's not enough users of <insert your OS here> to be profitable for malware scumbags. You may be less of a target. But you have less compatibility with popular programs and must settle for substitutes, dual boot, or do without.

      Anytime anyone tries to warn us about some evil, fanbois from all sides start crawling out of the woodwork going "SEE SEE SEE". At least you didn't attack the messenger.
      invmgr
      • RE: No Fanbois, This tester did it on a Linux/Firefox setup.

        Followed your link and I don't see where it says this was done on a linux machine. The relevant quote appears to be: "Below you can see the webpage for the "fix", FileFixPro.com... which they clearly did not QA on FireFox 3 under Linux." I followed links from that page and they all seemed to be about Windows and Microsoft Office files. I may have missed what you were referring to. Could you provide quote from web site or a link to elsewhere which describes its actions on Linux with Firefox or any other browser?
        richdave
      • No he didn't!

        Failed at reading comprehension?
        InAction Man
      • Shocker your link says nothing about Linux

        Nice try!

        "Since there's not enough users of <insert your OS here> to be profitable for malware scumbags. You may be less of a target. But you have less compatibility with popular programs and must settle for substitutes, dual boot, or do without."

        Can your Windows machine run Linux apps? Can it run Mac apps? I think your point is worthless. I can however run most Windows apps thanks to utilities such as Wine, Cedega, Win4Lin and others. What cross-platform utility do you have to make use of Linux apps? Hmmmm.... didn't think so. I will say though the open source community has made nice inroads in the world of Windows.... Who needs proprietary software?
        http://osswin.sourceforge.net/
        devlin_X
        • Duh?!?

          Why would you want to run shareware-quality Linux apps on a Windows machine, for God's sake?

          I don't know where you people get the idea that people want Linux apps, or most open source software for that matter. It's 90% crapware and nobody except the amateurs on this site want it.

          I'll take paid for software over crapware-apps any day of the week.

          Oh, and maybe those in Linux-denial mode could explain what OS shell that person in the link used to get the Windows desktop looking like that. My Windows taskbar certainly doesn't look like it (in either XP or Vista), but when I used Linux, it looked much more like that. 4 virtual desktop areas, looks like Linux to me.

          Or aren't you clued up enough to recognise GUI details? Or maybe you are and that's the whole point?
          LeeC
          • Of course...

            ...it was a Linux machine. He said so.

            Probably he was using the Linux machine to investigate it because he could download the Trojan without worrying it might actually do some damage.

            As to paid-for software being better than free/open-source: I assume you'd buy a Lincoln Town Car over a Mercury Marquis, because it costs more and therefore must be better. (Clue: Town Car and Marquis are just a Ford Crown Vic with fancier trim and doodahs.)
            fairportfan
          • Shareware quality apps?

            That is a bunch of bunk.

            You can continue paying your huge premiums for software if you wish, and paying the tax every time a new upgrade comes out. OpenOffice is open source and I love it. TrueCrypt, love it. Gimp, Aptana, XMind, Password Safe, Firefox, Thunderbird, VirtualBox, and more. In fact all of these I have listed are Windows compatible as well.

            I am not going to go into a pissing match over what is good for industry or not, as every industry is different. The fact is whether you are running Windows, Apple, or a *nix or BSD kernel, each can be equally productive. Having flame wars over it is not productive. Several Disney Pixar movies were made and produced using Linux. Many of the MINOS researchers run Linux, others use Windows and Apple.

            Sorry but I don't think that there is a one size fits all. And the ability to run an app on a given platform lies with the dev. Any software written for Windows could be written to run just as well and identically on other platforms and vice versa.

            So the Flame war is artificially created.
            Snooki_smoosh_smoosh
    • Will somebody PLEASE write a virus for *nix

      Will somebody PLEASE write a virus for *nix / Mac so we can quit hearing this kind of crap from fanboiz
      dmarston
      • Here.

        http://www.geekzone.co.nz/foobar/6229

        Do it yourself, it's easy.
        kozmcrae
      • They already have them...

        The issue is trying to find them for *nix.

        Macs can easily get a few that are floating around right now.

        The main issue is social engineering the end user into installing them with root privileges.
        dayjm
  • Of course, if you had a decent backup regimen...

    ...this wouldn't be such a problem.
    JohnMcGrew
    • Backup

      yes, yes, yes
      lynnguist
  • The seriousness of this problem is being overly exaggerated

    People do have a choice. They can avoid this problem entirely if they want. If they choose to expose themselves to software abuse it is their choice and we must respect that.
    InAction Man
  • RE: Scareware meets ransomware:

    DOA. The user would need to get infected first; Microsoft Windows prompts you whether you want to run any file before actually opening it. Plus the fix is already out. Malware writers waste their time on Windows, as its security has proven to beat them every time.
    Loverock Davidson
    • Well for users who understand the security

      I spent two hours this Sunday fixing a friend's computer after he "somehow" installed Antivirus 2009, which then installed a plethora of other crap.
      Been_Done_Before
      • Hence the reason...

        the UAC is useless.
        Dave32265
        • UAC is unsafe.

          People will click Yes anyway. If a site tells them they are getting free emoticons, they believe they are getting free emoticons.

          In Linux, even when the user accepts it, it doesn't do anything, because it does not have the privileges. Besides, it's hard to convince a Linux newbie to run it under root, since he probably won't even know how to get there. Security by obscurity might not be good, but it's at least better than the Windows protections.
          jamsoftgamedev
    • Right...

      That's why this isn't a problem.

      I believe that Dancho's point is that the malware authors are getting ever more crafty in their approaches to parting a fool and his money.
      Timpraetor
    • RE: Scareware meets ransomware:

      @Loverock Davidson: Uhm, it's the scripting/Java tools built into most browsers (and the Chrome "sandbox" was already broken out of not once, but twice, using these) that allow most infections of scareware/ransomware. I've seen far too many of these on all kinds of machines. If third-party tools/helpers/plugins allow a macro/script language to run and create/download files on the user's machine, that will be exploited.
      RyuDarragh