Thread Trend begin with Ransomware (Filefix case)
Posted by Hari Saryono on 3 April 2009
Scareware, which scans your computer, finds nothing, then cons you into sending in money to fix a fake vulnerability, has been done before. However, the latest version of Vundo does this and adds a twist. Vundo is "ransomware." It uses polymorphism to mask the executable every time it runs. The software searches your computer looking for PDFs, JPGs and Microsoft Word documents. Once identified, the software encrypts them, then prompts the user to purchase FileFix Pro 2009 to decrypt the files, all for a mere $40.
FireEye, a company that protects critical data, IP and networks against zero-day attacks, has been able to decrypt the files that Vundo encrypts. A researcher at the company has written a Perl script that will decrypt any file Vondu encrypts and make it readable again, free of charge (see this latest post).
What bothers me with this type of ransomware tactic is that this software actually does damage to your files and then tries to charge you to fix them. I am sure that it won’t be long until someone writes ransomware that uses strong encryption, like sha256, that encrypts your whole hard drive and holds it captive, all for a mere $1,000.
I think the business implications of this are obvious. If a large company were to become infected, it could be catastrophic. What complicates the detection of this Trojan is that it’s polymorphic, meaning that it can change its function and footprint every time it runs.
FireEye has made its decryption application available to the public. However, you have to submit your files to them for decryption. I think this is ridiculous. So you either have to show Vundu "The Money" or FireEye "My Files"? I found several tools that can decrypt these files on your PC or server.
Aron Atwater from Dalhousie University wrote this batch decryptor:
Symantec has released a file decryptor:
As with all software like this, run it at your own risk. The lesson for organizations is this: Keep your users educated about the risk of opening e-mail from unknown sources. Users are our weakest link, but our loudest complainers when something goes wrong. Even if it was their fault.