Antivirus2009 Holds Victim’s Documents for Ransom

Friday, March 20, 2009
By Ken

Security experts are warning that some new “scareware” programs, software that tries to frighten consumers into purchasing bogus security products, also encrypt the victim’s digital documents until he or she agrees to pay a $50 ransom demand.

Newer versions of the scareware family Antivirus2009 warn users in a fake Windows alert that files in the “My Documents” folder are corrupt. The program then directs the victim to download a program called “FileFixerPro” to fix the supposedly corrupt files.

In fact, this version of Antivirus2009 encrypts or scrambles the contents of documents in that folder, so that only users who pay $50 for a FileFixerPro license can get the decryption key needed to regain access to the files in their My Documents folder.

A number of security forums have chronicled the rise of this nasty development in scareware evolution. This thread, over at the “devshed” Web development forum, includes cries for help from a number of people who have apparently had their documents scrambled by this threat.

There is good and bad news here. The good news is the nice folks over at BleepingComputer.com, a very active computer-help forum, have posted detailed instructions on how to remove FileFixerPro. The bad news is that these instructions won’t help get a victim’s documents back.

But there is more good news: The folks over at FireEye have figured out how to decrypt documents scrambled by this thing, and have set up a free Web-based service where victims can upload documents to have them unscrambled. Alex Lanstein, senior security researcher at FireEye, said he hopes his team can soon release a tool users can download to help decrypt the entire My Documents folder.

This is the first time I’ve ever heard of scareware being bundled with so-called “ransomware,” but to some extent, purveyors of these scareware programs have been holding host systems hostage for several years now. They bombard users with incessant and increasingly deceptive messages about non-existent threats on the user’s system, prompts that only stop once the victim has relented and agreed to pay for a license for the scareware program.

This is an alarming new feature for scareware, which is one of the fastest-growing families of online threats out there today. According to a report released today by the Anti-Phishing Working Group, an industry consortium aimed at tackling cyber crime, the number of new rogue security programs increased 225 percent from 2,850 in July to 9,287 in December.

Alas, there is even more bad news: The crooks behind this scam could begin incorporating more robust encryption.

“If they had used a strong encryption method, such as something based on openssl toolkit, there wouldn’t be a prayer of decrypting the files without paying,” Lanstein said.

By Brian Krebs
