
New Wave of Dangerous Ransomware Engulfs the Internet

December 1, 2010

Kaspersky Lab warns users about two highly dangerous new ransomware programs sweeping across the Internet that could potentially wipe data from victims’ computers


One of the malicious programs is a new variant of the infamous GpCode Trojan. It targets files with a wide variety of extensions, including doc, docx, txt, pdf, xls, jpg, mp3, zip, avi, mdb, rar, and psd, and encrypts them without the user’s authorization. The corresponding Trojan-Ransom.Win32.GpCode.ax signature was added to Kaspersky Lab’s antivirus database on 29 November.

Trojan-Ransom.Win32.GpCode.ax spreads via infected sites, exploiting vulnerabilities in Adobe Reader, Java, QuickTime Player, or Adobe Flash. Unlike previous versions of GpCode, which date back to 2004, this Trojan doesn’t delete files after encrypting them. Instead, it overwrites the data in the files, making it impossible to use data-recovery software to restore the original data. The program uses the strong RSA-1024 and AES-256 crypto-algorithms.

Kaspersky Lab experts are carefully analyzing the new version of GpCode and investigating possible ways to restore data on affected machines.

The second ransomware program, detected by Kaspersky Lab earlier this week, is a Trojan that infects the master boot record (MBR) of a compromised computer. Two signatures were added to the company’s antivirus databases: Trojan-Ransom.Win32.Seftad.a for the dropper and Trojan-Ransom.Boot.Seftad.a for instances when the MBR is infected. After infection, the malicious program overwrites the boot area and then demands that the computer’s owner make a payment for a password that will restore the MBR. If an incorrect password is entered three times, the infected computer reboots and the Trojan repeats its demand for money.

Users of Kaspersky Lab products with up-to-date antivirus databases are protected from both of these ransomware Trojans. The company also recommends that users regularly update all the software installed on their computers in order to close any vulnerabilities.

The results of Kaspersky Lab’s analysis of both ransomware Trojans are available at: www.securelist.com.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
