Trojan Cryzip extorts decryption fee | Tech News on ZDNet

A Trojan making the rounds encrypts victims’ files and demands a $300 payment to have them decrypted and unlocked, according to a report by security firm Lurhq Threat Intelligence Group.

This so-called “ransomware” Trojan, dubbed Cryzip, is the second of its type to emerge in the past 10 months, following the PGPcoder Trojan. It also is the third such Trojan to appear since 1989.

Lurhq researchers noted Tuesday that the appearance within a year of two encryption Trojans may indicate they are part of an emerging trend in malicious software.

“Last year, we saw the PGPcoder, and anything that shows itself to be a viable way to make money, usually people start jumping on the bandwagon after that,” said Joe Stewart, senior security researcher for Lurhq.

The Cryzip Trojan will search for files, such as source code or database files, on infected systems. It then uses a commercial zip library to store the encrypted files. Security researchers, however, have yet to determine how the Trojan is distributed, noting it could come from a number of sources, including malicious Web sites, or enter through a previously created backdoor on a virus-infested computer.

I knew about the one in the last 10 months but I didn’t realize there had been one previous to that (since 1989) as noted in the article.

Here’s Symantec’s info on this baddy, Trojan.Cryzip:

Trojan.Cryzip is a Trojan horse that creates password-protected ZIP files on the compromised computer. It then issues a ransom demand to recover any affected files.

And check out the list of file types it encrypts:

Searches for files with the following extensions on fixed drives installed on the compromised computer, avoiding drives of type “UNKNOWN” and “CD-ROM”:

* .arh
* .asm
* .arj
* .bas
* .cdr
* .cgi
* .chm
* .cpp
* .db
* .db1
* .db2
* .dbf
* .dbt
* .dbx
* .doc
* .dpr
* .dsw
* .frm
* .frt
* .frx
* .gtd
* .gz
* .gzip
* .jpg
* .key
* .kwm
* .lst
* .man
* .mdb
* .mmf
* .mo
* .old
* .p12
* .pas
* .pak
* .pdf
* .pgp
* .pl
* .pwl
* .pwm
* .rar
* .rtf
* .safe
* .tar
* .txt
* .xls
* .xml
* .zip

Note: The Trojan also avoids folders containing the strings “SYSTEM” and “SYSTEM32”.

It’s still a low-risk threat according to Symantec, but being the second one in 10 months, I can certainly see why the article mentions a possible trend developing.

Backups have always been important, but it looks like they could end up playing even more of an important role than ever before.
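As an added defender-side example (my own code, not from the ZDNet article, the Symantec write-up, or the Trojan itself): a small triage script that looks for what Cryzip is described as leaving behind, password-protected ZIP entries whose names carry the extensions listed above. It uses only the Python standard library; the function names are mine, and the sample archive is constructed in code by forcing the ZIP “encrypted” flag bit on, since the stdlib cannot write real password-protected archives.

```python
import io
import os
import zipfile

# Extension list as quoted from the Symantec write-up above.
TARGET_EXTENSIONS = {"." + e for e in (
    "arh asm arj bas cdr cgi chm cpp db db1 db2 dbf dbt dbx doc dpr dsw frm frt frx "
    "gtd gz gzip jpg key kwm lst man mdb mmf mo old p12 pas pak pdf pgp pl pwl pwm "
    "rar rtf safe tar txt xls xml zip").split()}
ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0 in ZIP headers: entry is password-protected

def encrypted_entries(zip_source):
    """Names of entries flagged as encrypted; [] when the input is not a readable ZIP."""
    try:
        with zipfile.ZipFile(zip_source) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]
    except (zipfile.BadZipFile, OSError):
        return []

def at_risk_entries(names):
    """Keep only entry names whose extension is on the Trojan's target list."""
    return [n for n in names if os.path.splitext(n)[1].lower() in TARGET_EXTENSIONS]

def scan_tree(root):
    """Map each file under root (relative path) to its password-protected, target-type entries."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            flagged = at_risk_entries(encrypted_entries(path))
            if flagged:
                hits[os.path.relpath(path, root)] = flagged
    return hits

def make_sample_archive(entries, flag_encrypted=True):
    """Constructed sample ZIP (returned as BytesIO). The stdlib cannot write password-protected
    archives, so bit 0 is forced on in every local and central header when requested."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if flag_encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):  # flag field offsets
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + off] |= ENCRYPTED_FLAG
                pos = raw.find(sig, pos + 4)
    return io.BytesIO(bytes(raw))
```

Run `scan_tree("/path/to/check")` on a suspect host or a mounted image; archives that report hits are the ones to preserve for recovery rather than delete.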
