Having your computer infected with a virus or other malicious software is upsetting enough. But having your files literally held hostage is even worse. A ransomware trojan attack infects the system, encrypts the files, and then demands payment from its victims. One of the first to receive wide publicity was the May 2005 discovery of the PGPcoder Trojan.
PGPcoder was originally propagated via malicious websites that exploited the HTML Help vulnerability (MS04-023) in order to infect susceptible systems with a downloader Trojan. In turn, the downloader Trojan installed the PGPcoder Trojan. PGPcoder encrypts files on local and mapped drives, then demands that $200 be paid to obtain a decryption key. In January 2006, antivirus vendor Kaspersky reported that the 29th variant of PGPcoder had been discovered.
The Cryzip Trojan was first discovered in March 2006. Cryzip stores documents found on the infected system in a password-protected zip file and extorts $300 in ransom money in order to allow those infected to regain access to their files.
The Ransom.A Trojan, discovered in April 2006, extorted $10.99 payable by Western Union to obtain an unlock key to remove the Trojan. According to antivirus vendor Sophos, the Ransom.A Trojan deletes one file every 30 minutes until the ransom has been paid.
Trojans used for DDoS attacks
The more traditional remote access Trojan has always played a key role in DDoS attacks, and many of these DDoS attacks are done for ransom. Victims are generally eCommerce sites that fall into the gambling, gaming, or banking/payment categories. Ransom demands generally start small (a few hundred dollars), enticing many victims to simply pay the attacker because the victim believes the cost of the ransom is far cheaper than the cost of thwarting the attack. This is a bad gamble: after the initial payment, further demands are typically made, with amounts increasing dramatically up to tens of thousands of dollars. Many victims are reluctant to risk media exposure, and thus this type of crime tends to go largely unreported.
Unfortunately, at least one commercial company employs tactics that some perceive as reminiscent of ransomware. Victims complain that MoviePass.tv (also known as MovieLand.com and MediaPipe) installs itself without their knowledge and displays intrusive pop-ups demanding a $99 licensing fee.
According to those who have encountered MoviePass.tv on their systems, there is no single uninstall entry in Add/Remove Programs, and the terms of the licensing agreement expressly prohibit uninstalling the software. Instead, posters to various self-help forums across the Internet maintain that victims must follow a specific set of MoviePass.tv removal instructions in order to fully remove the program and stop the incessant pop-ups.
Preventing ransomware Trojans
As with traditional forms of malicious software, the best defense is prevention. Don't assume you are safe from attack, or that you won't be a target, because of some 'special' circumstance. Firefox users, Mac users, and dial-up users frequently believe their systems are somehow invulnerable, but this is not the case. Take an active role in your own security by following these tips for safety.