New ransom trojan takes data hostage

This interesting trojan is actually not as new as some IT security experts are claiming, as Sophos spotted one – Ransom-A – back in 2006 and there have been anecdotal reports about proof-of-concept trojans in this category for some time before that.

According to Mikko Hypponen, F-Secure's chief research officer, however, this one exhorts users to buy a product to repair the infected file that has been quarantined. "When the W32/DatCrypt trojan infects a computer, it makes it seem as if some files, such as Microsoft Office documents, video, music and image files have been 'corrupted', when the files have in fact been encrypted by DatCrypt", he said.

"Next the trojan creates what looks like an authentic message from Windows, advising the user to download and execute the 'recommended file repair software' called Data Doctor 2010."

F-Secure says that, if the utility is downloaded and executed, the user receives a message that it can "only repair one file in unregistered version".

In order to repair – or, more accurately, decrypt – more files, the IT security vendor says that the user has to buy the product for $89.95. After the money is paid, the software then returns access to the files.

Hypponen said that this trojan works in a very devious way, as the user is probably very relieved to get their files back and may not realise that they have just paid a ransom for their own files.

"The user may even recommend what seems like an excellent file recovery product to his friends. Similar ransomware tricks have also involved the File Fix Pro utility during the past year", Hypponen explained.

According to F-Secure, these criminal schemes only work if the user has not backed up his important files elsewhere. The company recommends that everyone backs up their important files regularly, either on removable media like CDs, DVDs or USB thumb drives, or with online resources.
