New malware freezes computer until ransom is paid

By on May 7, 2012, 3:30 PM

The latest trend in malware doesn’t just flood your computer with annoying advertising or attempt to steal your banking information. Instead, it quite literally locks a system down and prevents the user from doing anything on it unless a ransom is paid.

The most recent "ransomware" was detected by abuse.ch and is delivered by a drive-by exploit kit called "Blackhole." The kit is sold cheaply on underground forums and infects systems by exploiting one or more security vulnerabilities in the web browser or in a plug-in such as Adobe Flash Player, Adobe Reader or Java.

Once infected, the target system becomes locked and users are presented with a bogus region-specific message about why the system is locked and how they can regain control. The ransomware is currently targeting systems in Austria, France, Germany, the Netherlands, Switzerland and the UK.

The UK variety tells the user that illegally downloaded music has been detected on their machine and attempts to incite fear by highlighting penalties that could result from such material. In this example, users are urged to use PaySafe to transfer £50 ($80) to unlock the computer.

Once payment is made, the system is "unlocked" and unsuspecting users are none the wiser. But in addition to collecting the ransom, the kit installs another piece of malware called Aldi Bot, which is used to steal login credentials and to launch DDoS attacks.

The malware author is suspected to be Russian, since all of the domain names involved point to a Russian web provider.

As always, the best defense against drive-by attacks is to keep your browser, plug-ins and anti-virus protection up to date.

Briefcase image from Shutterstock.




User Comments: 30

Lurker101 said:

And the quickest and cleanest way to get rid of it is to simply start Windows in safe mode and do a quick system restore to any point before the malware hit.

Guest said:

This isn't really new. Normally they do this under the guise of anti-virus software.

I think if malware creators thought about the consumer more and less about the money they might end up making more money. Instead of just locking down the system they should start by complimenting the user for choosing their malware instead of the competitors' malware. Maybe they can make some user-targeted downloadable content. If the user likes music they can download some viruses that play music. Or if the user likes to shop online maybe the malware can show items the user can attempt to buy. I think I could make malware way better than how these other people are doing it. You just need a real business plan.

Xero07 said:

And the quickest and cleanest way to get rid of it is to simply start Windows in safe mode and do a quick system restore to any point before the malware hit.

Yup, had something like this happen before.

H3llion H3llion, TechSpot Paladin, said:

And the quickest and cleanest way to get rid of it is to simply start Windows in safe mode and do a quick system restore to any point before the malware hit.

Aren't malware or other nasties often not affected by system restore and are still persistent when you rollback?

Might as well boot in safe mode and do a virus scan + mbam.

Guest said:

hello Hiren's boot cd :D problem fixed ;)

Guest said:

Yet another reason for backups.

bexwhitt said:

And the quickest and cleanest way to get rid of it is to simply start Windows in safe mode and do a quick system restore to any point before the malware hit.

I think this causes safe mode to blue screen, so a live CD or Windows Vista/7 install DVD is needed to sort this.

cliffordcooley cliffordcooley, TechSpot Paladin, said:

Cases like this are why I have my system booting to ISO images. One ISO image is Seagate DiscWizard, where I can do a complete system recovery.

Camikazi said:

If I ever got this I would just format and reinstall; my My Documents and Program Files folders are on a different drive anyway. I have nothing I made on my C drive, so a simple reinstall will fix it, or I can use one of my drive image backups I make every week and go back to before the virus. Simple to fix really.

Lionvibez said:

If I ever got this I would just format and reinstall; my My Documents and Program Files folders are on a different drive anyway. I have nothing I made on my C drive, so a simple reinstall will fix it, or I can use one of my drive image backups I make every week and go back to before the virus. Simple to fix really.

And why wouldn't the malware just to your other drives in the same system?

This would only really hurt a noob.

I have image backups of my rig; I don't use system restore.

I would be back up and running in about 15 mins.

Guest said:

How does it freeze your computer? Does it boot up like this web page? Or when you load your internet, does it say you have to pay before you can do anything?

Even if this happens to my computer, I will get it out. I mean, this is easy! I can just boot up in safe mode and remove the virus from there!

TomSEA TomSEA, TechSpot Chancellor, said:

Well, everyone posting here is pretty tech-savvy. Unfortunately, this could nail quite a few people who aren't quite as up on handling something like this. Especially elderly folks who don't do much more than check e-mails and look up pictures of their grandkids on some hosted site.

It would be nice if Interpol or some other multinational agency could track down and nail the scumbags who are doing this. Unfortunately, Russia has provided zero cooperation in stopping this type of hacking although there is proof all over the place that's where it's coming from. Same thing with China.

SNGX1275 SNGX1275, TS Forces Special, said:

If I ever got this I would just format and reinstall; my My Documents and Program Files folders are on a different drive anyway. I have nothing I made on my C drive, so a simple reinstall will fix it, or I can use one of my drive image backups I make every week and go back to before the virus. Simple to fix really.

I too keep Documents, Music, Pictures, Movies, and Program Files on a different drive from my Windows install. But having Program Files on another drive isn't going to help you any. If you have to wipe your "C" drive, all those Program Files are now worthless. They have important parts tied into the registry, which is now gone. Now, if you are going to restore your C from a regular backup, that is fine then and it will work. Just pointing out that if you really were going to just reinstall Windows from scratch, your Program Files aren't safe that way.

I just keep Program Files on a different drive because of habit, back in the 9x and early XP days I'd frequently reinstall the OS, and having my Program Files folder still there just was a convenient list to show me what I had installed. If I didn't want a program anymore (after reinstalling Windows) I'd just delete that directory.

captaincranky captaincranky, TechSpot Addict, said:

Stories like this always make me misty and nostalgic for the "good old days", of IE-6, and "Spyware Sheriff"......

Besides, if you're stupid enough to leave illegally downloaded music on the computer you downloaded it with, you pretty much have this coming, don't you?

PinothyJ said:

Well, everyone posting here is pretty tech-savvy. Unfortunately, this could nail quite a few people who aren't quite as up on handling something like this. Especially elderly folks who don't do much more than check e-mails and look up pictures of their grandkids on some hosted site.

I refuse to have sympathy for people who do not know how to use a computer properly. Call me arrogant, but you need a licence to drive a car or own a weapon (in any decent country) and I am of the opinion that if you want to use a computer then you should have the same level of basic understanding. Since there is no test you have to do to qualify for a machine, then I see things like this as those tests - adapt or die!

{sigh}...

ikesmasher said:

the title made this sound a lot cooler than it really is.

captaincranky captaincranky, TechSpot Addict, said:

the title made this sound a lot cooler than it really is.

And isn't that exactly what "good journalism", is supposed to do?

Tekkaraiden Tekkaraiden said:

I refuse to have sympathy for people who do not know how to use a computer properly. Call me arrogant, but you need a licence to drive a car or own a weapon (in any decent country) and I am of the opinion that if you want to use a computer then you should have the same level of basic understanding. Since there is no test you have to do to qualify for a machine, then I see things like this as those tests - adapt or die!

{sigh}...

Plenty of people have a driver's license and can't drive properly, so I'm not sure of the point you are trying to make.

captaincranky captaincranky, TechSpot Addict, said:

Plenty of people have a driver's license and can't drive properly, so I'm not sure of the point you are trying to make.

And still more don't care how they drive.....:eek:

Darth Shiv Darth Shiv said:

And the quickest and cleanest way to get rid of it is to simply start Windows in safe mode and do a quick system restore to any point before the malware hit.

Aren't malware or other nasties often not affected by system restore and are still persistent when you rollback?

Might as well boot in safe mode and do a virus scan + mbam.

Yes I'd think smart malware would be designed to handle safe mode and system restore. Full admin access allows a whole world of holes to exploit!

Guest said:

I live in Wales, UK. I had this lock on my laptop about 2 months ago. I tried to remove it with antivirus in safe mode but nothing happened. As long as I wasn't going online everything was fine; after I connected to my router and tried to put a web address in my browser, the lock appeared again. It told me to pay £100 to unlock my system. It was so believable, but fortunately I formatted my C and everything was sorted out.

Guest said:

This type of malware stops the explorer.exe shell process from starting, which is what gives you your desktop in Windows; it's usually fairly easy to remove. However, more advanced ones will install a rootkit to enable re-installation and other nefarious schemes.

The easiest way to remove it, other than formatting the drive, is to slave the drive to another computer and run the various malware scanners; most AVs don't detect these. Also run a rootkit scanner, as they're invariably installed.

As to how you get them? Mostly by visiting compromised websites and drive-by attacks, from what I've seen. The problem is you often don't realise you're on a compromised site these days, as it could be any website that uses a CMS.

Camikazi said:

If I ever got this I would just format and reinstall; my My Documents and Program Files folders are on a different drive anyway. I have nothing I made on my C drive, so a simple reinstall will fix it, or I can use one of my drive image backups I make every week and go back to before the virus. Simple to fix really.

I too keep Documents, Music, Pictures, Movies, and Program Files on a different drive from my Windows install. But having Program Files on another drive isn't going to help you any. If you have to wipe your "C" drive, all those Program Files are now worthless. They have important parts tied into the registry, which is now gone. Now, if you are going to restore your C from a regular backup, that is fine then and it will work. Just pointing out that if you really were going to just reinstall Windows from scratch, your Program Files aren't safe that way.

I just keep Program Files on a different drive because of habit, back in the 9x and early XP days I'd frequently reinstall the OS, and having my Program Files folder still there just was a convenient list to show me what I had installed. If I didn't want a program anymore (after reinstalling Windows) I'd just delete that directory.

Actually it makes reinstalling much faster; the installers tend to leave files alone that match what they were going to install. I have done this already and the reinstall took MUCH less time with Program Files on another drive.

Camikazi said:

Actually it makes reinstalling much faster; the installers tend to leave files alone that match what they were going to install. I have done this already and the reinstall took MUCH less time with Program Files on another drive.

Hit enter too fast :P My primary reason for having Program Files on a second drive is because my boot drive is a 60GB SSD and I tend to have big programs and games installed; the faster reinstall and no loss of preferences and custom files are just a bonus. I only have certain important programs actually on my SSD, the rest go to my secondary HDD.

amstech amstech, TechSpot Enthusiast, said:

Lol at the first comment.

System restore is an AWFUL way to remove any type of malware.

Guest said:

If only people didn't browse the internet and did pretty much anything on an administrator's account... I haven't had any serious issues with malware and viruses for years, the only crap I ever got was in the porn account [restricted, of course], which I had to wipe once, and problem sorted. And I download a lot of porn... [LOL]

Barry Kennedy Barry Kennedy said:

A) System Restore is the preferred backup method of viruses and malware. B) Most really well-written malware will still load in safe mode by creating a virtual device driver to allow at least some basic functionality when running in safe mode, as well as to shield a portion of its code from antivirus and anti-malware software.

MBAM isn't nearly as effective in safe mode, as many of the malware infection's components won't be loaded in memory, which is where most well-written exploits take place - in memory. Also, scanning your drive in another (non-infected) computer (known as offline scanning) is almost completely useless.

MBAM is a great tool, but it's not 100% effective, and even when it is, remediation needs to take place to really clean the system and to close any holes created.

The best methods to protect yourself are:

A) Don't be stupid. Exercise some critical thinking skills before forking over your credit info.

B) Frequent backups. Don't rely on System Restore. It creates a perfect, encrypted place for viruses and malware to back themselves up, and the OS graciously re-infects itself.

C) Good anti-virus. And by good, I mean good. As in Avast! Free, or Kaspersky.

D) Secure your browser...it is the number one infection point.

E) Sandbox, popup blockers, script blockers, flash blockers, etc.

F) Don't be stupid.

If you aren't in the IT field, you probably shouldn't hand out computer security advice, any more than I would ask a mechanic for medical advice. Most of the advice given here is just wrong, with a few exceptions.

I didn't cover every good, basic, common sense security tactic in my comments...but then you can use Google just as effectively as I can.

Google for example - "anti-virus real world protection scores" - it might be eye-opening. You could also try Googling "how can I protect my computer from malware"? Or, "how can I recover from a malware exploit"?

If you do get infected, you can usually head over to bleepingcomputer.com for some very good, very specific advice on how to remove a virus/malware infection the right way, and how to fix all of the traces left behind and problems created.

Finally, know your OS. Know every executable that should be running on your computer. Learn how to use the task manager to kill processes that shouldn't be running. Learn how to disable things from starting up that shouldn't be starting up.

Most importantly, get a BartPE or WinPE boot disc (mini Windows on a CD), and download a free copy of the SysInternals Suite of tools, every tool of which will run in Windows PE. Autoruns will enable you to hack out almost any startup settings for nefarious programs, and prevent them from loading at startup, even mutating infections.

Nothing hides from Autoruns...not even malware/virus infections hidden as device drivers.

That advice is also nonsense. I've seen Norton Anti-virus ads used as droppers for malware infections.

SNGX1275 SNGX1275, TS Forces Special, said:

[link]

captaincranky captaincranky, TechSpot Addict, said:

A) System Restore is the preferred backup method of viruses and malware. B) Most really well-written malware will still load in safe mode by creating a virtual device driver to allow at least some basic functionality when running in safe mode, as well as to shield a portion of its code from antivirus and anti-malware software.

MBAM isn't nearly as effective in safe mode, as many of the malware infection's components won't be loaded in memory, which is where most well-written exploits take place - in memory. Also, scanning your drive in another (non-infected) computer (known as offline scanning) is almost completely useless.

MBAM is a great tool, but it's not 100% effective, and even when it is, remediation needs to take place to really clean the system and to close any holes created.

The best methods to protect yourself are:

A) Don't be stupid. Exercise some critical thinking skills before forking over your credit info.

B) Frequent backups. Don't rely on System Restore. It creates a perfect, encrypted place for viruses and malware to back themselves up, and the OS graciously re-infects itself.

C) Good anti-virus. And by good, I mean good. As in Avast! Free, or Kaspersky.

D) Secure your browser...it is the number one infection point.

E) Sandbox, popup blockers, script blockers, flash blockers, etc.

F) Don't be stupid.

If you aren't in the IT field, you probably shouldn't hand out computer security advice, any more than I would ask a mechanic for medical advice. Most of the advice given here is just wrong, with a few exceptions.

I didn't cover every good, basic, common sense security tactic in my comments...but then you can use Google just as effectively as I can.

Google for example - "anti-virus real world protection scores" - it might be eye-opening. You could also try Googling "how can I protect my computer from malware"? Or, "how can I recover from a malware exploit"?

If you do get infected, you can usually head over to bleepingcomputer.com for some very good, very specific advice on how to remove a virus/malware infection the right way, and how to fix all of the traces left behind and problems created.

Finally, know your OS. Know every executable that should be running on your computer. Learn how to use the task manager to kill processes that shouldn't be running. Learn how to disable things from starting up that shouldn't be starting up.

Most importantly, get a BartPE or WinPE boot disc (mini Windows on a CD), and download a free copy of the SysInternals Suite of tools, every tool of which will run in Windows PE. Autoruns will enable you to hack out almost any startup settings for nefarious programs, and prevent them from loading at startup, even mutating infections.

Nothing hides from Autoruns...not even malware/virus infections hidden as device drivers.

That advice is also nonsense. I've seen Norton Anti-virus ads used as droppers for malware infections.

So, does this mean I should turn off my anti-virus (AVG), BEFORE I surf for porn.....?

Guest said:

Found this rather nasty little ploy attached to one of the many porn sites I frequent...

It pretends to be an INTERPOL announcement that you have been a very bad boy...

It locks up your computer and displays a page that demands a $ 300 payment to unlock it, with voice!

Not really easy to get rid of. Here's how I did it...

I installed a second copy of Windows XP and booted to it.

Navigated to the locked-up copy, then dropped a shortcut to MSConfig.exe into my user's Startup folder. I then backed out and booted to the locked system. When MSConfig started, I set 'Selective Startup' and unclicked 'Load Startup Items', hit 'APPLY', 'OK'. Then it locked up.

(It took me more than one try...)

Once successful, it rebooted normally.

Found this item where it should NOT have been...

C:\Documents and Settings\<your user name>\Local Settings\Application Data\build.exe

This was the main workhorse for this pest.

Other entries for it can be found here...

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Deleting this registry entry (the whole folder) will remove it from the 'Startup Items' list.

hklm\software\Microsoft\Windows\CurrentVersion\Shared Tools\MSConfig\startupreg\xA2oxSonRUjbG

Deleting 'Build.exe' will work, but I might try renaming an empty text file, setting the 'read-only/system' flags and replacing the original.

Checking the properties of 'Build.exe' gave a clue to the origin.... "From Russia, with Love...."

characters, not these words. ;)

(sigh)
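Two persistence details come up in these comments: the earlier Guest comment says this family stops the explorer.exe shell from starting, and the walkthrough just above found build.exe launched from the user's Local Settings\Application Data folder via the HKLM Run key. Both can be checked from a .reg export taken while the drive is slaved to a clean machine, which is the offline-scanning approach a commenter suggested. The script below is an added example, not code from the article or any commenter. The registry export it parses is constructed: the user name "alice", the value name "AudioDriverTray" and the "Contoso Audio" path are made up, while build.exe and the value name xA2oxSonRUjbG are the names from the walkthrough. The "random-looking name" heuristic is my own assumption about what a generated value name looks like, not a documented rule.

```python
"""Triage a Windows .reg export for two autostart tricks: a tampered Winlogon
"Shell" value (should be a bare explorer.exe) and Run-key entries that launch
binaries from a user profile's scratch folders.  Added example; the sample
export below is constructed, not captured from a real machine."""
import re

# Constructed .reg export in the format "reg export" writes (backslashes doubled).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\build.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDriverTray"="\"C:\\Program Files\\Contoso Audio\\tray.exe\" /minimized"
"xA2oxSonRUjbG"="C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\build.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" where either string may contain the .reg escapes \\ and \"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# A launch path inside a user profile's temp/app-data tree (XP and Vista+ layouts)
PROFILE_SCRATCH = re.compile(
    r'\\(Documents and Settings|Users)\\[^\\]+\\'
    r'(Local Settings\\Application Data|Local Settings\\Temp|AppData\\(Local|Roaming)|Temp)\\',
    re.IGNORECASE)


def unescape(s):
    """Undo .reg string escaping (doubled backslashes and backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return (key, value_name, data) tuples for every string value in the export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def looks_random(name):
    """Assumed heuristic for generated value names such as xA2oxSonRUjbG:
    no spaces, mixed case plus a digit, and at least four case flips."""
    if ' ' in name or len(name) < 8:
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return (any(c.isupper() for c in name) and any(c.islower() for c in name)
            and any(c.isdigit() for c in name) and flips >= 4)


def audit(entries):
    """Return (finding, value_name, data) for each suspicious autostart entry."""
    findings = []
    for key, name, data in entries:
        leaf = key.rsplit('\\', 1)[-1].lower()
        if leaf == 'winlogon' and name.lower() == 'shell':
            # Anything other than a bare explorer.exe either replaces the desktop
            # shell or runs an extra program alongside it at every logon.
            if data.strip().lower() != 'explorer.exe':
                findings.append(('winlogon_shell_tampered', name, data))
        elif leaf in ('run', 'runonce'):
            if PROFILE_SCRATCH.search(data):
                findings.append(('autostart_from_profile_scratch', name, data))
            if looks_random(name):
                findings.append(('random_value_name', name, data))
    return findings


if __name__ == '__main__':
    for finding, name, data in audit(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f'{finding:32} {name!r} -> {data}')
```

On the constructed export this reports the tampered Shell value once and the build.exe Run entry twice (once for the profile path, once for the generated-looking name) while leaving the Program Files entry alone. To use it on a real export, replace SAMPLE_REG_EXPORT with the contents of the file and feed the result of parse_reg_export() to audit(); the findings are leads for the manual review the walkthrough describes, not a verdict.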
