Ransomware is any malware that manages to make a computer system or any of the files on it inaccessible to the user and asks him or her to pay up if they want to regain access. Unfortunately for us all, two separate ransomware variants have been recently detected by Kaspersky Lab experts.
The first one is similar to the GpCode Trojan that has been detected in 2004 and whose variants have been making a regular appearance until 2008. It usually encrypts the data, and the chances of getting it back are low.
This new, improved version overwrites the data that has been encrypted instead of deleting it – making it impossible for the users to recover it with data-recovering tools.
The malware uses various encryption algorithms, and encrypts only part of the data. Kaspersky’s researcher advises victims not to make changes in their system if they notice they have been hit, until a solution to the problem of recovering the data is found.
He also points out that if you see the following text pop up in a text file on your computer or on your background image, you should immediately shut down the computer to prevent at least some of the data to be encrypted:
The second one piece of ransomware found today was one that overwrites the master boot record (MBR), reboots the victim’s computer, and shows this message:
Luckily for the victims, the claim that the drives and files are encrypted is false – the original MBR has only been overwritten with the malicious one, and the original is save on a sector of the disk.
The researcher offers two possible ways to restore the original MBR. First, you should try entering the password aaaaaaciip or aaaaadabia (depending on the variant of the malware), and if that doesn’t work, use Kaspersky’s tool for disk rescue. In any case, don’t visit the website mentioned in the message and pay the $100 to have your data back.