A slew of ransomware has been detected by a number of security companies in the last few days.
Trend Micro researchers have spotted a ransomware variant that overwrites the Master Boot Record (MBR) – very similar to ones detected last year, and the year before that – and F-Secure, Bitdefender and Dr. Web researchers have all practically simultaneously discovered a variant that encrypts all documents, images and shortcuts.
The MBR-hijacking ransomware prevents the operating system from loading by overwriting the MBR with its own malicious code.
It then restarts the computer and shows a message to the user saying that the PC is blocked and requesting him to pay up 920 Ukrainian hryvnias (around $115) via QIWI payment service to a defined purse number in order to receive the code that unlocks the computer.
The file-encrypting ransomware variant detected by the aforementioned three security firms searches all folders on the system and encrypts almost everything found in them and adds the .EnCiPhErEd extension to the files.
It also drops in every folder a text file named HOW TO DECRYPT FILES.txt, which contains the instructions for getting rid of the ransomware:
And just so the user can’t miss it, the same warning pops up again in a window.
According to F-Secure, this particular piece of malware drops a copy of itself in the system’s temp folder with a random name.
“It creates registry entries to associate the .EnCiPhErEd extension with itself, so that the temp folder copy will be launched whenever those files are run, in order to demand the decryption password,” explain the researchers. “After five attempts it will no longer accept passwords. And it then deletes itself, leaving your data encrypted.”
They believe that the malware is being dumped on unsuspecting users via malicious tags in sites and forums.
Dr. Web researchers warn users who get infected with it not to reinstall their machines or try to restore the encrypted data on their own.
Instead, they ask them to contact the firm’s technical support and attach one of the encrypted files in the email, so that they may send them (free of charge) instructions for reverting the action of the malware.