New computer scam holds your info for ransom
'Trojan' encrypts files, demands $200 for key
By Marsha Walton
(CNN) -- Computer criminals have launched a new type of online attack that encrypts a victim's files in place, then demands a ransom from the computer owner for the key needed to get the material back.
But security analysts believe the ransom demand will lead to the arrest of the crooks.
Encryption scrambles information so that it cannot be read without a secret key or password; that key is required to decrypt, or decode, the material, and without it the files are useless to their owner.
Security experts said such a scheme has been around for a while, but in the past it has usually been attempted by company insiders or the infamous "disgruntled former employee" with computer skills.
This is the first time that an automated program has been designed to attempt the crime, according to Mark Rasch, chief security counsel for Solutionary Inc.
"I'd be very surprised if the FBI does not catch this guy," said Rasch, who spent a decade directing the U.S. Department of Justice computer crime unit.
That's because a demand for payment means a victim must somehow interact with the "filenapper," increasing the possibility that some type of electronic "trail" will lead back to the culprit.
"The bad guy will have gone through many, many steps to conceal his identity, through pirated or hacked accounts," Rasch said.
But, he said, the e-mail is ultimately going to be associated with an IP (Internet protocol) address, and the criminal will have to have some way of collecting the ransom.
The malicious program, a Trojan (software that poses as something harmless so the victim will run it), was first identified by the San Diego, California-based security company Websense Inc. two weeks ago.
"We have had only one report from the field on this attack," said Dan Hubbard, senior director of security and technology research at Websense.
"We did find a report of a similar attack that was posted from a person in Russian on a newsgroup. The person claimed they had been victimized early this year," he said.
An accurate number of victims may never be known, because many people may be so embarrassed that they just pay the thief and never report it to authorities.
Rasch estimated the number of people targeted is probably in the hundreds, compared to many viruses and worms that can impact millions of people.
Researchers at PandaLabs, a computer security company based in Madrid, Spain, said the program encrypts files such as Microsoft Word documents (DOC), Web pages (HTML), images (JPG), Microsoft Excel spreadsheets (XLS) and ZIP and RAR compressed archives.
After the encryption is complete, the original files are deleted and a text note demanding $200 for the decryption key is left behind.
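The behaviour just described can be turned into a simple check. The Python scanner below is an added example written for this article, not code from Websense, PandaLabs or the Trojan itself. It reads the first 64 KB of each file, recognises the targeted binary formats by their header bytes, treats HTML as text, and flags anything that is left: a high-entropy blob with no recognisable structure, which is what a file looks like after it has been encrypted. The sample directory it builds is constructed here, and the example assumes the encrypted file kept its original name; the article does not say what the Trojan names its output.

```python
"""Heuristic scan for the file-encryption pattern described in the article (added example)."""
import hashlib
import math
import os
import tempfile
from collections import Counter

# File types the article says the Trojan targets.
TARGET_EXT = {".doc", ".htm", ".html", ".jpg", ".jpeg", ".xls", ".zip", ".rar"}

# Header bytes of the targeted binary formats. JPEG, ZIP and RAR are already
# compressed, so their bodies have high entropy; they must be recognised by
# header, not by entropy, or every photo and archive becomes a false positive.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # .doc/.xls container used by Office 97-2003
}
ENTROPY_LIMIT = 7.5  # bits per byte; 8.0 is the maximum, ciphertext sits just below it


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; text is around 4-5, ciphertext and random data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_text(data: bytes) -> bool:
    """True when nearly every byte is printable ASCII or whitespace (HTML, plain text)."""
    if not data:
        return True
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) > 0.95


def classify(data: bytes) -> str:
    """Label a file's first chunk: a known container, text, 'opaque' (high-entropy bytes
    with no recognisable structure, the signature of an encrypted file) or other binary."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    if looks_like_text(data):
        return "text"
    if shannon_entropy(data) > ENTROPY_LIMIT:
        return "opaque"
    return "binary"


def scan(root: str, head_bytes: int = 65536):
    """Walk root and return (path, reason) for every file that has become opaque."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(head_bytes)
            if classify(head) != "opaque":
                continue
            ext = os.path.splitext(name)[1].lower()
            kind = "targeted document type" if ext in TARGET_EXT else "unrecognised type"
            findings.append((path, f"{kind}, no known header, entropy {shannon_entropy(head):.2f} bits/byte"))
    return findings


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed sample data)."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]


def build_sample_dir() -> str:
    """Create a constructed victim directory: intact files of each kind plus one encrypted document."""
    root = tempfile.mkdtemp(prefix="filenapper-")
    samples = {
        "notes.html": b"<html><body><p>Quarterly notes</p></body></html>\n" * 40,
        "photo.jpg": b"\xff\xd8\xff\xe0" + _pseudo_random(4096),  # real JPEG bodies are high-entropy too
        "budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + _pseudo_random(2048),
        "report.doc": _pseudo_random(4096),  # header gone: the document was encrypted in place
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for path, reason in scan(build_sample_dir()):
        print(f"SUSPICIOUS {path}: {reason}")
```

Run against the constructed directory, only report.doc is reported; the photo and the spreadsheet pass because their headers are intact. On a real machine the header table has to cover every legitimately compressed or encrypted format present (PDF, PNG, password-protected archives and so on), otherwise those files show up as false positives.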
While the tactic is new and somewhat clever, Rasch says the same type of diligent personal and corporate security efforts used to combat other computer malware can go a long way to quash this threat.
It's the same short but critical list that computer security companies suggest with every Internet virus or worm: update anti-virus, anti-spam, and anti-spyware software on a regular basis.
Use a personal or corporate firewall. Don't download material from sites you are not certain about. Never click on an e-mail attachment you are not expecting, or from an unknown source.
The ransom scam targets a security hole in Windows software, but a patch, or fix, for that vulnerability has been available for months.
It is usually possible to set up a computer so that security updates are downloaded and installed automatically.
Rasch said what may be most important to remember in combating this threat is to back up critical material.
"And backing up does not mean putting another copy on your hard drive!" he said.
"When people are caught in a fire, what do they race to save? Photographs that are irreplaceable. And where are many people's photos these days? On their computers."
Physical backups should be made of all critical data, he said, and stored in a different place than with the computer.
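Rasch's two points, that a copy on the same disk is not a backup and that the copy must be kept elsewhere, can be enforced rather than just remembered. The Python script below is an added example for this article, not a tool from any of the people or companies quoted. It refuses to write a backup onto the same device as the source (by comparing the device IDs the operating system reports for the two directories), checks each copy against the original as it is written, and records a manifest of SHA-256 digests so the backup can later be verified before anyone relies on it. The manifest file name and the sample files are assumptions made for the example; the manifest format is the one `sha256sum -c` reads.

```python
"""Copy critical files to a separate device and record a hash manifest (added example)."""
import hashlib
import os
import shutil
import tempfile

MANIFEST = "MANIFEST.sha256"  # assumed name; one "<digest>  <path>" line per file, as sha256sum writes


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def on_separate_device(src: str, dst: str) -> bool:
    """A copy on the same disk is lost with the disk; compare the device IDs of the two trees."""
    return os.stat(src).st_dev != os.stat(dst).st_dev


def backup(src: str, dst: str, require_separate_device: bool = True) -> dict:
    """Copy every file under src into dst, check each copy landed intact, write the manifest."""
    if require_separate_device and not on_separate_device(src, dst):
        raise ValueError(f"{dst} is on the same device as {src}; use removable or remote storage")
    manifest = {}
    for dirpath, _, names in os.walk(src):
        for name in sorted(names):
            source = os.path.join(dirpath, name)
            rel = os.path.relpath(source, src).replace(os.sep, "/")
            target = os.path.join(dst, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(source, target)
            digest = sha256_file(source)
            if sha256_file(target) != digest:  # the copy did not land intact
                raise IOError(f"copy of {rel} does not match the original")
            manifest[rel] = digest
    with open(os.path.join(dst, MANIFEST), "w") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")
    return manifest


def verify(dst: str) -> list:
    """Re-hash the backup against its manifest and return the files that changed or vanished.
    A non-empty list means the backup itself was altered (or encrypted) and cannot be trusted."""
    bad = []
    with open(os.path.join(dst, MANIFEST)) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            path = os.path.join(dst, rel)
            if not os.path.isfile(path) or sha256_file(path) != digest:
                bad.append(rel)
    return bad


def run_demo() -> dict:
    """Constructed end-to-end run in a temporary directory: refuse same-device backup, then
    back up with the rule switched off (both trees live on the temp filesystem), verify,
    overwrite one copy the way an encryptor would, and verify again."""
    base = tempfile.mkdtemp(prefix="backup-demo-")
    src, dst = os.path.join(base, "docs"), os.path.join(base, "backup")
    os.makedirs(os.path.join(src, "photos"))
    os.makedirs(dst)
    with open(os.path.join(src, "report.doc"), "wb") as f:
        f.write(b"quarterly report, constructed sample")
    with open(os.path.join(src, "photos", "kid.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff" + b"\x00" * 64)
    result = {"same_device": not on_separate_device(src, dst)}
    try:
        backup(src, dst)
        result["refused"] = False
    except ValueError:
        result["refused"] = True
    result["files"] = sorted(backup(src, dst, require_separate_device=False))
    result["clean"] = verify(dst)
    with open(os.path.join(dst, "report.doc"), "wb") as f:  # simulate the backup copy being overwritten
        f.write(b"\x00" * 16)
    result["after_tamper"] = verify(dst)
    return result


if __name__ == "__main__":
    print(run_demo())
```

One caveat the script cannot enforce: a Trojan running with the user's privileges can encrypt a mounted backup drive as easily as the main disk, so the backup medium should be disconnected once the copy is done, and `verify` should be run before the backup is trusted for a restore.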