Original URL: http://www.theregister.co.uk/2009/03/25/scareware_ransomware/
Scareware package incorporates file ransom trickery
Double dipping
Posted in Crime, 25th March 2009 11:42 GMT
Cybercrooks have combined two threats with a fake anti-virus package that holds files for ransom.
The malware comes in the guise of a utility called Antivirus2009 that claims to have located corrupted files on affected systems. Prospective marks are told they need to download a package dubbed FileFix Professional to recover these files.
In reality, Antivirus2009 is responsible for encrypting the supposedly corrupted files, targeting documents in a blighted user's My Documents folder. FileFix Professional unscrambles this content but only after users pay $50 for software of dubious utility.
Antivirus firms are adding detection for both dubious packages. Computer help forum BleepingComputer.com has detailed instructions (http://www.bleepingcomputer.com/virus-removal/remove-filefix-professional) on how to remove FileFix Professional from infected systems. That advice alone isn't enough to recover scrambled files. Fortunately, however, web security firm FireEye has established a free Web-based service to recover encrypted files, as explained in its write-up of the threat here (http://blog.fireeye.com/research/2009/03/a-new-method-to-monetize-scareware.html). Trend Micro has screenshots of the malicious utility FileFix Professional here (http://blog.trendmicro.com/data-for-ransom-syndicates-strike-online).
The incorporation of scareware and ransomware tactics represents an evolution in the development of rogue security (AKA scareware) packages. The number of rogue anti-malware programs in circulation rose from 2,850 in July to 9,287 in December 2008, a three-fold increase in the space of just six months, according to the latest figures (http://www.antiphishing.org/reports/apwg_report_H2_2008.pdf) from the Anti-Phishing Working Group. ®
