Blog for hpHosts, and whatever else I feel like writing about ....

Monday, 8 June 2009

FireEye: Ransom - Pay me more - Part II

Ransom - Pay me more - Part II

I recently got an important clue as to how this ransom deal takes place between a victim and these cyber criminals. One reader who became a victim of this ransomware dropped an email to the ransom guy at the address otrazhenie_zla@mail.ru to get his files recovered. This was the response from that guy:

"Transfer into account pay pal 50 dollars here email pay pal otrazhenie_zla@mail.ru"

Interestingly, instead of asking him for the standard $10 ransom (as mentioned in his earlier message), he asked for $50; typical criminal mentality, isn't it? Unfortunately his greed doesn't end here. This malware instance came bundled in a fake 'SWF video codec' file. Upon execution, this setup file installs three different pieces of malware on the victim's machine, including this ransomware.


1. 5f9927ee59b4881a2ce8634332f63fa8

Trojan Encoder, the one that encrypts the user file and asks for ransom in return.

2. 010d7b79d002d747f420a7880f89ee38

A password-stealing Trojan that uploads the user's personal information to a remote command-and-control server (antivirusubdate.no-ip.biz) using an obfuscated protocol on TCP port 3460.

3. 010d7b79d002d747f420a7880f89ee38
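The indicators in the list above (the sample MD5s, the C2 hostname and port, and the ransom e-mail address from the reader's exchange) are what a defender would actually hunt for. What follows is an added example, not code from the FireEye post or from hpHosts, that matches those indicators against log lines. The log line formats, IP addresses, host names and paths in it are constructed for illustration, and rating a bare outbound TCP/3460 connection as only a medium-confidence hit (raised to high when the same client has just resolved the C2 name) is my own design choice, since nothing in the post says the port is unique to this malware.

```python
# Added example, not code from the FireEye post or the hpHosts blog: match the
# indicators quoted in the post (two MD5s, C2 hostname, TCP port, ransom
# e-mail address) against log lines. The log formats, hostnames, IPs and
# paths below are constructed for illustration.
import re
from typing import Dict, List, Optional

# Indicators taken from the post.
IOC_MD5 = {
    "5f9927ee59b4881a2ce8634332f63fa8": "Trojan Encoder (file-encrypting ransomware)",
    "010d7b79d002d747f420a7880f89ee38": "password-stealing Trojan",
}
IOC_C2_HOST = "antivirusubdate.no-ip.biz"
IOC_C2_PORT = 3460
IOC_RANSOM_EMAIL = "otrazhenie_zla@mail.ru"

# Assumed (made-up) log formats, one record per line:
#   <ts> dns <client-ip> <queried-name>
#   <ts> fw <src-ip>:<sport> -> <dst-ip>:<dport> <proto>
#   <ts> mail from=<addr> to=<addr>
#   <ts> av <host> <path> md5=<hash>
DNS_RE = re.compile(r"^(?P<ts>\S+) dns (?P<client>\S+) (?P<qname>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) fw (?P<src>[\d.]+):(?P<sport>\d+) -> "
                   r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$")
MAIL_RE = re.compile(r"^(?P<ts>\S+) mail from=(?P<from>\S+) to=(?P<to>\S+)$")
AV_RE = re.compile(r"^(?P<ts>\S+) av (?P<host>\S+) (?P<path>\S+) md5=(?P<md5>[0-9a-fA-F]{32})$")

# Constructed sample records (not real traffic).
SAMPLE_LOGS = [
    "2009-06-08T10:01:02 dns 10.0.0.5 www.example.com",
    "2009-06-08T10:01:09 dns 10.0.0.5 antivirusubdate.no-ip.biz",
    "2009-06-08T10:01:10 fw 10.0.0.5:49211 -> 198.51.100.7:3460 tcp",
    "2009-06-08T10:02:00 fw 10.0.0.9:49300 -> 203.0.113.4:443 tcp",
    "2009-06-08T10:03:00 fw 10.0.0.9:49301 -> 203.0.113.9:3460 tcp",
    "2009-06-08T10:05:00 mail from=victim@corp.example to=otrazhenie_zla@mail.ru",
    "2009-06-08T10:06:00 av WS05 C:\\Users\\bob\\setup.exe md5=5F9927EE59B4881A2CE8634332F63FA8",
    "2009-06-08T10:06:01 av WS05 C:\\Windows\\notepad.exe md5=0123456789abcdef0123456789abcdef",
]


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per matching line, in input order.

    A bare outbound connection to TCP/3460 is only a weak indicator (the port
    is not reserved for this malware), so it is reported as 'medium' unless
    the same client already resolved the C2 hostname, which makes it 'high'.
    """
    hits: List[Dict[str, str]] = []
    resolved_c2 = set()  # client IPs that looked up the C2 hostname

    for line in lines:
        hit: Optional[Dict[str, str]] = None
        if (m := DNS_RE.match(line)):
            if m["qname"].lower().rstrip(".") == IOC_C2_HOST:
                resolved_c2.add(m["client"])
                hit = {"severity": "high",
                       "reason": "DNS lookup of known C2 host " + IOC_C2_HOST}
        elif (m := FW_RE.match(line)):
            if int(m["dport"]) == IOC_C2_PORT and m["proto"].lower() == "tcp":
                if m["src"] in resolved_c2:
                    hit = {"severity": "high",
                           "reason": f"outbound TCP/{IOC_C2_PORT} from a client that resolved {IOC_C2_HOST}"}
                else:
                    hit = {"severity": "medium",
                           "reason": f"outbound TCP/{IOC_C2_PORT} (port used by the stealer's C2 channel)"}
        elif (m := MAIL_RE.match(line)):
            if IOC_RANSOM_EMAIL in (m["from"].lower(), m["to"].lower()):
                hit = {"severity": "high",
                       "reason": "mail exchanged with ransom address " + IOC_RANSOM_EMAIL}
        elif (m := AV_RE.match(line)):
            name = IOC_MD5.get(m["md5"].lower())  # hashes are case-insensitive
            if name:
                hit = {"severity": "high", "reason": "known sample MD5: " + name}
        if hit:
            hit["line"] = line
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"[{h['severity']:6}] {h['reason']}\n         {h['line']}")
```

Run against the constructed sample, the scan flags five records: the DNS lookup, the TCP/3460 connection from the host that made that lookup (high), a TCP/3460 connection from an unrelated host (medium only), the outbound mail to the ransom address, and the dropper whose MD5 matches the Trojan Encoder sample even though the AV log wrote the hash in upper case.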


Read more
http://blog.fireeye.com/research/2009/06/ransome-pay-me-more-part-ii.html
