By Jennifer LeClaire TechNewsWorld
06/02/06 11:10 AM PT
Sophos has cracked the code to unlock files held hostage by Archiveus ransomware. The security software firm warned users on Thursday about the Trojan horse, which encrypts victims' computer data and then attempts to force users into making a purchase from an online pharmacy.
Archiveus is not the first example of ransomware. In March 2006, the Zippo Trojan horse demanded US$300 for the safe return of users' encrypted data. The following month, the Ransom-A Trojan horse threatened to delete stolen files one by one until a ransom was paid.
"Internet hackers are getting bolder in their attempts to steal money from innocent Web users. Once your valuable data is locked away, you may be tempted to pay up to rescue your files, but this will only encourage more blackmail attempts in the future. Companies that have made regular backups may be able to recover easily, but less diligent home users may feel forced to cough up the cash," said Graham Cluley, senior technology consultant for Sophos.
Password Trickery
The Troj/Arhiveus-A Trojan horse (also known as MayAlert) gathers the files in the victim's "My Documents" folder into a single password-protected file called EncryptedFiles.als. The originals are no longer accessible; in their place users find a file containing instructions on how to recover the data.
The instructions begin: "INSTRUCTIONS HOW TO GET YOUR FILES BACK READ CAREFULLY. IF YOU DO NOT UNDERSTAND - READ AGAIN."
The document goes on to explain to the victim that his or her computer caught its software while browsing illegal porn pages, and all their documents, text files and databases in the folder My Documents are archived with a "long password."
The document then tells victims that they cannot guess the password because it is more than 30 characters long. Password-recovery programs, the hacker adds, would fail to find it even by trying every possible combination.
Threatening Files
"Do not try to search for a program that encrypted your information -- it simply does not exist in your hard disk anymore. Reporting to police about a case will not help you, they do not know the password. Reporting somewhere about our e-mail account will not help you to restore files. Moreover, you and other people will lose contact with us, and consequently, all the encrypted information," the document reads.
To retrieve their files, which may include personal photographs, letters, household budgets and other content, victims must enter a password of more than 30 characters that the hackers make available only after the victims make purchases from one of three online drug stores.
Cracking the Code
Sophos experts have recovered the password that locks the archive. The hackers deliberately made it long and complicated to discourage victims from trying to crack it, Cluley explained. Its length is beside the point, however: the Trojan uses the same password for every infection, so once it was extracted from the malware itself it unlocks every victim's archive without any guessing. The 38-character password is: mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw.
Sophos recommends that companies protect their e-mail with a consolidated solution to thwart virus, spyware and spam threats like these, and secure their desktops and servers with automatically updated antivirus protection.
More Ransoms to Come?
"Today, most of the viruses and Trojan horses we see are being written with the intention of making money, and we wouldn't be surprised to see much more ransomware being written in the future," Cluley said. "Attacks are becoming more organized and more malicious, and every computer needs to be properly defended with up-to-date antivirus software, firewalls and operating system patches."
Ken Dunham, senior engineer at VeriSign's (Nasdaq: VRSN) iDefense, however, does not anticipate seeing a sharp rise in ransomware because it is not as profitable as other types of online financial fraud.
"Ransomware can be broken. We've never seen an actual extortion type code become widespread in the wild, so it would not likely spread to a large number of people. It may be limited to just a few users," Dunham told TechNewsWorld. "Automated bots send out e-mail worms that can allow you to steal credentials and credit card numbers of potentially thousands of users."