Wednesday, September 25, 2013

Filecoder: Your data is being held at ransom

Filecoder Trojans encrypt user files and demand a ransom from the victim in exchange for a decryptor utility. This is a different approach from the better-known lockscreen ransomware, which blocks the desktop with a message designed to scare the user into paying to regain access to the computer.

Filecoders are not a new phenomenon, but ESET has observed a significant increase in Filecoder activity this summer.

ESET detects this malware category under family names such as Win32/Filecoder and Win32/Gpcode.

ESET LiveGrid telemetry shows that Win32/Filecoder detections have risen by 200% in just the last few months. From January to June 2013 detections stayed at their usual level; the spike that began in July is alarming.

Russia is the most affected country, but these campaigns are active throughout the world.


Infection Vectors

Cybercriminals distributing Filecoder ransomware use various methods to get the malware onto victims' systems:
  • Drive-by downloads from malware-laden websites
  • E-mail attachments
  • Installation by another Trojan-downloader or backdoor already on the machine
  • Manual installation by an attacker who already has remote access (the most damaging case)
In one scenario seen with Win32/Filecoder.Q (and later Win32/Filecoder.AA and Win32/Filecoder.W), the Trojan was spread through backdoors such as the Poison Ivy RAT. Victims were sent the Poison Ivy backdoor by e-mail; once they were enticed to execute it, the backdoor contacted its C&C (command and control) server and waited for commands, and the attacker then sent the Filecoder Trojan to the infected machine.

The Trojan was not stored as a file on the hard drive but run directly in memory, which leaves no file on disk for an on-demand scan to find.

In other cases the attacker installed the Filecoder ransomware manually over RDP (Remote Desktop Protocol), after gaining access to the target machine through a weak password or through credentials captured by other means, for example a keylogger.

With that level of access the attacker can also disable the antivirus protection before installing the malware.
Manual installation is in fact required for some variants, which need "user interaction" from the attacker to set the encryption password.
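The RDP break-in described above leaves a trail in the Windows Security log long before any file is encrypted: a burst of failed logons (Event ID 4625) from one source address, followed by a successful logon (Event ID 4624) from the same address, both with logon type 10 (RemoteInteractive, i.e. RDP). The check below is an added example written for this post, not code from ESET or the blog; the event records are constructed to look like Security log entries reduced to the five fields the check needs, and the threshold and time window are assumptions.

```python
"""Flag RDP password guessing that ends in a successful logon.

Added example (not from the ESET write-up or this blog). The events below are
constructed sample data in the shape of Windows Security log records reduced
to the fields the check needs; they are not real logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10          # RemoteInteractive: a Terminal Services / RDP session
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624

# Constructed sample: (timestamp, event id, logon type, account name, source address)
SAMPLE_EVENTS = [
    ("2013-08-14 02:10:01", 4625, 10, "administrator", "198.51.100.23"),
    ("2013-08-14 02:10:04", 4625, 10, "administrator", "198.51.100.23"),
    ("2013-08-14 02:10:07", 4625, 10, "admin",         "198.51.100.23"),
    ("2013-08-14 02:10:11", 4625, 10, "administrator", "198.51.100.23"),
    ("2013-08-14 02:10:15", 4625, 10, "administrator", "198.51.100.23"),
    ("2013-08-14 02:10:19", 4625, 10, "administrator", "198.51.100.23"),
    ("2013-08-14 02:10:23", 4624, 10, "administrator", "198.51.100.23"),  # weak password guessed
    ("2013-08-14 09:02:40", 4625, 10, "jsmith",        "203.0.113.8"),    # one typo, then success
    ("2013-08-14 09:02:55", 4624, 10, "jsmith",        "203.0.113.8"),
    ("2013-08-14 11:30:00", 4625, 2,  "svc_backup",    "127.0.0.1"),      # console logon, not RDP
    ("2013-08-14 13:00:00", 4625, 10, "root",          "192.0.2.77"),
    ("2013-08-14 13:00:02", 4625, 10, "root",          "192.0.2.77"),
    ("2013-08-14 13:00:05", 4625, 10, "root",          "192.0.2.77"),
    ("2013-08-14 13:00:07", 4625, 10, "root",          "192.0.2.77"),
    ("2013-08-14 13:00:09", 4625, 10, "root",          "192.0.2.77"),
    ("2013-08-14 13:00:12", 4625, 10, "root",          "192.0.2.77"),
]


def find_rdp_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return {"compromised": [...], "attempted": [...]}.

    compromised: (source, account, failures) for each successful RDP logon that
                 was preceded by >= threshold failures from the same source
                 inside the sliding window. Treat the account as compromised.
    attempted:   sources that reached the threshold without succeeding, worth
                 blocking at the firewall before they get lucky.
    Threshold and window are assumed values; tune them to your environment.
    """
    recent = defaultdict(deque)          # source address -> recent failure times
    compromised, attempted = [], set()
    for ts_str, event_id, logon_type, account, src in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue                     # ignore console, service and network logons
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        failures = recent[src]
        while failures and ts - failures[0] > window:
            failures.popleft()           # drop failures that fell out of the window
        if event_id == EVENT_LOGON_FAILED:
            failures.append(ts)
            if len(failures) >= threshold:
                attempted.add(src)
        elif event_id == EVENT_LOGON_SUCCESS and len(failures) >= threshold:
            compromised.append((src, account, len(failures)))
    # A source that eventually got in is reported once, under "compromised".
    compromised_sources = {entry[0] for entry in compromised}
    return {
        "compromised": compromised,
        "attempted": sorted(attempted - compromised_sources),
    }


if __name__ == "__main__":
    for kind, hits in find_rdp_password_guessing(SAMPLE_EVENTS).items():
        print(kind, hits)
```

On the sample data this reports 198.51.100.23 as having guessed the administrator password after six failures and 192.0.2.77 as still trying; the single typo from 203.0.113.8 is below threshold and stays quiet. One caveat for production use: when Network Level Authentication is enabled, failed RDP attempts are commonly logged with logon type 3 (network) rather than 10, so a real detection should match both types and, ideally, also read the RemoteDesktopServices operational log.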


Encryption Methods

Various ciphers are used, including:
  • Blowfish - a keyed symmetric block cipher
  • AES - the Advanced Encryption Standard, based on the Rijndael cipher
  • RSA - a public-key algorithm whose security rests on the difficulty of factoring large integers
  • TEA - the Tiny Encryption Algorithm, a block cipher that can be implemented in a few lines of code
The encryption key is handled in one of three ways:
  • Hard-coded in the binary
  • Entered manually by the attacker, via a command line or dialog box
  • Randomly generated on the victim's machine and sent to the attacker
Which of these a variant uses decides whether files can be recovered without paying: a key that is hard-coded in the sample can be pulled out by an analyst and used to build a decryptor, whereas a random key that exists only on the attacker's side cannot be recovered from the victim's machine.
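To make the key-handling difference concrete, here is an added example written for this post (not code from ESET, and not the file format or constants of any real Filecoder sample, which are unknown here). It implements TEA as published (64-bit block, 128-bit key, 32 rounds), runs it in counter mode so no padding is needed, and then encrypts a "file" under each of the three key sources in the list. The 4-byte-nonce file layout, the `FCKEY:` marker used to find the hard-coded key, the SHA-256 passphrase derivation and the attacker-side key store are all assumptions made for the demonstration.

```python
"""TEA-based file encryption under the three key-handling schemes listed above.

Added example, not code from ESET or from any Filecoder sample. TEA is
implemented as published; the file format, key marker, passphrase derivation
and "C&C" key store are assumptions made for the demonstration.
"""
import hashlib
import os
import struct

DELTA = 0x9E3779B9        # TEA's golden-ratio constant
MASK32 = 0xFFFFFFFF
ROUNDS = 32


def tea_encrypt_block(v0, v1, k):
    """Encrypt one 64-bit block (two 32-bit words) with the 128-bit key k[0..3]."""
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
    return v0, v1


def tea_decrypt_block(v0, v1, k):
    """Inverse of tea_encrypt_block (counter mode below never needs it)."""
    s = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        s = (s - DELTA) & MASK32
    return v0, v1


def bytes_to_key(key_bytes):
    """Split 16 key bytes into the four 32-bit words TEA works on."""
    return struct.unpack(">4I", key_bytes)


def tea_ctr(data, key, nonce):
    """Encrypt or decrypt in counter mode: keystream block i = TEA(nonce, i)."""
    out = bytearray()
    for i in range(0, len(data), 8):
        keystream = struct.pack(">II", *tea_encrypt_block(nonce, i // 8, key))
        out += bytes(a ^ b for a, b in zip(data[i:i + 8], keystream))
    return bytes(out)


def encrypt_file(data, key_bytes):
    """Assumed file layout: 4-byte random nonce, then the CTR ciphertext."""
    nonce = struct.unpack(">I", os.urandom(4))[0]
    return struct.pack(">I", nonce) + tea_ctr(data, bytes_to_key(key_bytes), nonce)


def decrypt_file(blob, key_bytes):
    nonce = struct.unpack(">I", blob[:4])[0]
    return tea_ctr(blob[4:], bytes_to_key(key_bytes), nonce)


# 1. Key hard-coded in the binary. FAKE_BINARY is a constructed blob standing in
#    for a Trojan executable; an analyst finds the key by looking at the sample.
KEY_MARKER = b"FCKEY:"                                   # assumption
HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
FAKE_BINARY = b"MZ\x90\x00" + bytes(range(64)) + KEY_MARKER + HARDCODED_KEY + bytes(64)


def extract_hardcoded_key(binary_image):
    """Recover the key from the sample itself; this is why such variants are decryptable."""
    pos = binary_image.find(KEY_MARKER)
    if pos < 0:
        return None
    start = pos + len(KEY_MARKER)
    return binary_image[start:start + 16]


# 2. Key typed by the attacker in a dialog box or on the command line. Deriving
#    it from a passphrase with truncated SHA-256 is an assumption.
def key_from_passphrase(passphrase):
    return hashlib.sha256(passphrase.encode()).digest()[:16]


# 3. Random key generated on the victim, sent to the attacker and kept only there.
ATTACKER_KEY_STORE = {}                                  # stands in for the C&C side


def encrypt_with_random_key(data, victim_id):
    key = os.urandom(16)
    ATTACKER_KEY_STORE[victim_id] = key                  # "sent" to the attacker
    return encrypt_file(data, key)                       # the victim keeps only the blob


if __name__ == "__main__":
    doc = b"Quarterly report: revenue up 12%"
    blob = encrypt_file(doc, HARDCODED_KEY)
    print(decrypt_file(blob, extract_hardcoded_key(FAKE_BINARY)) == doc)  # recoverable
    blob2 = encrypt_with_random_key(doc, "victim-1")
    print(ATTACKER_KEY_STORE["victim-1"] in vars().values())              # only the attacker has it
```

The first two cases are the ones where a free decryptor is possible: a hard-coded key can be lifted from the sample, and a passphrase-derived key can be attacked with a dictionary if the attacker chose badly. In the third case the victim's machine never holds anything but ciphertext and a nonce, so the only recovery path that does not involve the attacker is a backup.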
It is also a good idea to password-protect the settings of any anti-malware software on your computer, so that an attacker with remote access cannot simply switch it off before installing the malware.


Equally important: back up your computer regularly (an offline backup is the only sure way to get files back once a strong per-victim key has been used), keep your anti-virus software up to date and check that its settings are correct.



Source: Filecoder: Holding your data to ransom - We Live Security, September 23, 2013
