Here’s a new twist on an old malware tactic, in which a victim’s files are encrypted and more or less held for ransom. The malware usually pops up a helpful note or displays a web page that offers software to “fix” the problem.
According to a CNET article titled “New Trojan encrypts files but leaves no ransom note,” Symantec has identified a Trojan that the company calls Trojan.Ramvicrype. This malware encrypts files on Windows machines, leaving behind directories full of files with .vicrypt extensions. Windows soon begins displaying error messages because the Trojan has encrypted system files as well.
With no ransom note to follow, it’s up to the user to do a web search for vicrypt help - a search that may return a web site that sells software to decrypt .vicrypt files.
Of course, that software is probably loaded with more malware - and the victims are paying for it. PC World and Technologizer reported today that malware makers are organized, sophisticated - and targeting users who aren’t running antivirus or security software.
Symantec has developed and posted its own free tool to remove the infection and decrypt the files - it’s available as the Trojan.Ramvicrype Removal Tool.
Updated on 4 November 2009: In a Facebook comment about this article, Dale Chun suggested two freemium products that can detect and remove similar malware infections: Malwarebytes or Prevx. These products can handle multiple types of malware, while Symantec’s free removal tool is more specific.
Image by RobertBasil on Flickr via a Creative Commons license.