Security researchers have discovered a dangerous piece of ransomware attacking computers around the world.
Experts at the security firm Kaspersky Lab noted in a blog post today (Nov. 29) that they have been notified of computers infected by ransomware. A type of malware, ransomware holds a computer system, or its data, hostage against its user, and then demands a type of ransom for its return: wiring payment to the hacker or urging the user to buy a fake removal tool, for example.
The new ransomware, called Trojan-Ransom.Win32.GpCode.ax, is similar to the infamous GpCode trojan virus detected by Kaspersky Lab in 2004 and again in 2008. However, whereas Kaspersky Lab researchers said they were able to recover and decrypt data affected by the GpCode trojan in 2008, the new GpCode ransomware is a new breed, and a cause for serious concern.
Kaspersky Lab said that, "unlike the previous variants," the new ransomware "doesn't delete files after encryption. Instead it overwrites data in the files, which makes it impossible to use data-recovery software such as PhotoRec, which we suggested during the last attack."
Users who become victims of the new GpCode will often receive a pop-up, or have their desktop backgrounds replaced by this message: "ATTENTION!!!!!! YOUR PERSONAL FILES WERE ENCRYPTED WITH A STRONG ALGORYTHM RSA-1024 AND YOU CAN’T GET AN ACCESS TO THEM WITHOUT MAKING OF WHAT WE NEED!"
The ransom message ends with, "REMEMBER: DON’T TRY TO TELL SOMEONE ABOUT THIS MESSAGE IF YOU WANT TO GET YOUR FILES BACK! JUST DO ALL WE TOLD."
Kaspersky Lab suggests immediately shutting down or restarting your computer if you receive the ransom message, and warns users who receive the pop-up not to click on any links.
UPDATE: Kaspersky Lab has discovered another piece of ransomware, called Trojan.Win32.Oficia.cw. The new malware hijacks a computer's master boot record, and demands a ransom for its return.