Ransomware: Extorting Money by Panic and Pressure

We have blogged in the past about Ransomware being a growing menace and advised that ONE SHOULD NOT PAY RANSOM if affected. Ransomware has now reared its ugly head once again. The writers of Trojan.Ransomlock.G (a.k.a. Reveton) have updated their lock screen to induce panic and to blackmail the user into paying the ransom.

Recently, blogger Kafeine found a ransomware sample which threatens to format and wipe all the documents on the compromised system if the user attempts to unlock the computer manually.

Figure 1. New Trojan.Ransomlock.G lock screen

Symantec Security Response analyzed the malware sample and did not find any code related to this wiper functionality. In our tests, we also manually removed the ransomware from the system and unlocked the computer without the system being formatted or any files being deleted.

If we take a close look at the image, there are three major changes to the lock screen compared to the lock screen the attackers were using a month ago.

Figure 2. Updates to the Trojan.Ransomlock.G lock screen

The following changes were made:

  1. Attackers added a fake warning (to format the operating system and delete all documents)
  2. Attackers increased the ransom amount (from $200 to $300)
  3. Attackers introduced a countdown timer (to allow only 48 hours to pay the ransom)

This is an attempt to extort money from computer users by taking advantage of human weakness under panic and pressure. If you are affected by Trojan.Ransomlock.G, DO NOT PAY THE RANSOM. Instead, refer to our removal instructions. For more details on Ransomware, read our whitepaper.