
Trojan.Ransomlock

Risk Level 1: Very Low

Discovered: April 15, 2009
Updated: May 2, 2014 11:29:29 AM
Also Known As: Trojan:W32/Agent.AF [F-Secure]
Type: Trojan
Infection Length: Varies
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP

Trojan.Ransomlock is a detection for Trojan horse programs that lock the desktop of a compromised computer, making it unusable.

The threat may arrive on the compromised computer by various means, such as visiting malicious sites, opening untrusted links or advertisement banners, or installing software from untrusted sources.

Various functions on the compromised computer are modified, ranging from inhibiting access to Task Manager to altering the master boot record (MBR) so that the operating system cannot start.

These programs attempt to convince the user to pay money in order to have their computer unlocked, and use a variety of techniques to pressure the user into paying the ransom.


Infection

This threat is distributed through several means. Malicious websites, or legitimate websites that have been compromised, may drop the threat onto a computer; this drive-by download often happens without the user noticing. Another method used to propagate this type of malware is spam email containing infected attachments or links to malicious websites. The threat may also be downloaded manually by tricking the user into thinking they are installing a useful piece of software. Ransomware is also prevalent on peer-to-peer file sharing websites and is often packaged with pirated or illegally acquired software.


Functionality
The primary objective of the threat family is to make money. These programs lock the compromised computer, preventing the user from accessing their files. Once the computer has been locked, the threat displays a notice page requesting that money be paid in order for the computer to be unlocked. The amount of money requested can vary from a few dollars to several thousand dollars. Payment is usually requested through an anonymous online payment method or by texting a premium-rate phone number.

It is worth noting that if the ransom is paid, there is no guarantee that the malware authors will unlock the compromised computer.

The programs often claim to be from governmental or law enforcement agencies, and tell the user that illegal or compromising material has been found on the computer.



The Trojan may be installed manually or without the user's knowledge. Once installed, the threat may execute every time the computer is started, even in safe mode. Input devices, such as the keyboard and mouse, may be disabled to prevent interaction with the compromised computer.

The message displayed by the threat can be localized depending on the user's location, with text written in the appropriate language. Depending on the variant, the Trojan may only display a message in the language spoken by its authors, or in the language of the country that was the main target of the attack.
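The following triage script is an added example and is not part of the Symantec writeup. It checks the two Windows registry locations that commonly implement behaviours described above (blocking Task Manager, and running a service in Safe Mode); the writeup names the behaviours but not the registry locations, so those locations are assumptions about typical mechanism, not indicators published by Symantec.

```powershell
# Added example (not Symantec's code). Run from an elevated PowerShell prompt
# on the machine being examined. The registry locations below are the usual
# Windows mechanisms for the behaviours the writeup describes; the writeup
# itself does not name them, so treat them as a starting point for triage.

function Test-TaskManagerPolicy {
    # DisableTaskMgr = 1 under the per-user or machine-wide Policies\System key
    # stops Task Manager from opening. Few legitimate environments set this on
    # a home machine, so a value of 1 is worth explaining.
    $paths = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
        if ($v -eq 1) {
            [pscustomobject]@{ Check = 'DisableTaskMgr'; Location = $p; Value = $v }
        }
    }
}

function Get-SuspiciousSafeBootEntries {
    # Only services and driver groups listed under SafeBoot\Minimal and
    # SafeBoot\Network start in Safe Mode. The set is normally fixed Windows
    # components; a service entry whose binary lives in a user-writable
    # directory (Temp, AppData, a user profile) deserves a closer look.
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $name = $_.PSChildName
            # Driver-group entries are GUIDs with no Services key; they are skipped here.
            $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
            if ($svc -and $svc.ImagePath -match '\\(Temp|AppData|Users)\\') {
                [pscustomobject]@{ Check = "SafeBoot\$mode"; Service = $name; ImagePath = $svc.ImagePath }
            }
        }
    }
}

Test-TaskManagerPolicy
Get-SuspiciousSafeBootEntries
```

No output means neither check fired; it does not prove the machine is clean, since a locker may use other persistence routes not covered here.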


Video
For a concise overview explaining how these threats work along with some basic advice on how to avoid them, Symantec has produced a short video.





GEOGRAPHICAL DISTRIBUTION

Symantec has observed the following geographic distribution of this threat family.






PREVALENCE
Symantec has observed the following infection levels worldwide in the past seven days.




SYMANTEC PROTECTION SUMMARY
The following protection is provided by Symantec against this threat family.


Antivirus (Signature)


Antivirus (Heuristic)


Browser Protection
  • Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.


Intrusion Prevention System

Antivirus Protection Dates

  • Initial Rapid Release version April 15, 2009 revision 016
  • Latest Rapid Release version June 24, 2014 revision 006
  • Initial Daily Certified version April 15, 2009 revision 016
  • Latest Daily Certified version April 24, 2014 revision 023
  • Initial Weekly Certified release date April 15, 2009

Threat Assessment

Wild

  • Wild Level: Medium
  • Number of Infections: 50 - 999
  • Number of Sites: 3 - 9
  • Geographical Distribution: Medium
  • Threat Containment: Moderate
  • Removal: Moderate

Damage

  • Damage Level: Medium
  • Payload: Displays a message demanding payment to restore the compromised computer to its previous condition.
  • Degrades Performance: Locks the desktop making the system unusable.

Distribution

  • Distribution Level: Low

Writeup By: John-Paul Power
