Breaking Bad Themed Crypto-Ransomware Found In The Wild

Breaking Bad Themed Crypto-Ransomware Found In The Wild

A Breaking Bad themed crypto-rasomware (Trojan.Cryptolocker.S) is found infecting computers in Australia, according to the security firm Symantec. The malware encrypts images, videos, documents, and more as soon as it infects a computer. Then it demands up to AU$1,000 (US$791) to decrypt these files.

It targets files with the following extensions for encryption:
  • .ai
  • .crt, .csv
  • .db, .doc, .docm, .docx, .dotx
  • .gif
  • .jpeg, .jpg
  • .lnk
  • .mp3, .msi
  • .ods, .one, .ost
  • .p12, .pdf, .pem, .pps, .ppsx, .ppt, .pptx, .psd, .pst, .pub
  • .rar, .raw, .rtf
  • .tif, .txt
  • .vsdx
  • .wma
  • .xls, .xlsm, .xlsx, .xml
  • .zip

Affected computers displays the below ransom demand message (see the image below):

Symantec security response wrote, "We believe that the crypto-ransomware uses social engineering techniques as a means of infecting victims. The malware arrives through a malicious zip archive, which uses the name of a major courier firm in its file name. This zip archive contains a malicious file called 'PENALTY.VBS' (VBS.Downloader.Trojan) which when executed, downloads the crypto-ransomware onto the victim’s computer. The threat also downloads and opens a legitimate .pdf file to trick users into thinking that the initial zip archive was not a malicious file."

In the initial analysis, Symantec identified that the malware is using Microsoft PowerShell modules to allow attackers to run their own PowerShell script on the compromised computer.

"The malware encrypts files using a random Advanced Encryption Standard (AES) key. This key is then encrypted with an RSA public key so that victims can only decrypt their files by obtaining the private key from the attackers."


Download and install any of the Norton security products. If you are using that, make sure to have the latest virus/malware database.

No comments

Powered by Blogger.