Thursday, 11 May 2006 18:49

Ransomware demands visit to druggist

Last week, threat researchers at security vendor Trend Micro discovered a new ransomware sample making the rounds. The TROJ_ARHIVEUS.A trojan offers a twist: rather than demanding payment directly, the writer forces the victim to buy from a specific online pharmacy if the victim wants their files back.

According to Adam Biviano, premium services manager at Trend Micro Australia and New Zealand, this tactic may be a sign of things to come. “Like any malware, this trojan is just another point in the overall threat landscape”, says Biviano. “But with the culmination of phishing, spyware, and spam, in addition to the ‘ransom note’, it seems to follow the larger emerging trend we’ve seen over the past year, whereby many different types of threats are employed simultaneously.” Biviano adds that as the security industry continues to make gains against spam – the method by which most online pharmacies reach their target audience – these illegitimate businesses will naturally try to find new ways to make money.

TROJ_ARHIVEUS.A collects the files in the user's ‘My Documents’ folder, bundles their contents into a single encrypted archive, ‘EncryptedFiles.als’, and deletes the originals. It also drops two new files on the user’s system, which are necessary to restore the original content.

The so-called ‘ransom note’ begins by warning the user not to bother calling police or taking any other defensive action, lest their files be rendered unrecoverable. And like most such messages, the tone is harsh and controlling throughout the bulk of the text. But what makes TROJ_ARHIVEUS.A unique is the dramatic shift at the end. The tone suddenly becomes positive and upbeat, with “WE DO NOT ASK YOU FOR ANY MONEY! We only want to do business with you. You can even EARN extra money with us.”

“Regardless of the tone, extortion is still extortion”, adds Biviano, commenting on the note’s message that making a purchase with the online pharmacy is the ‘only way’ to restore one’s files. “Whether through the forced purchase of a product, or by just sending money directly, the writer is still forcing people to pay to regain what is theirs.”

Trend Micro advises users to ignore the note, leave the dropped files in place (they are needed for recovery), and contact their security vendor for safe removal of the trojan and recovery of the files. According to Biviano, many of the ransom note’s claims simply are not true. “Through a bit of reverse engineering, we can determine the password ourselves”, said Biviano. “Despite this writer’s claim that the encryption program is no longer on your hard drive, it is – it has to be, since it is necessary to extract the files.”
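The reasoning in the two passages above (the victim's documents bundled into one password-encrypted archive, and a dropped decryptor that must still hold that password in order to work) can be shown in miniature. The following is an added example written for this page, not code from Trend Micro or from the trojan itself: the archive layout, the toy SHA-256 counter-mode cipher, the single-byte XOR that hides the password inside the dropped decryptor, the sample files and the password ‘pharmacy’ are all assumptions made for illustration. It simulates the infection, then recovers the password the way an analyst would, by locating the embedded constant in the decryptor and undoing its obfuscation.

```python
"""Toy model of archive-and-encrypt ransomware and of why its password is
recoverable. Constructed example; not TROJ_ARHIVEUS.A's code or file format."""
import hashlib
import os
import struct

# Constructed stand-in for a victim's 'My Documents' folder (not real data).
SAMPLE_FILES = {
    "notes.txt": b"meeting at 10am",
    "budget.csv": b"item,cost\npens,3.50\n",
}

# Assumption: the decryptor hides its password with a single-byte XOR, a
# trivial obfuscation an analyst undoes once the loop is found in the binary.
OBFUSCATION_KEY = 0x5A
MARKER = b"DECRYPTOR\x00"  # assumed: the string that precedes the hidden password


def pack(files):
    """Bundle files into one length-prefixed blob (the single archive)."""
    out = bytearray()
    for name, data in sorted(files.items()):
        name_b = name.encode()
        out += struct.pack(">H", len(name_b)) + name_b
        out += struct.pack(">I", len(data)) + data
    return bytes(out)


def unpack(blob):
    """Inverse of pack(); raises on corrupt input (e.g. a wrong password)."""
    files, pos = {}, 0
    while pos < len(blob):
        (nlen,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        name = blob[pos:pos + nlen].decode()
        pos += nlen
        (dlen,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        files[name] = blob[pos:pos + dlen]
        pos += dlen
    return files


def keystream(password, salt, length):
    """Toy SHA-256 counter-mode keystream. Not a real cipher; illustration only."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(salt + password + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext, password):
    salt = os.urandom(16)
    ks = keystream(password, salt, len(plaintext))
    return salt + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(ciphertext, password):
    salt, body = ciphertext[:16], ciphertext[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(password, salt, len(body))))


def simulate_infection(files, password):
    """Return (encrypted archive, dropped decryptor). The decryptor must carry
    the password to do its job; here it is merely XOR-obfuscated."""
    archive = encrypt(pack(files), password)
    hidden = bytes(b ^ OBFUSCATION_KEY for b in password)
    decryptor = MARKER + struct.pack(">B", len(hidden)) + hidden + b"\x00END"
    return archive, decryptor


def recover_password(decryptor):
    """What the reverse engineer does: find the embedded constant, undo the XOR."""
    start = decryptor.index(MARKER) + len(MARKER)
    plen = decryptor[start]
    hidden = decryptor[start + 1:start + 1 + plen]
    return bytes(b ^ OBFUSCATION_KEY for b in hidden)


def recover_files(archive, decryptor):
    """Restore the victim's files without ever visiting the 'pharmacy'."""
    return unpack(decrypt(archive, recover_password(decryptor)))


if __name__ == "__main__":
    archive, dropped = simulate_infection(SAMPLE_FILES, b"pharmacy")
    print("recovered password:", recover_password(dropped))
    print("recovered files:", sorted(recover_files(archive, dropped)))
```

Running the file prints the recovered password and file names. The point generalises beyond this toy: a decryptor that works offline necessarily holds, or can derive, the key, so the note's claim that the encryption program has left the disk is something to check by inspecting the dropped files, not something to trust.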



Stan Beer


Stan Beer co-founded iTWire in 2005. With 30-plus years of experience working in IT and Australian technology media, Beer has published articles in most of the IT publications that have mattered, including the AFR, The Australian, the SMH and The Age, as well as a multitude of trade publications.
