New malware (ransomware) locks your computer claiming you violated the law under SOPA, asks for $200 if you want your files back

Ransomware is a type of malware that locks your computer, encrypts your files, or otherwise prevents you from accessing your data, then demands money to restore that access. In other words, your data is held for ransom, hence the name ransomware.

A new piece of ransomware is floating around the internet pretending to be from the United States government, claiming the target computer has been locked because the user illegally downloaded copyrighted content, software, or child pornography. The ransomware uses the well-known but defunct Stop Online Piracy Act (a bill that never became law) as cover, claiming your computer has been put on the ‘S.O.P.A. Black List’ and is being locked by the ‘Stop Online Piracy Automatic Protection System’.

In classic ransomware style, anyone affected is asked to make a payment of $200 within 72 hours (by purchasing a MoneyPak prepaid voucher) or else risk having all their data erased. Interestingly, victims who don’t have access to MoneyPak stores (everyone outside the United States and Canada; MoneyPak is a legitimate business that is unfortunately abused for these types of schemes) are told they can send 200 euros through Western Union instead. I guess we North Americans get a discount since this is our law.

Aside from asking for money, the ransomware claims that victims can have one file decrypted as proof that the criminals can, and will, unlock the rest after payment. I wouldn’t suggest taking them up on that offer; who knows what they will e-mail you back as an attachment.

What makes this ransomware different from others is that it tries to create an aura of legitimacy by pretending to be the American government. Many people will probably think twice before giving in to the demands of a ransomware attack if it is obviously ransomware. However, this one makes it look like it is the United States government that is locking your computer, which is likely to persuade more people into giving in to its demands, out of fear or otherwise. The media attention given to SOPA/PIPA earlier this year only magnifies this effect.

It isn’t entirely clear how users are being infected by this particular ransomware, but it does appear that only Windows machines are affected.

If you are infected, as with most competent ransomware, there really isn’t any way to unlock your computer unless you can break the encryption (which is not going to happen). Do not pay the thieves: there is no guarantee that they will actually unlock your files, and they may very well target you again because they now know you will pay. The best thing to do when infected is to wipe your computer and restore your data from backups, assuming you have some; keep those backups somewhere the infected machine cannot write to (offline or otherwise disconnected), since a backup the malware can reach is no backup at all. Once you are up and running, make sure to install the appropriate security measures, including but not limited to a competent anti-virus, and avoid shady files and websites.
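The wipe-and-restore advice above only works if you can tell a clean restore from a partial one, and a record of what your files looked like before the incident makes that check trivial. The following is an added example, not code from the original post or from Sophos: it builds a SHA-256 manifest of a directory tree, compares the tree against that manifest later, and applies a crude "most known files changed at once" heuristic, which is the footprint a file-encrypting ransomware leaves and which ordinary use does not. Every file name, file content and the 50% threshold are constructed for the demonstration; the "attack" is simulated by overwriting files with random bytes, not by any real cipher.

```python
"""Added example (not part of the original post): manifest-based integrity
check for ransomware recovery. Snapshot a tree, detect the bulk-modification
pattern of a file-encrypting infection, and verify a restore from backup.
All file names and contents below are constructed for the demo."""
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each regular file (path relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            manifest[path.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def compare(manifest, root):
    """Diff the tree under root against a previously built manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "new": sorted(p for p in current if p not in manifest),
    }


def looks_like_mass_encryption(diff, manifest, threshold=0.5):
    """Heuristic (threshold is an assumption, not a published number): when a
    large fraction of the files in the manifest changed or vanished at once,
    something rewrote them wholesale, which is what encrypting malware does."""
    if not manifest:
        return False
    changed = len(diff["modified"]) + len(diff["missing"])
    return changed / len(manifest) >= threshold


def demo():
    """Constructed walk-through: snapshot, simulated attack, wipe, restore, verify.
    Returns (diff after the attack, heuristic verdict, diff after the restore)."""
    originals = {
        "docs/thesis.txt": b"chapter one\n",
        "docs/notes.txt": b"todo: make backups\n",
        "photos/cat.jpg": b"\xff\xd8\xff\xe0fake-jpeg-bytes",
        "readme.txt": b"keep an offline copy\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in originals.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        manifest = build_manifest(root)  # the pre-incident record

        # Stand-in for the malware: every document except readme.txt is
        # overwritten with random bytes (simulation only, no real cipher or key)
        # and a ransom note appears. Real infections differ in the details.
        for rel in originals:
            if rel != "readme.txt":
                (root / rel).write_bytes(os.urandom(32))
        (root / "HOW_TO_PAY.txt").write_bytes(b"send $200 within 72 hours ...")
        after_attack = compare(manifest, root)
        flagged = looks_like_mass_encryption(after_attack, manifest)

        # Recovery as the post recommends: wipe, then restore from the clean
        # copy held elsewhere (here, the in-memory originals dict).
        for path in list(root.rglob("*")):
            if path.is_file():
                path.unlink()
        for rel, data in originals.items():
            (root / rel).write_bytes(data)
        after_restore = compare(manifest, root)  # empty lists == verified restore
    return after_attack, flagged, after_restore


if __name__ == "__main__":
    attack, verdict, restore = demo()
    print("after attack:", attack, "flagged:", verdict)
    print("after restore:", restore)
```

Keep the manifest with the backups rather than on the machine it describes; if the malware can rewrite your files it can rewrite a manifest stored beside them too.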

[via Sophos]

  • Steinerman

    I just fixed a computer that was infected with this mess. Since it wouldn’t boot in safe mode, I had to take the entire hard drive out of that computer and install it as a slave into a second computer (AFTER I did a full partition image backup!).

    Once I did this I was able to use the latest Malwarebytes virus definitions to go in and get rid of the infection. It turns out to be only a very few files. Once they were removed and the hard drive was replaced in its original computer, everything was fine. All data was intact and the customer was overjoyed!

  • DarthYoda

    So does this actually encrypt your files then? All the FBI / RCMP ransomware ones do is just hijack your screen, not actually change any of the files on your computer.

  • AFPhys

    Please keep us well informed about this, when and if the vector of infection is identified.

  • Kerry

    I wonder if a hard shut down would stop it?

  • DoktorThomas

    Is there any way to pre-empt the ransomware takeover? Besides endless backups?

  • Tom

    I needed to read this last week. What a mess. My most recent drive image is from June. At least I no longer have to worry about the local SWAT team breaking down my door.

  • oldtimer56

    Wouldn’t a restore (in safe mode) back to before the ransom attack work? A friend had a similar one from a group claiming to be the FBI…

  • Peter

    @ mukhi and Mayank: You’re kidding, aren’t you? If the MPAA had anything to do with that, the ransom would be at least five times as high. And a constitutional state can’t afford the moral costs of criminal practices like this. That ransomware has most likely been made by other organized criminals.
    BTW: I do not know enough about the US government to tell whether they are organized or not ;-)

  • Mayank

    Who knows, maybe the CBI or some other such organization itself made such malware due to the failure of SOPA/ACTA etc.

  • mukhi

    I think this is state-sponsored, funded by the MPAA. They could not find any other way to stop piracy when SOPA failed.