DOT hit by 'ransomware' trojan
- By Joab Jackson
- Jul 23, 2007
The Transportation Department, along with Booz Allen Hamilton, Hewlett-Packard, Nortel Networks and Unisys, recently had data on some desktop computers encrypted and held for ransom, according to a British Internet security provider.
In a blog on Prevx's site (www.prevx.com), Jacques Erasmus wrote of finding a new variant of malware that encrypts the contents of the user's hard drive. It then shows a message offering to unencrypt the drive for $300.
According to the company's technical analysis (GCN.com/813), the malware, called NTOS.exe, scours a hard drive for sensitive information, encrypts the drive and uploads the content to a secret site.
Employees were tricked into downloading the spyware, which Erasmus dubbed ransomware, after it was embedded in an e-mail message or advertisement for job listings, according to the company.
The analysis also concluded that "the files aren't so strongly encrypted as claimed," and it is therefore not necessary to pay $300 to decrypt the files. The company has a decryption tool available on its site.
Prevx was able to look at encrypted files uploaded to the secret holding area. The 6,317 files found on the site were tagged with IP addresses, presumably the ones from which they came. One file seemingly originated from the Bladensburg, Md., office of the Transportation Department.
Erasmus said the unencrypted file contained 500K of sensitive data.
Joab Jackson is the senior technology editor for Government Computer News.