Fortinet Blog | News and Threat Research


A New Look for Ransomware

by RSS Stefanie Hoffman  |  January 25, 2013  |  Category: Industry Trends & News

Ransomware shares numerous traits with, and follows the same trajectory as, fake or rogue antivirus: many ransomware programs come equipped with a professional-looking GUI; once the application is installed, it launches the GUI and conducts a bogus computer scan. The software then claims the victim’s system is infected with malware. The fake AV asks for payment to “clean” the system, enticing users to submit credit card details and leaving them susceptible to exploits and identity theft.

Where ransomware diverges from this fake AV model is in not giving the victim a choice regarding installation. A rogue AV product that acts as ransomware, for example, will install automatically and demand payment or personal information before it will be removed. Ransomware, while a prolific and well-established form of malware, comes in lower on the severity totem pole than Trojans, APTs and other targeted threats.

However, FortiGuard researchers have discovered a new strain of ransomware that’s sourced to the Sasfis botnet, notorious for distributing FakeAV, with a variant that extorts money from its victims. Unlike similar attacks, the Sasfis ransomware is indiscriminate in its ability to infect files, compromising office documents, compressed, text, source code, picture, audio and video files. Once it infects the files, the ransomware copies itself to the victim’s desktop and, unlike other malware that attempts to cloak its existence, it indicates its presence with the name “Encryption Virus.exe.” The ransomware communicates behind the scenes, sending the victim’s information to a central server. When it makes itself known to the victim, it displays a window with a ransom message that stays on top of other applications.
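A defender-side heuristic for the behaviour described above, added here as an illustration (it is not Fortinet’s or FortiGuard’s code): it walks a list of file-modification records looking for a burst of changes that spans several of the file families the post lists, and separately checks for a desktop file named as the post reports. The event records, paths, thresholds and extension sets are constructed assumptions; a real deployment would feed it from a file-system audit log or an endpoint agent.

```python
"""Burst-modification and desktop-indicator heuristic (added example)."""
from collections import namedtuple
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# One file-modification record: the path touched and when (constructed shape).
FileEvent = namedtuple("FileEvent", "path mtime")

# Extension families the post says the ransomware hits indiscriminately
# (the concrete extension sets are an assumption for the example).
FAMILIES = {
    "office": {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"},
    "archive": {".zip", ".rar", ".7z"},
    "text": {".txt", ".rtf"},
    "source": {".c", ".py", ".js", ".java"},
    "image": {".jpg", ".png", ".gif"},
    "audio": {".mp3", ".wav"},
    "video": {".avi", ".mp4"},
}

# Name the post reports for the copy dropped on the desktop.
DESKTOP_INDICATOR = "encryption virus.exe"


def family_of(path):
    """Map a path to one of the extension families above, or None."""
    ext = PureWindowsPath(path).suffix.lower()
    for name, exts in FAMILIES.items():
        if ext in exts:
            return name
    return None


def find_burst(events, window=timedelta(seconds=60), min_files=8, min_families=3):
    """Slide a time window over the sorted events and flag the first window in
    which at least min_files user files spanning at least min_families
    families were modified. Returns (window_start, families) or None."""
    events = sorted(events, key=lambda e: e.mtime)
    start = 0
    for end, ev in enumerate(events):
        while ev.mtime - events[start].mtime > window:
            start += 1
        chunk = [e for e in events[start:end + 1] if family_of(e.path)]
        fams = {family_of(e.path) for e in chunk}
        if len(chunk) >= min_files and len(fams) >= min_families:
            return events[start].mtime, fams
    return None


def desktop_indicator(events):
    """Return the path of a desktop file carrying the reported name, or None."""
    for e in events:
        p = PureWindowsPath(e.path)
        if p.name.lower() == DESKTOP_INDICATOR and p.parent.name.lower() == "desktop":
            return e.path
    return None


def assess(events):
    """Combine both signals; either one alone is enough to raise an alert."""
    burst = find_burst(events)
    indicator = desktop_indicator(events)
    return {"burst": burst, "indicator": indicator,
            "suspicious": burst is not None or indicator is not None}


# Constructed sample feeds: a quiet workday versus an infection.
T0 = datetime(2013, 1, 25, 9, 0, 0)
U = "C:\\Users\\alice\\"
BENIGN = [FileEvent(U + "Documents\\notes.txt", T0),
          FileEvent(U + "Documents\\budget.xlsx", T0 + timedelta(minutes=20)),
          FileEvent(U + "Pictures\\cat.jpg", T0 + timedelta(hours=1))]
INFECTED = [FileEvent(U + p, T0 + timedelta(seconds=s)) for p, s in [
    ("Documents\\report.docx", 0), ("Documents\\budget.xlsx", 2),
    ("Documents\\notes.txt", 4), ("Downloads\\backup.zip", 6),
    ("src\\main.c", 8), ("src\\app.py", 10),
    ("Pictures\\cat.jpg", 12), ("Pictures\\dog.png", 14),
    ("Music\\song.mp3", 16), ("Videos\\clip.mp4", 18),
    ("Desktop\\Encryption Virus.exe", 20),
]]

if __name__ == "__main__":
    for label, feed in (("benign", BENIGN), ("infected", INFECTED)):
        print(label, assess(feed))
```

The burst check is the more general of the two signals: it does not depend on the sample's file name and will also fire on other mass-encrypting malware, so in practice it is the one worth tuning (window, file count, family count) against a baseline of normal activity on the host.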

In short, it’s a nasty piece of malware that will require a lot of time, effort and cost to undo should it make its way onto a victim’s machine. And with Sasfis behind it, researchers expect it will propagate rapidly to give its financers an exponential boost.

There are ways to reduce infection risk, the most effective being proactive prevention – learning how to spot ransomware and fake AV before becoming infected. Users should familiarize themselves with their current AV solution and ensure the software is updated with all available patches. According to Fortinet researcher Raul Alvarez, users should also be aware that no reputable AV company will force a user to pay to conduct a security scan if they already have the latest updates installed on their machines.

If, in a moment of weakness, a user downloads the program, there are ways to remediate the damage. First, the user needs to conduct a scan with a legitimate AV product. If the malware prevents the AV from running or being installed, users should restart their system in safe mode before conducting a scan. Users can also conduct an offline scan, which cleans the operating system for a more comprehensive remediation. If credit card details were submitted, users should cancel their card and scrutinize their bill for unfamiliar charges. It might be a good idea to request a copy of their credit report to ensure nothing slipped under the radar.

Going forward, here are a few tips, provided by Alvarez, that may prevent users from falling prey to ransomware tactics:

* Always update your AV software from valid sources

* Avoid running applications sourced to e-mails or downloaded from the Internet if you are not sure they are clean

* Don’t give away financial information by submitting details into a suspicious Website

* Always scan your system using your familiar, legitimate AV software

