Trojan holds PC files for ransom

A unique new kind of malicious threat which locks up files on a PC then demands money in return for unlocking them has been identified. The program, Trojan.Pgpcoder, installs itself on a vulnerable computer after users visit certain websites and then turns files into gobbledegook, holding them to "ransom"

It exploits a known vulnerability in Microsoft's Internet Explorer (IE).

Net security firm Symantec said the program had not spread quickly, but was another example of rising criminal extortion activity on the net.

The malware - harmful software - was first identified by US net security firm Websense.

The program, once it installs itself unbeknown to a user, triggers the download of an encoder application which searches for common types of files on a computer and networked drives to encrypt.

The trojan replaces a user's original files with locked up ones, so that they are inaccessible. It then leaves a "ransom note" in a text file.

Instructions to release the files are only handed over when a ransom fee is paid, according to Websense.

The electronic note left on the computer gives details of how to meet the demands via an online account.

"This attack is yet another indicator of the growing trend of criminals using technology for financial gain," said Kevin Hogan, senior manager at web security firm Symantec.

"This Trojan horse is certainly an example of using cryptography for malicious purposes.

"It is the equivalent of someone coming into your home, locking your valuables in a safe and refusing to give you the combination."

But because it is classed as a trojan, it does not send itself out to contacts that a user might have stored on a computer, like viruses. This limits its ability spread around to high levels, "in the wild", said Symantec.

Computer users are urged to ensure their anti-virus and security software is up-to-date.



If you have any comments on this article or would like to find out more about the work of the Continuity Forum please contact Sara McKenna or Russell at the Continuity Forum directly on 020 8993 1599 or