Websense warns of cyberattack that holds files hostage

A hacker has apparently found a way to encode computer files and hold them hostage until the intended victim pays for a decoder tool to unlock the files.

The original infection occurs when the user visits a malicious Web site that exploits a vulnerability in Microsoft's Internet Explorer Web browser, according to San Diego-based Websense, which uncovered the extortion attempt.

"We had a report from the field, but [we] do not divulge what our source for that is," said Dan Hubbard, senior director of security and research at Websense. "What happened was after doing some forensics on the actual computer that was infected, we noticed that the user visited a Web site that has since been shut down. And the site, through an Internet Explorer vulnerability, downloaded some code onto the machine and ran it without user intervention."

Hubbard said the sole purpose of the infection was to go to a second Web site and download another piece of code.

"So first the Trojan [horse] downloader infected the machine, then the downloader went to a second Web site and downloaded the new code and then started its process," Hubbard said. "It goes through and looks at your hard drive for around 12 different file types, including documents, photos, databases, Zip files and spreadsheets, and if it matches those file types, it actually encodes the data."

According to Hubbard, the malware goes through all drives on a machine, whether they're removable or not, and at the end of the process deletes itself -- leaving behind a text file with instructions on who to contact to have the files changed back to a readable format.

"In this particular case, the end user did contact the third party, and there was a request to deposit US$200 in an E-Gold account, but that did not happen," he said.

Instead, Joe Stewart, a senior security researcher at Lurhq, looked into the case after hearing about it and contacted Websense with a solution. "I took a look at the encryption scheme and found that it was a pretty trivial and easy to break encryption scheme," Stewart said. "So I wrote a decryptor for that and put that information out there for our customers -- to tell them that if they get hit by this, we can decrypt it and you don't have to pay this guy ransom."

That solution might not work next time, experts said.

Although this hacker used a weak form of encoding, someone in the future could use a much more sophisticated level of encryption, Hubbard said. Or a hacker could remove the files or transfer them to another location and try to extort money for their return, he said.

"This was not a very sophisticated technique, although it was a fairly ingenious idea," Hubbard said.

Stewart agreed.

"If this evolves, and the person keeps getting more and more money from it -- and if they see the need for more advanced encryption -- they could put it in, and we wouldn't be able to break it," he said. "All we would be able to rely on is getting the key from the original Trojan author, which means you would have to either pay the ransom or law enforcement would have to actually catch the guy and get the key off his hard drive."

"It's like someone coming into your house, putting all of your valuables into a safe and not telling you the combination until you pay them," said Oliver Friedrichs, a security manager at Symantec. "It is a disturbing new trend and really a subversive use of cryptography that we haven't seen in the past. In the past, cryptography has been largely used to protect information. In this case, it's being used to hold your information hostage."

Hubbard said the best protection against this type of cyberattack is staying up to date on latest security patches and making sure users have the latest signatures for the security software on their computers.

"The not-so-obvious is trying to learn about these types of things ... and to know where to go if something does happen," Hubbard said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Linda Rosencrance

Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?