Cyber Extortionists Reappear, Attack U.S. Companies
The blackmailers, who launched attacks from 2005 to 2006, break into systems, encrypt data, and then blackmail the owners for the return of the information.
Online extortionists have resurfaced, breaking into users' systems, encrypting their data, and then holding it hostage until a $300 ransom is paid.
A cyber blackmailer tormented users in Russia between 2005 and 2006. Now the extortionists have reappeared, according to researchers at Moscow-based Kaspersky Lab. And it also appears they have branched out beyond Russia's borders.
"It is easy to imagine how upset a user would be when they wake up on a sunny June morning and discover that their files are unusable: either they can't be opened or, in the case of .txt files, they contain garbage," wrote Olga Emelyanova and Denis Nazarov in a blog last year. "And it's not only MS Office documents -- over 80 different types of files are affected."
GpCode, which used RSA algorithms to encrypt the users' data, has popped back up again on the Internet, with users outside of Russia reporting that their documents, photos, and archived files have been tampered with, reported Aleks Gostev, Kaspersky's senior virus analyst, in a blog entry.
Researchers at Prevx, a U.K.-based Internet security company, reported that the attackers have hit major U.S. companies and government agencies. Prevx discovered a Trojan called NTOS.exe. A spokesman for Prevx said they believe the same attackers are using two different tools.
"Prevx feels it is critical for these major organizations and government agencies to block any and all access to their computers and systems by any of the stolen passwords," said Prevx CEO Mel Morris, in a statement. "It's possible that the authors of this malware, and any parties to whom they may already have sold information, could gain what appears to be legitimate access to the compromised systems. This could also lead to further access to additional confidential information."
According to Kaspersky, the users under attack found that their documents were turned into junk data, while a file called "read_me.txt" was left on their systems.
The message, according to Gostev, reads, "You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us. To decrypt your files you need to buy our software. The price is $300 If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data."
The message is signed by the "Glamorous Team."
The malware, which Kaspersky named Virus.Win32.Gpcode.ai, has a limited shelf life, from July 10 to July 15, reported Gostev.
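A defender-side triage sweep for the artifacts described above, written as an added example rather than code from the article, Kaspersky or Prevx: it looks for a read_me.txt matching the quoted note and for .txt files whose contents have turned near-random, which is how the affected text files were described. The marker phrases, the entropy threshold and the sample directory tree are assumptions constructed here.

```python
import math
import tempfile
from pathlib import Path

NOTE_NAME = "read_me.txt"                      # dropped-note filename reported by Kaspersky
NOTE_MARKERS = ("decrypt", "glamorous team")   # assumed markers, taken from the quoted note

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted bytes approach 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def is_ransom_note(path: Path) -> bool:
    """True when the file carries the note's name and its signature phrases."""
    if path.name.lower() != NOTE_NAME:
        return False
    text = path.read_text(errors="ignore").lower()
    return all(marker in text for marker in NOTE_MARKERS)

def looks_garbled_text(path: Path, threshold: float = 6.0) -> bool:
    """A .txt file with near-random byte entropy is a candidate encrypted victim."""
    data = path.read_bytes()
    return len(data) >= 64 and shannon_entropy(data) > threshold

def sweep(root: Path) -> dict:
    """Walk a tree and collect ransom notes and suspicious .txt files by path."""
    findings = {"notes": [], "garbled_txt": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if is_ransom_note(p):
            findings["notes"].append(p)
        elif p.suffix.lower() == ".txt" and looks_garbled_text(p):
            findings["garbled_txt"].append(p)
    return findings

def demo() -> dict:
    """Constructed sample tree (not real victim data); returns basenames found."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / NOTE_NAME).write_text("To decrypt your files you need to buy our software. Glamorous Team")
        (root / "notes.txt").write_text("Quarterly budget meeting moved to Thursday; bring the slides.\n" * 3)
        # Stand-in for encrypted output: every byte value equally often, entropy exactly 8 bits.
        (root / "report.txt").write_bytes(bytes(range(256)) * 4)
        return {k: sorted(p.name for p in v) for k, v in sweep(root).items()}

if __name__ == "__main__":
    print(demo())
```

Entropy alone is a heuristic, so a hit on a .txt file is a lead to verify against backups or the user, not proof of encryption on its own.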
Prevx is making decryption software available free of charge to consumers and businesses whose computers may have become infected and encrypted by the malware. Additional information is available at this Web site.
Prevx researchers, though, say the extortion is just a cover for the attackers' true intent -- harvesting sensitive information, like logons and IP addresses.