Ransom-based malware attacks specific companies

Low ransom request and a self-termination date on the code suggest this is a test attack.

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.
Robert Vamosi

Various security companies are today reporting targeted attacks made on Fortune 1000 companies over the weekend. What's notable is that documents within each of the affected companies were stolen, encrypted, then the companies were offered a decryption key for a fee. What's odd is that the amount requested as ransom was a mere $300.

Reuters reports companies hit by the attack include Booz Allen, Unisys, Hewlett-Packard and Hughes Network Systems. Security vendors report having identified hundreds more.

The attack works like this. Malware writers target a handful of companies, somehow manage to sneak their code past the corporate antivirus protection, then encrypt what the attackers consider to be significant documents. It's unclear whether the attackers have and are otherwise using the information in the encrypted documents. The attackers then send the companies a note explaining that the document is locked with RSA-4096. The ransom aspect of this attack tends to disguise the fact that companies were compromised in the first place.

Analysis by antivirus vendor Kaspersky finds no trace of RSA-4096 and suggests a weaker form of encryption was used instead. Also, the initial malware used to harvest and encrypt the files has a self-termination date of July 17th, suggesting this was a test run for something larger. Perhaps that's why they're only demanding $300.