New "ransomware" that locks up a person's PC is demanding $35 in order to return control to the user, a security researcher has warned this week.
The extortionists tell victims of the Delf.ctk Trojan horse to dial a 900 number, said Alex Eckelberry, CEO of US security developer Sunbelt Software Distribution. That number can be traced to "passwordtwoenter.com," a payment processor also used by hardcore pornography websites to charge for access to their content, added Eckelberry.
Users infected with the Trojan horse see a full-screen message posing as an error generated by Windows, according to screenshots posted by Eckelberry on the Sunbelt company blog earlier this week.
"ERROR: Browser Security and Antiadware [sic] Software component license exprited [sic]," the message reads. "Surfing PORN, ADULT and some other kind of sites you like without this software is dangerous and threatens with infection of your computer by harmful viruses, adware, spyware, etc."
The bogus update window includes a "Click to activate new license" button that in turn brings up another screen, this one telling US users to dial a 900 telephone number and enter a personal identification number (PIN). If the 900 number doesn't work, the page instructs users to dial alternate numbers - one in the West African nation of Cameroon, the other a satellite telephone number.
"You're completely locked out of the system" after the Delf.ctk Trojan horse installs and runs, said Eckelberry. The only way to regain control is to pay up by dialling.
A search on Google for the 900 number returns results pointing to passwordtwoenter.com, a website registered to Global Voice, a company based on the island nation of the Republic of Seychelles. The IP address used by passwordtwoenter.com is shared with similar domains, including "pintoenter.com" and "chargemyphonebill.com," which are also registered to Global Voice.
Global Voice did not respond to email sent to the address listed in the domain registration information for passwordtwoenter.com.
Ransomware, a term used to describe malware that tries to extort money from users after an infection - usually to return access to suddenly encrypted files - is rare, but not unknown. The last outbreak of any note was in July 2007, when another Trojan horse, dubbed "GpCode," demanded $300 to unlock frozen files.