"This is the worst attack I've ever seen," says Jacques Erasmus, Prevx's director of malware research and a former hacker who has proved a worthy opponent for the Glamorous Team. He's spent days trying to help victims like Tom and Mike recover their files.
"We received a first sighting of this around eight hours after it was released via spearphished emails to a targeted audience of people looking for work using the monster.com website," says Erasmus. The attack may have used an email list stolen from Monster or a similar job-seeking service.
"[Normally] to get an uptake of 1,000 machines, you'd need to send the email to around 75,000 people. However, because this email was highly targeted, the conversion ratio would be much better. Therefore I believe it was sent to around 10,000 email addresses," says Erasmus. A secondary wave of infection involved pornography and a malicious website in Panama. Only people in the USA were affected, except for one person in Saudi Arabia.
The software was a password-stealer trojan with a new ransomware feature and three functions: encrypting files on the victim's hard disk, stealing browser data, and silently sending the stolen information to a website on a shared Yahoo server. No documents were taken, just data from browser sessions, although panicked users who deleted the read_me.txt messages containing the randomly generated encryption key lost their files forever.