AP tries to stir up security fears

Associated Press Technology Writer Ted Bridis tries to stir up panic with an alarming story headlined “Hackers Holding Computer Files ‘Hostage’”:

Computer users already anxious about viruses and identity theft have new reason to worry: Hackers have found a way to lock up the electronic documents on your computer and then demand $200 over the Internet to get them back.

Security researchers at San Diego-based Websense Inc. uncovered the unusual extortion plot when a corporate customer they would not identify fell victim to the infection, which encrypted files that included documents, photographs and spreadsheets.

A ransom note left behind included an e-mail address, and the attacker using the address later demanded $200 for the digital keys to unlock the files.

“This is equivalent to someone coming into your home, putting your valuables in a safe and not telling you the combination,” said Oliver Friedrichs, a security manager for Symantec Corp.

The FBI said the scheme, which appears isolated, was unlike other Internet extortion crimes. Leading security and antivirus firms this week were updating protective software for companies and consumers to guard against this type of attack, which experts dubbed “ransom-ware.”

This is just dumb. “Hackers have found a way to lock up the electronic documents on your computer…”? Viruses and other forms of hostile code capable of deleting, encrypting, scrambling, stealing, or corrupting files have been around for as long as I can remember. An ICSA report documents this significantly more widespread extortion attempt from 1989, for instance:

[T]he Aids Trojan … was concealed on diskettes labelled “Aids Introductory Information Diskette” offering information on the human AIDS virus. The diskettes were mailed worldwide from London in December 1989, and when installed displayed a licence agreement and printed invoices for $189 or $378. Users were instructed to send the money to a fictitious PC Cyborg Corporation at an actual PO Box number in Panama, otherwise their PC would cease to function. This was no empty threat; after a variable number of power-ups since its installation the Trojan rendered the PC inoperable. At the end of January 1990, Joseph Popp was arrested by the FBI in Ohio, extradited to London and charged with 11 counts of blackmail… [I]t was estimated that this Trojan was intended to extort at least … 6 million [pounds].

This AP story takes an incident that the reporter acknowledges is “isolated,” which was reported by a publicity-seeking security software firm, and tries to turn it into a trend story. He doesn’t bother talking to any independent security researchers and instead interviews spokespeople for three companies that clearly stand to benefit financially from security-based panic. And I just about lost it when I read that the evil hacker asked for … gasp! Two hundred dollars! Clearly, this is not Dr. Evil we’re dealing with.

The story ends with this paragraph that basically cuts off its own legs:

Experts said there were no widespread reports the new threat was spreading, and the Web site was already shut down where the infection originally spread. They also said the hacker’s demand for payment might be his weakness, since bank transactions can be traced easily.

Oh. I see. Never mind.

There’s no trend here, folks. It’s one of the most fundamental principles of security: If you let someone else install software on your computer, it’s not your computer anymore.

Bridis deserves extra demerits for this lame story.

Update: Add Brian Krebs of the Washington Post to the Dishonor Roll. In his usually trenchant Security Fix blog at washingtonpost.com, Krebs falls overboard for this one:

In what could be a harbinger of the next big fad in online crime, Internet scammers are now trying to extort money from Microsoft Windows users by scrambling text files on victims’ PCs and then requesting payment for a computer program needed to decode the documents.

“Harbinger of the next big fad in online crime”? I doubt it. And “scammers” (plural)? Nope. One isolated incident. He does note, correctly, that this example exploits a security flaw in Internet Explorer that was patched last July.

Yet another update: More uncritical sources continue to pick this story up and fling it around the Internets. Neowin reprints the story unquestioningly, and so does Ed Oswald at Betanews (although an alert commenter quickly provided Betanews readers with a link to this page – thanks, Zaine!). And alas, a scan of Google News reveals that the story has been picked up by more than 400 sources.

4 thoughts on “AP tries to stir up security fears”

  1. When you consider that the cost of having data recovered from a dead 20GB HD could be as much as $2000, $200 is small beans for a business.

    And incidentally the $2000 figure comes from experience. When people say back up your data, they do actually mean it. I imagine most businesses with any sense would have backups anyway that they could restore should a hacker disrupt their data in this way.

  2. Absolutely right. It is painful to see the look on a client’s face after they’ve (1) had a hard drive crash (2) with no backups and (3) assume that there is some magic service that can bring the disk back from the dead with a few taps of the old magic wand.

    When I explain that the cost is likely to be well over $1000 with no guarantee of any data recovery, they blanch.

  3. Yes, but don’t forget to place due blame on Microsoft too.

    Given the rate at which Internet Explorer critical security bugs are STILL being found despite SP2 I don’t think we’re going to see any lack of worms any time soon.

    See http://www.eeye.com/html/research/upcoming/index.html
    for upcoming advisories on yet more vulnerabilities, including one not patched for almost 3 months!

    No software is perfect but Bill Gates’ promises about ‘the best security response team’ yadda yadda sound like just more hollow words.

  4. I’ve read a lot of sloppy, dubious tech reporting lately. The main tactic is to insert non-existent or unattributed comments, often starting with “Some inside Microsoft think….”
