Arhiveus Ransomware Trojan Analysis

Unlike ransomware we have seen in the past, Arhiveus does not actually encrypt files; it simply concatenates them into a file called EncryptedFiles.als, prefixing each file with a header that records its name and length. Another new development in the ransomware arena is that Arhiveus does not ask the user to deposit money into E-Gold or another money transfer service, but instead attempts to force the victim into buying pharmaceuticals from a Russian website for $75 or more a bottle, depending on the drug.
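Because the files are only concatenated with a name/length header per entry, recovery is a parsing problem rather than a cryptographic one. The following is an added illustration, not code from the original post or from the malware: the exact Arhiveus header layout is not documented here, so the layout below (2-byte name length, name, 4-byte data length, data, all little-endian) is an assumption chosen for the example, and the sample container is constructed inline.

```python
import struct

# ASSUMED container layout for this example (not the documented Arhiveus format):
# for each entry: <H name_len><name bytes><I data_len><data bytes>, little-endian.


def pack_files(files):
    """Build a container in the assumed layout from a {name: bytes} mapping."""
    out = bytearray()
    for name, data in files.items():
        name_b = name.encode("utf-8")
        out += struct.pack("<H", len(name_b)) + name_b
        out += struct.pack("<I", len(data)) + data
    return bytes(out)


def unpack_files(blob):
    """Carve the original files back out of the container.

    No key material is needed because the contents were never encrypted,
    only concatenated. Length fields are bounds-checked so a truncated or
    tampered container raises instead of silently returning partial data.
    """
    files = {}
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated name-length field at offset %d" % pos)
        (nlen,) = struct.unpack_from("<H", blob, pos)
        pos += 2
        if pos + nlen > len(blob):
            raise ValueError("truncated name at offset %d" % pos)
        name = blob[pos:pos + nlen].decode("utf-8")
        pos += nlen
        if pos + 4 > len(blob):
            raise ValueError("truncated data-length field for %r" % name)
        (dlen,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        if pos + dlen > len(blob):
            raise ValueError("%r claims %d bytes, only %d remain" % (name, dlen, len(blob) - pos))
        files[name] = blob[pos:pos + dlen]
        pos += dlen
    return files


# Constructed sample container standing in for EncryptedFiles.als.
SAMPLE = pack_files({"report.doc": b"quarterly numbers", "photo.jpg": b"\xff\xd8\xff\xe0 not a real jpeg"})
```

Running `unpack_files(SAMPLE)` returns the two original files byte-for-byte; cutting the container short makes it raise rather than return a corrupt recovery.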

Presumably, the trojan author is an affiliate of the "Pharma Shop" website, and will get a cut of each sale which originated with his/her affiliate ID.

Since Pharma Shop is presumably already operating outside of U.S. jurisdiction, and is also apparently involved in spam as well as dispensing controlled substances without a prescription, the owner of the website is unlikely to cooperate with efforts to obtain the identity of the affiliate spreading the trojan.

Even worse, the trojan author suggests that the victim can make money off of the scheme by reselling the drugs, in effect coercing them into becoming an international prescription drug trafficker.

Linked by shanmuga Monday, 8th May 2006 1:30AM