
Types of ransomware targeting mobile devices

1. Pletor

Pletor is believed to be the first strain of ransomware to target mobile users. It was first discovered a couple of years ago and is a cryptoblocker that encrypts files stored on SD cards. Within a month of its discovery, Pletor had already been detected on more than 2,000 devices in 13 countries, primarily overseas.

Since that time, around 30 modifications of Pletor have been discovered that use similar Trojan tactics. The general functionality of these versions doesn't differ all that much.

Once the Trojan is activated, it begins encrypting the contents of the memory on your smartphone or tablet. Depending on the version, the targeted file types vary among the following: .jpeg, .jpg, .png, .bmp, .gif, .pdf, .doc, .docx, .txt, .avi, .mkv, .3gp, .mp4.

In most cases, Pletor is disguised as a fake porn site and uses the media player to activate the code. Recently, it seems that the creators of Pletor have turned their attention elsewhere, and its expansion has nearly ceased.

2. Jaff

Ransomware called Jaff has been spreading at a super fast rate recently. It's being delivered by the Necurs botnet through a malicious email campaign.

People from all over the world started receiving these emails in May 2017. In just the first few hours of the Jaff ransomware campaign, over 13 million emails were discovered.

The malicious emails contain one of the following subject lines:

  • PDF_{four or more digits}
  • Scan_{four or more digits}
  • File_{four or more digits}
  • Copy_{four or more digits}
  • Document_{four or more digits}
  • Receipt to print

The criminals have attached a PDF document to the email that contains an embedded DOCM file with a malicious macro script. If the recipient runs this macro, the ransomware is executed and files on the victim's gadget are encrypted. Impacted files are renamed and end with .jaff.

A ransom note will then appear on your gadget. It looks like this:

Image: Example of Jaff ransomware note (Source: Forcepoint)

The victim is instructed to install the Tor Browser and go to a link on the Dark Web. There, the victim will find instructions on how to pay the ransom to receive a private key that will allow them to decrypt the files.

The criminals behind this attack are asking for a hefty ransom. The demand to decrypt the victim's files is 1.79 Bitcoins, which is about $3,300. This is much larger than a normal ransom demand, so you definitely want to avoid it.
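The subject lines and the PDF-with-embedded-DOCM attachment described above can be turned into a mail-filter check. The following is an added example, not code from the article or from any vendor; the function names, the byte-marker heuristic and the sample messages are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage

# Subject lines from the article: five prefixes followed by four or more
# digits, or the fixed string "Receipt to print".
SUBJECT_RE = re.compile(r"(?:PDF|Scan|File|Copy|Document)_\d{4,}|Receipt to print")

def pdf_embeds_file(data: bytes) -> bool:
    # Heuristic (assumption): finds an uncompressed /EmbeddedFile marker only;
    # markers in compressed object streams need a full PDF parser.
    return data.startswith(b"%PDF-") and b"/EmbeddedFile" in data

def jaff_indicators(msg: EmailMessage) -> list:
    """Return which delivery traits described in the article a message shows."""
    hits = []
    if SUBJECT_RE.fullmatch((msg["Subject"] or "").strip()):
        hits.append("subject")
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        data = part.get_content()  # decoded attachment bytes
        if pdf_embeds_file(data):
            hits.append("pdf-embedded-file")
            if re.search(rb"\.docm\b", data, re.IGNORECASE):
                hits.append("docm-name")
    return hits

def should_quarantine(msg: EmailMessage) -> bool:
    # Require both traits so a matching subject alone does not block mail.
    hits = jaff_indicators(msg)
    return "subject" in hits and "pdf-embedded-file" in hits

def build(subject: str, pdf: bytes) -> EmailMessage:
    # Constructed sample message (not real campaign mail).
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("See attachment.")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="s.pdf")
    return msg

# Constructed PDF skeletons: one plain, one declaring an embedded .docm.
PLAIN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
EMBED_PDF = (b"%PDF-1.5\n1 0 obj << /Type /Filespec /F (AB12CD.docm) >> endobj\n"
             b"2 0 obj << /Type /EmbeddedFile >> stream\nx\nendstream endobj\n%%EOF\n")

if __name__ == "__main__":
    for s, p in [("Scan_48213", EMBED_PDF), ("PDF_123", PLAIN_PDF)]:
        print(s, jaff_indicators(build(s, p)), should_quarantine(build(s, p)))
```

Requiring both the subject match and the embedded-file marker keeps ordinary scanner mail with a plain PDF out of quarantine.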

Continue reading for ways to protect your gadget from ransomware.
