Ransomware pretending to be law enforcement

Ransomware usually locks the user’s computer and demands money for it to be released. The current campaign locks the computer and displays a message purporting to come from a national law enforcement agency. It suggests that the user’s computer has been found visiting various illegal and unsavory websites, accuses the user of distributing terrorist material, and suggests that illegal material is stored on the computer.

To unlock the computer, the victim is told to pay a ‘fine’ of £100 or €100. An additional direct threat is that if the user fails to pay, the ‘program will remove illegal materials while keeping your personal information is not guaranteed’ (the malware’s own wording). Since users have become accustomed to the idea that law enforcement agencies are increasingly proactive in policing the internet, the fear element makes the threat just plausible enough. Even a user who is confident of having done nothing wrong faces the possibility that the program might ‘accidentally’ destroy the legitimate content of the computer, and this is used as an additional lever.

One of the new developments in this campaign is the degree of localization. It is largely a European campaign that delivers the threat in the victim’s own language (English, Spanish, German, Dutch and others) and presents it as coming from the local law enforcement agency (the Metropolitan Police in English, the Bundespolizei in German, the Politie in Dutch). PandaLabs has discovered a new variant in Spanish.

The campaign spreads the malware by drive-by download, using a combination of the Cutwail botnet and the Blackhole exploit kit. The botnet sends spam containing a link to a compromised web page. That page redirects the visitor to a malicious site hosting Blackhole. The exploit kit then probes the visitor’s browser and its plugins for one of a variety of unpatched vulnerabilities and, if it finds one, installs the ransomware trojan.
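The infection chain above (spam link, compromised page, redirect to the exploit kit, exploit object, dropped executable) leaves a recognisable trail in web proxy logs. The script below is an added example, not code from PandaLabs or from the article: it reconstructs Referer chains per client and flags an executable download whose chain crosses hosts and whose landing host served an exploit-type object (PDF, Java archive, Flash) shortly before. The log format, the hostnames and every log line are constructed for the example; the content-type lists are assumptions about what an exploit kit typically serves, not something the article states.

```python
"""Reconstruct drive-by-download chains from web proxy logs.

Added example for this article, not PandaLabs' or the magazine's code.
The log lines below are constructed, not real traffic. Fields:
timestamp, client IP, requested URL, HTTP status, Content-Type, Referer
('-' when the browser sent none).
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Assumed: content types an exploit kit serves to trigger a plugin bug.
EXPLOIT_TYPES = {
    "application/pdf",
    "application/java-archive",
    "application/x-shockwave-flash",
}
# Assumed: content types under which a dropped executable is fetched.
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}

# Constructed sample: client 10.0.0.5 follows a spam link from webmail to a
# compromised blog, is redirected to an exploit-kit landing page, receives a
# PDF exploit and then the payload. Client 10.0.0.9 is a benign download.
SAMPLE_LOG = """\
2012-04-10T09:12:01 10.0.0.5 http://mail.example.net/inbox 200 text/html -
2012-04-10T09:12:07 10.0.0.5 http://compromised-blog.example.org/news.html 200 text/html http://mail.example.net/inbox
2012-04-10T09:12:08 10.0.0.5 http://landing.example.com/main.php?page=1 200 text/html http://compromised-blog.example.org/news.html
2012-04-10T09:12:09 10.0.0.5 http://landing.example.com/pdf.php?id=3 200 application/pdf http://landing.example.com/main.php?page=1
2012-04-10T09:12:11 10.0.0.5 http://landing.example.com/w.php?f=1 200 application/octet-stream http://landing.example.com/main.php?page=1
2012-04-10T09:15:00 10.0.0.9 http://news.example.com/ 200 text/html -
2012-04-10T09:15:04 10.0.0.9 http://downloads.example.com/setup.exe 200 application/octet-stream http://news.example.com/
"""


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, status, ctype, referer = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "url": url,
            "status": int(status),
            "ctype": ctype,
            "referer": referer,
        })
    return records


def referer_chain(reqs, i):
    """Walk Referer headers backwards from reqs[i] through earlier requests
    by the same client. Returns the chain oldest-first."""
    chain = [reqs[i]]
    while chain[-1]["referer"] != "-":
        target = chain[-1]["referer"]
        parent = None
        for j in range(i - 1, -1, -1):
            if reqs[j]["url"] == target:
                parent = j
                break
        if parent is None:
            break
        chain.append(reqs[parent])
        i = parent
    chain.reverse()
    return chain


def find_driveby_chains(text, window_seconds=120):
    """Flag executable downloads whose Referer chain crosses at least two
    hosts and whose landing host served an exploit-type object within
    `window_seconds` before the payload. Returns the flagged chains as
    lists of URLs, oldest request first."""
    by_client = defaultdict(list)
    for rec in parse_log(text):
        by_client[rec["client"]].append(rec)

    hits = []
    for reqs in by_client.values():
        for i, rec in enumerate(reqs):
            if rec["ctype"] not in PAYLOAD_TYPES:
                continue
            chain = referer_chain(reqs, i)
            hosts = {urlsplit(r["url"]).hostname for r in chain}
            landing_host = urlsplit(rec["url"]).hostname
            exploit_seen = any(
                r["ctype"] in EXPLOIT_TYPES
                and urlsplit(r["url"]).hostname == landing_host
                and 0 <= (rec["ts"] - r["ts"]).total_seconds() <= window_seconds
                for r in reqs[:i]
            )
            if len(hosts) >= 2 and exploit_seen:
                hits.append([r["url"] for r in chain])
    return hits


if __name__ == "__main__":
    for chain in find_driveby_chains(SAMPLE_LOG):
        print(" -> ".join(chain))
```

On the sample, only the 10.0.0.5 chain is flagged; the benign installer download by 10.0.0.9 has no preceding exploit-type fetch from its host and is ignored. This is a heuristic: browsers and privacy proxies may strip Referer, which breaks the chain, and a kit can serve its exploit or payload under a misleading Content-Type, so treat a hit as a lead for triage rather than a verdict.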

Luis Corrons, the technical director of PandaLabs, suggests that if infected, users should “restart the computer in safe mode and run a scan with an antivirus solution that is able to detect it.”
