The ransomware application from the php.net hit uses information from the victim’s own user profile to customize the note with some of the victim’s own information embedded in it, ostensibly from the National Security Agency.
“For some time, ransomware gangs (which seem to be based mainly in Russia) have used geolocation of the victim’s IP address to deliver the fake warning with the logo and name of one or more national law enforcement organizations in the victim’s geographic region,” explained Andrew Brandt, director of threat research at Blue Coat, in a blog. “If you’re in the UK, you might have seen one with the logo of Scotland Yard, and a picture of a quintessentially British bobby. Victims in Australia, Germany, or Canada might receive a similar message, but with photos of blue heelers, polente or mounties instead of feds, just to buff up the appearance of legitimacy.”
Emblazoned at the top of this latest “utterly bogus screen,” as Brandt put it, are the logos of the NSA and a related organization, the Central Security Service. But, the novel part of the approach is how the customized warning screen gets delivered to the victim.
As he explained:
The malware, when executed, checks to see whether the computer is online, by visiting either www.google.com, or www.msn.com. Once it established connectivity, it checked its own location using MaxMind, and performs an initial check-in, sending a small amount of data to a server in Ryazan, Russia, southeast of Moscow.
Within a couple of minutes, the malware uploaded a large chunk of encrypted information to a different Web server: xaraworkbook.us. Here’s what that server returned to the infected machine, four seconds later.
Notably, the ransomware screen includes the username of the account under whose credentials the infection took hold. In the case of my testbed, the victim’s name, spike, is embedded in the static image file that came from the xaraworkbook.us Web site.
The ransomware is nothing if not persistent too: In a typical 12-hour period following the initial infection, the ransomware checked in with its command-and-control server 152 times, or about once every five minutes.
For all of that though, the scam is still somewhat off-target in terms of collecting relevant information. “Also notable was the fact that the ransomware notice image contained the operating system version of [32-bit Windows XP], but for all the effort these criminals put forth, their scam still (for me, at least) dipped into the Uncanny Valley: the file paths referenced in the ransomware notice simply don’t exist in Windows XP,” Brandt said. “And the black background, which looks like console output? It references the Mac OS Kernel and BSD processes, neither of which will you find in Windows XP, either.”
He added, “Crime might pay (for some, at least), but it clearly won’t make the criminals any smarter.”