Ransomware Hits U.S., Canada

Wednesday, May 16, 2012 @ 04:05 PM gHale


A ransomware application that locks computers and asks their owners to pay fines for “violating several laws” through their online activity is targeting U.S. and Canadian users, said malware experts from security firm Trend Micro.

This particular ransomware — malware that disables system functionality and asks for money to restore it – is the “Police Trojan,” because it displays rogue messages claiming to originate from law enforcement agencies, said Trend Micro researchers.

RELATED STORIES
New Ransomware Gets Tough
New Ransomware Hits Cyber Street
Ransomware Thriving, Taking Control
Malware Alert: A Scareware, Ransomware Blend

The “Police Trojan” appeared in 2011 and originally targeted users from several countries in Western Europe, including Germany, Spain, France, Austria, Belgium, Italy and the U.K.

The rogue message displayed after locking down a victim’s computer is in the victim’s language and claims to be from a national law enforcement agency from the victim’s country.

The owners of the locked-down computers get a line saying their IP addresses were a part of illegal activities and they need to pay a fine using prepaid cards like Ukash or Paysafecard. The malware’s authors prefer these payment services because you cannot reverse the transactions and they are hard to trace.

When investigating new command and control (C&C) servers used by this malware, Trend Micro researchers discovered message templates designed for U.S. and Canadian users. This suggests the malware’s scope extended to these two countries.

“Not only has the list of countries increased but also their targets are now more specific,” said Trend Micro senior threat researcher David Sancho. “For instance, UKash vouchers are not available in the U.S., thus the U.S. fake police notification that spoofs the Computer Crime & Intellectual Property Section of the U.S. Department of Justice, only mentions PaySafeCard as the accepted payment method.”

The rogue messages displayed to U.S. users read: “This operating system is locked due to the violation of the federal laws of the United States of America! Following violations were detected: Your IP address was used to visit websites containing pornography, child pornography, zoophilia and child abuse. Your computer also contains video files, elements of violence and child pornography! Spam messages with terrorist motives were also sent from your computer. This computer lock is aimed to stop your illegal activity.”

The user must pay a $100 fine through Paysafecard and the message comes with the logos of several supermarkets and chain stores where you can purchase Paysafecard vouchers.

The Trend Micro researchers have found clues that suggest a link between this “Police Trojan” and Gamarue, a piece of information stealing malware distributed through drive-by download attacks launched from infected websites and spam emails.



Leave a Reply

You must be logged in to post a comment.