2013-01-08
Abstract
‘The people behind these scams are making significant amounts of money, and they are infecting users all over the world.’ David Jacoby, Kaspersky Lab
Copyright © 2013 Virus Bulletin
Over the last couple of months it has been quite obvious that ransomware is becoming a big problem. A friend who works at a local computer retail/repair shop told me that a lot of customers are coming in with ransomware infections on their machines – particularly the notorious ‘police trojan’.
I recently started to analyse some of the samples, and quickly noticed that far from being a local problem, it is more like a global epidemic. The ransomware problem is also very difficult to fight, because you cannot simply throw technology at it – ransomware both exploits technical weaknesses and uses social engineering to target the weakest link in the security chain.
The malware is pushed out through different exploit kits, taking advantage of security weaknesses in software such as PDF readers, Java, Flash and others. The victim does not have to visit any shady websites to get infected; infection may happen through drive-by downloads, email spam or links shared via social media.
In addition to taking advantage of security weaknesses, the scammers also use redirecting services and traffic exchange platforms, which work hand in hand with the exploit kits. The redirecting services are used to generate as much traffic as possible to the exploit kits.
When the victim visits an infected website, a vulnerability on their computer will be exploited – the payload of the exploit downloads the malware and then executes it. This is pretty straightforward, and most web-based malware is spread this way. The second stage of the ransomware is to exploit or socially engineer the victim. The latest trend is to display a message that appears to come from the police. The trojan will determine the country in which the infected computer is located, and customize the message accordingly.
The message often states that the infected user has committed a felony – for example, downloading pirated software or music, or visiting illegal porn sites – and that their machine has been locked, but that if they pay a small fine (which in fact goes directly into the pockets of the bad guys), they can avoid arrest and their machine will be unlocked.
The people behind these scams are making significant amounts of money, and they are infecting users all over the world. This means that international law enforcement bodies need to work together in order to fight the criminals.
But it gets more complicated because the bad guys are also re-selling the payment vouchers that are used by victims when they make a payment. This means that the person who spends the money might not be the person behind the scam, but simply someone looking for a good deal on various money exchange forums.
To add another layer of complexity, yet more people may be involved in the process: ‘malware consultants’ are recruited from various underground forums to help make the ransomware undetectable – they do this by adding advanced packing and encryption algorithms.
Just a few weeks ago I had the opportunity to meet with law enforcement representatives and other security vendors and researchers to discuss the ransomware issue. At the meeting I was introduced to a website which displays an amazing collection of landing pages for different trojans and different countries. I recommend that you check it out: https://www.botnets.fr/index.php/Police_lock.
There are lots of types of ransomware out there. We must encourage users, friends, family and colleagues to contact their security companies if they fall victim to such a scam – not only to help them remove the ransomware, but also so that we can collect as much information as possible to help us fight this threat.