We have recently seen the emergence of several samples of a ransomware family localized into different languages. Malware that relies on localized social engineering tactics has been around for a few years, as we discussed in our two-part series on Program:Win32/Pameseg, and as evident in the surge of password stealers targeting Brazilian online banking websites. Ransomware, which renders a computer unusable and then demands payment, supposedly to make it usable again, has existed for quite some time as well.
What is remarkable in the cases of ransomware we've seen lately is the effort that the authors have put into creating different versions for every targeted country. We've so far seen variants localized into four languages: English, Spanish, German, and Dutch. The list of imitated institutions is also quite long. It includes:
- The German Federal Police
- GEMA (Germany's performance rights organization)
- The Swiss "Federal Department of Justice and Police"
- The UK "Metropolitan Police"
- The Spanish Police
- The Dutch Police
Figure 1 – Some of the banners used by the ransomware. Note that some of these banners don't exactly match the entities being imitated. For example, the Spanish police is called "Policia Nacional" rather than "La policia Española".
Upon execution, the ransomware locks the computer, displays the localized screen using one of the banners in Figure 1, and demands the payment of a "fine" for the supposed possession of illicit material. In order to make the computer functional again, the user is asked to transfer money via a legitimate online payment service, such as Paysafecard or Ukash, to the supposed authorities. These services are not involved in any way with the scammers' scheme; instead, they are being used for malicious purposes.
A quite interesting fact is that the geographical distribution for most of the samples coincides well with the targeted countries. In the case of Trojan:Win32/Ransom.DU, which is a generic detection for a German-language variant of the ransomware that impersonates the German Federal Police, 91.59% of the samples we received from July to November this year were found in Germany, as we show in Table 1.
Table 1 – Geographical distribution of Trojan:Win32/Ransom.DU, a German-language ransomware variant, from July 2011 to November 2011
During our research we found out that this localized ransomware family can be distributed through drive-by downloads and that the Blackhole Exploit Kit is involved. That doesn't really come as a surprise, since nowadays Blackhole distributes many widespread malware families: Worm:Win32/Gamarue, PWS:Win32/Zbot, Rogue:Win32/Winwebsec, Trojan:Win32/FakeSysdef, PWS:Win32/Sinowal, and others.
The Blackhole exploit kit checks for the presence of several vulnerabilities on the system, as visible in Figure 2. If the user hasn't installed all of the available Microsoft security updates or is using a browser with vulnerable plug-ins, malware may be downloaded and executed automatically, without human intervention. The good news is that no zero-day exploits that we know of are involved, so keeping your software up to date will considerably reduce the likelihood of infection.
Figure 2 – The distribution of Trojan:Win32/Ransom.FL and Trojan:Win32/Lockscreen.BO using the Blackhole exploit kit
Upon execution, all the ransomware versions discussed so far lock the computer, claiming that the authorities have found illegal activity on it. For example, Trojan:Win32/Ransom.FS displays the screen shown in Figure 3, supposedly from the Swiss "Federal Department of Justice and Police":
Figure 3 – Main screen of Trojan:Win32/Ransom.FS
The intimidating message, used to scare people into paying, roughly translates to "Attention! Illegal activity was detected. The operating system was locked for infringement against the laws of Switzerland. Your IP address is <removed>. From this IP address, sites containing pornography, child pornography, bestiality and violence against children were browsed. Your computer also has video files with pornographic content, elements of violence and child pornography. Emails with terrorist background were also spammed. This serves to lock the computer to stop your illegal activities".
It then goes on to ask for a payment of 150 CHF within 24 hours via Paysafecard, or the computer's hard disk contents will supposedly be erased. To appear more legitimate, Trojan:Win32/Ransom.FS queries a legitimate public IP address geolocation service at tools.ip2location.com/ib2 to determine the country and the ISP from which the infected computer is connecting to the Internet.
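Because the geolocation lookup goes to a legitimate public service, it is easy to spot in outbound proxy logs. The following is an added example (not code from the original post or from MMPC) that parses constructed Squid-style access log lines and reports which internal clients requested the tools.ip2location.com/ib2 endpoint named above; the log format and the sample lines are assumptions.

```python
"""Proxy-log check for the ip2location lookup described in the post.

Added example, not from the original MMPC post. Assumes a Squid native
access log (timestamp, elapsed ms, client IP, result/status, bytes,
method, URL, ...); the sample lines below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Endpoint the post says Trojan:Win32/Ransom.FS queries for country/ISP
WATCHED_HOST = "tools.ip2location.com"
WATCHED_PATH = "/ib2"

# Constructed sample log lines (Squid native format, not real telemetry)
SAMPLE_LOG = """\
1322000001.123    45 10.0.0.5 TCP_MISS/200 1834 GET http://tools.ip2location.com/ib2 - DIRECT/1.2.3.4 text/html
1322000002.456   120 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/5.6.7.8 text/html
1322000003.789    40 10.0.0.5 TCP_MISS/200 1834 GET http://tools.ip2location.com/ib2?lang=de - DIRECT/1.2.3.4 text/html
1322000004.000    60 10.0.0.9 TCP_MISS/200 900 GET http://tools.ip2location.com/ - DIRECT/1.2.3.4 text/html
"""

# Capture timestamp, client IP, method and URL; ignore the other fields
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Return a dict with ts/client/method/url, or None if unparseable."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_watched(url):
    """True if the URL is the geolocation endpoint (query string ignored)."""
    parts = urlsplit(url)
    return parts.hostname == WATCHED_HOST and parts.path.rstrip("/") == WATCHED_PATH


def find_suspect_clients(log_text):
    """Map each client IP that hit the watched endpoint to its timestamps."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_watched(rec["url"]):
            hits[rec["client"]].append(float(rec["ts"]))
    return dict(hits)
```

A hit on its own is not proof of infection, since the service is legitimate; treat it as a lead to correlate with lock-screen symptoms on the flagged host.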
Let's go back to the German case. The previously mentioned Trojan:Win32/Ransom.FL asks for payment via Ukash. In this case, the user buys a Ukash voucher from one of its widely available global locations, and in exchange receives a 19-digit PIN. The user then enters the PIN into a form provided by the ransomware, along with the value shown on the Ukash voucher. This is exactly the same as handing your wallet to the bad guys and losing all the cash you have in it. To quote a security tip on the Ukash website: "Ukash works just like cash. Giving your Ukash voucher code to someone you don't know or a merchant that is not approved by Ukash puts you at risk of losing your money."
Similar to bills, Ukash vouchers are only available in certain values, such as 10€, 20€, 50€, 100€ and so on. If you want to pay, say, 15€ and the voucher is worth 20€, a legitimate service will generate and send you a new PIN for the "change", the difference between the payment amount and the voucher value. Of course, the authors of the scam don't bother to do this, so you get no change back.
All the localized versions of the ransomware that we've encountered so far, except for the more recent GEMA case, have a very similar codebase. The HTML front-end has been translated, while the back-end stays almost the same, with the exception of some obfuscation layers. This fact indicates that they were created by the same gang, which has put some effort into designing an easy-to-localize solution. Another difference among samples is the amount of the supposed "fines" requested from victims for each targeted country.
Table 2 – Amount of the supposed "fine" for each targeted country
Lately, we've seen malware authors perfecting old money-making scams. Considering the wide distribution of scams such as this ransomware, it's clear that there's a lot of money at stake. That's why the bad guys invest in making their scams look more convincing to the unsuspecting user. This includes adapting social engineering techniques to the specifics of various countries and pretending to be the local authorities. Another point to remember is that a lot of malware is distributed nowadays through exploit kits such as Blackhole. Make sure you install all the relevant Microsoft security updates and that your browser and browser plug-ins are up to date to mitigate the risk of drive-by downloads. Instructions on how to update commonly used software can be found here. Manual removal instructions for each of the discussed threats can be found in the MMPC malware encyclopedia entry for that particular threat (click on any of the links below to go straight to the entry).
Samples discussed in this post:
- Trojan:Win32/Ransom.DU – 01b3718bc1dca17770cd2fc8a7e1f445c8a78773
- Trojan:Win32/Ransom.FS – f9e0f996b45b813d306597939bceac33737469bf
- Trojan:Win32/Ransom.FL – cbc346bcbb5dd921d0ed9c486e571a6603ea5ddc
- Trojan:Win32/Lockscreen.BO – 1acaa119143bad6b3efc09c8ac5086b3bbcc0f1d
PS: Just today we encountered a sample targeting residents of France. It poses as a warning from the "Gendarmerie nationale" and demands the payment of 200€. It's also detected as Trojan:Win32/Ransom.FL (SHA-1 21007c5c048f4763750b912b5c89da54a86d34f2).
Figure 5 – The banner used by a recent sample that targets residents of France
-Horea Coroiu, MMPC