    Author Archive - Trend Micro Advanced Threats Researchers




    Ransomware is a scam that infiltrates your computer and tricks you into believing you have done something wrong. Police ransomware in particular tells users that they must pay a “fine” to their local police before they can use their computer again.

    We have written detailed reports about these attacks in the past, including multiple blog posts as part of our investigations into this ongoing threat.

    Trend Micro threat researchers have been studying this scam throughout 2012 and have collaborated very closely with law enforcement authorities in several European countries, especially in Spain. Today, we are very happy to report that the Spanish Police have put that information to good use: they have just announced at a press conference the arrest of one of the leading members of the cybercriminal gang that produces the ransomware strain known as REVETON.




    The Police Ransomware is not a new threat, but it has been evolving at a tremendous pace. Here we are talking about Trojans that lock victims out of their computer until they pay a “fine” for some supposed offence. To make this convincing, they impersonate local police forces based on the infected user’s regional settings – in other words, they use the victim’s local language and the logos of their country’s police.

    Last October, I published a new paper on the subject that touched less on the technical side of the attack and more on the financial side. When I talk about this topic, people often ask me: how are these Eastern European cybercriminal outfits able to keep using the same fancy payment methods? Can’t we follow the money trail? Well, not really.

    The use of online vouchers as the payment method for the scam has allowed these gangs to completely hide any money trail. This is an intriguing topic in itself, so I recommend checking it out whether you’re a techie or just interested in the evolution of cybercrime. I wrote the paper for Virus Bulletin, held in Dallas last September, although my colleague Loucif Kharouni covered the actual presentation for me. I finally did present it at B-Sides Sao Paulo in October, and you can find a video recording of that talk here. We have previously released a paper on this particular series of attacks, which you can read here.

    If you think this is something interesting and want to know more about it, why don’t you download the paper and give it a read?

     
    Posted in Malware



    Ransomware continuously evolves and updates its social engineering tactics to trick users into paying money to the cybercriminals.

    The samples we’re seeing today not only impersonate the Federal Bureau of Investigation (earlier variants impersonated whichever police authority matched the victim’s location), but on this occasion also use a non-malicious .MP3 file.

    This audio file repeatedly tells users that their system has been blocked because they committed a violation of federal law, and that they must pay US$200 to unlock it. Trend Micro detects this as TROJ_RANSOM.CXB and TROJ_RANSOM.AAF.

    When executed, TROJ_RANSOM.AAF displays the following message:

    It drops the file 1.mp3 into the directory it was run from. It also sends information to and receives information from the following malicious IP addresses (leading octets redacted):

    • {BLOCKED}.{BLOCKED}.156.30
    • {BLOCKED}.{BLOCKED}.229.104
    • {BLOCKED}.{BLOCKED}.44.239
    • {BLOCKED}.{BLOCKED}.165.210

    This attack comes hard on the heels of information published by senior threat researcher Loucif Kharouni on the ransomware variant known as the Police Trojan. That Trojan shows a notification, supposedly from the user’s local police, about a crime they have apparently committed, and locks the system until they pay up.

     
    Posted in Malware



    Recently, I talked at the VB2012 conference in Dallas about one of the recent developments in today’s threat landscape: the increasing prevalence of police ransomware. Earlier, Trend Micro published a white paper discussing this threat, titled The “Police Trojan”.

    The idea behind ransomware is relatively simple: the cybercriminals block users from accessing their own computer until they pay the cybercriminals to unlock it. We first saw this type of threat in Russia in 2005 and 2006.

    More recently, we’ve seen this threat spread to other countries. Using geo-location, users are presented with a notice – supposedly from local police – that they have committed some crime, and to unlock their PC they need to pay a “fine” of some sort.

    As we looked into this threat, we found that it was in some ways similar to the earlier fake antivirus (FAKEAV) threats: multiple gangs produce their own variants, the social engineering is very effective at getting users to pay up, and new versions appear all the time. Affiliate programs are also used to monetize it.

    We found at least two groups of suspects running separate affiliate programs. Each group targets different countries and uses locally available payment schemes. There are also differences in the Trojans themselves.

    One of these groups uses server-side scripts to serve the appropriate images and scripts, depending on the user’s country:

    A second group uses a different technique. Here, the images and scripts are embedded in base64-encoded PHP code. The images and scripts are never downloaded separately, as they might be in the first case.
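    When a panel or landing-page kit of the second kind is recovered, an analyst’s first job is usually to pull the embedded resources back out of the PHP. The following script is an added example written for this page, not code from the post or from any actual kit: it finds base64 literals passed to base64_decode() in PHP source, decodes them, and identifies each blob as a PNG/JPEG/GIF image, plain text (scripts) or opaque binary by its leading bytes. The PHP fragment it runs on is constructed for the example (a 1x1 PNG and a one-line script), and the regex only handles literals written inline, not strings assembled at runtime.

```python
import base64
import binascii
import re

# Constructed sample in the style described above: a PHP page with an image
# and a script embedded as base64 literals. Not taken from any real kit.
SAMPLE_PHP = r"""<?php
$img = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$js  = base64_decode("YWxlcnQoJ2xvY2tlZCcpOw==");
echo "<img src='data:image/png;base64," . base64_encode($img) . "'>";
?>"""

# Leading bytes that identify the image formats such kits usually embed.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Matches base64_decode('...') or base64_decode("...") with an inline literal;
# whitespace inside the literal is tolerated because some kits wrap long lines.
BASE64_LITERAL = re.compile(r"""base64_decode\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")


def classify(blob: bytes) -> str:
    """Label a decoded blob by magic bytes, falling back to text/binary."""
    for magic, kind in MAGIC.items():
        if blob.startswith(magic):
            return kind
    try:
        blob.decode("ascii")
        return "text"          # scripts, HTML fragments, JavaScript
    except UnicodeDecodeError:
        return "binary"        # unknown: worth a closer look


def extract_embedded(php_source: str) -> list[dict]:
    """Return one record per decodable base64 literal found in the source."""
    found = []
    for m in BASE64_LITERAL.finditer(php_source):
        raw = re.sub(r"\s+", "", m.group(2))
        try:
            blob = base64.b64decode(raw, validate=True)
        except (binascii.Error, ValueError):
            continue           # not valid base64; skip rather than guess
        found.append({
            "offset": m.start(),
            "kind": classify(blob),
            "size": len(blob),
            "data": blob,
        })
    return found


if __name__ == "__main__":
    for rec in extract_embedded(SAMPLE_PHP):
        preview = rec["data"][:24]
        print(f"offset={rec['offset']:>5} kind={rec['kind']:<6} size={rec['size']:>5} {preview!r}")
```

    Running it on the constructed sample yields one 70-byte PNG and one 16-byte text blob (a one-line script). Point it at a real kit and the same loop tells you what the page would have shown a victim without ever rendering it; anything classified as binary deserves a look in a hex editor.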

    In cases where the user’s country can’t be determined (or, perhaps, is simply not being targeted by the cybercriminals), a more “conventional” alert, similar to that used in FAKEAV attacks, is displayed.

    How do cybercriminals get their money? Instead of using credit cards, victims are asked to purchase vouchers for electronic cash. Two providers, Ukash and paysafecard, are frequently used by cybercriminals. Both of these services are legitimate; however, the vouchers are like cash in that there is no record of them changing hands.

    What happens is that cybercriminals take the vouchers they have gathered and sell them to various exchange sites, for around 40-50% of the voucher’s face value. The exchanges, in turn, sell these to other users for up to 90% of their value.

    This highlights how cybercriminals are trying out new schemes in order to replace old ones which may have become less effective. New cybercriminal groups arrive on the scene; new business models are created. It is up to the security industry to keep up to protect users.

    For further details about these attacks, you may read the following blog posts:

     



    We released a new research paper describing the activities of another APT campaign, IXESHE (pronounced “i-sushi”).

    One of the most notable characteristics of the IXESHE campaign is the attackers’ use of compromised servers inside target organizations as command-and-control (C&C) servers. This tactic allowed them to hide their presence by blending their activity with the traffic of legitimate users. In one particular case, we saw C&C servers hosted on compromised machines in an East Asian country, which made targeted attacks against that government easier. In another case, an error message we received from a C&C server indicated that the front-end servers were merely acting as proxies for the actual back-end servers.

    Our research also showed that the attackers used dynamic Domain Name System (DNS) services and a broad, worldwide distribution of external C&C servers to make detection and takedowns more difficult.

    The IXESHE campaign has been underway since at least July 2009 when we first saw samples of this particular malware family. Its primary method of entry into user systems is via malicious .PDF files that exploit Adobe Acrobat, Reader, or Flash Player vulnerabilities. These malicious files are sent as attachments to targeted emails sent to potential victims within target organizations.
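    Because the entry vector is a PDF attachment, a cheap first-pass check on incoming attachments is worth having before any sandboxing. The script below is an added example written for this page, not code from the IXESHE paper or the post: it scans a PDF’s raw bytes for the name tokens that let a document run code as soon as it is opened (/OpenAction or /AA paired with /JavaScript, /JS, /Launch or /RichMedia, the last being how Flash content is embedded) and resolves the #xx hex escapes that are sometimes used to hide those names from simple string matching. The sample document is constructed (it only pops an alert), and the name list and severity rules are this example’s own choices, not anything the research specifies.

```python
import re

# Constructed sample, not a real malicious PDF: a minimal document whose
# catalog runs a JavaScript action on open, with the action name hex-escaped
# (/J#61vaScript) the way obfuscated droppers sometimes write it.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Names worth flagging in attachment triage (this example's own list).
RISKY_NAMES = {
    "/OpenAction": "action runs automatically when the file is opened",
    "/AA": "additional-actions dictionary (page open/close triggers)",
    "/JavaScript": "JavaScript action",
    "/JS": "inline JavaScript code",
    "/Launch": "launches an external program or file",
    "/RichMedia": "embedded rich media, typically Flash (SWF)",
    "/EmbeddedFile": "embedded file attachment",
    "/ObjStm": "object streams: dictionaries may be hidden inside compressed streams",
}

# A PDF name token: a slash followed by alphanumerics, possibly with #xx escapes.
NAME_TOKEN = re.compile(rb"/([A-Za-z0-9#]+)")


def decode_name(token: bytes) -> str:
    """Resolve #xx hex escapes so that /J#61vaScript compares equal to /JavaScript."""
    def repl(m):
        return bytes([int(m.group(1), 16)])
    return "/" + re.sub(rb"#([0-9A-Fa-f]{2})", repl, token).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count risky name tokens in raw PDF bytes. Does not inflate streams,
    so content hidden in FlateDecode/ObjStm is only hinted at, not parsed."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "findings": {}, "obfuscated_names": 0}
    findings: dict[str, int] = {}
    obfuscated = 0
    for m in NAME_TOKEN.finditer(data):
        raw = m.group(1)
        if b"#" in raw:
            obfuscated += 1        # hex-escaped name: legitimate but unusual
        name = decode_name(raw)
        if name in RISKY_NAMES:
            findings[name] = findings.get(name, 0) + 1
    return {"is_pdf": True, "findings": findings, "obfuscated_names": obfuscated}


def verdict(report: dict) -> str:
    """Severity rule of this example: auto-trigger plus a payload is 'high'."""
    if not report["is_pdf"]:
        return "not-pdf"
    f = report["findings"]
    auto_trigger = "/OpenAction" in f or "/AA" in f
    payload = any(n in f for n in ("/JavaScript", "/JS", "/Launch", "/RichMedia"))
    if auto_trigger and payload:
        return "high"
    if payload or report["obfuscated_names"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    report = triage_pdf(SAMPLE_PDF)
    print("verdict:", verdict(report))
    for name, count in report["findings"].items():
        print(f"  {name:<14} x{count}  {RISKY_NAMES[name]}")
    print("  hex-escaped names:", report["obfuscated_names"])
```

    The sample scores “high” (an /OpenAction pointing at a /JavaScript action, with one escaped name). Treat this as a filter, not a detector: a document that keeps its dictionaries inside compressed object streams shows nothing here except the /ObjStm token, which is exactly why that token is in the list.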

    In the process of our investigation, we were able to determine that its victims could be broadly classified into three categories:

    • East Asian governments
    • Electronics manufacturers
    • A German telecommunications company

    For further details, please consult the full paper which you can download from the Security Intelligence section of the Trend Micro website.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice