Dec 10, 3:47 am (UTC-7) | by Trend Micro
Yes, it does. And depending on where you are located, it can even speak in your mother tongue.
As discussed in our paper Police Ransomware Update, the people behind police Trojans/ransomware have implemented improvements to make this threat more effective. Gone are the days when ransomware simply showed a message that users’ systems were “captured” and that they had to pay a fee to get them back.
These days, this new breed of ransomware notifies users of the fee (or ransom) under the guise of the victim’s local law enforcement agencies. Thus, a user with a ransomware-infected system from France will get a notification from the Gendarmerie Nationale, while a US-based one will likely receive a message from the FBI.
To up the ante, we received a report that a new police Trojan variant even has a “voice”. Detected as TROJ_REVETON.HM, it locks the infected system, but instead of just showing a message, it now verbally urges users to pay. The user won’t need a translator to understand what the malware is saying – it speaks the language of the country where the victim is located.

From a threat previously limited to Russia, ransomware has now leaped into other European countries, the United States and Canada. Because of the payment methods ransomware employs, specifically electronic cash such as Ukash, PaySafeCard and MoneyPak, the bad guys behind this threat profit from it while leaving only a faint money trail. As such, the gangs profiting from this malware can hide their tracks easily. To know more about ransomware, below are some of the posts we’ve published about this malware:
- Police Ransomware Bears Fake Digital Signature
- New Ransomware Plays Its Victims an Audio File, Over and Over and Over…
- Police Ransomware: How to Get Your Malware Noticed
TROJ_REVETON.HM, unfortunately, is possibly just the tip of the iceberg. It’s not a stretch to say that we can expect further improvements for this malware: possibly a singing ransomware in the near future?
Trend Micro Smart Protection Network protects users from this threat by detecting and deleting ransomware variants if found on the user’s system. As an added precaution, users should refrain from downloading files from unknown URLs or from opening files or links contained in dubious-looking email messages.
With additional insights from Security Evangelist Ivan Macalintal
Update as of December 10, 2012 4:00 PM PST
Further analysis of the malware also reveals that it connects to specific URLs to send and receive information from a remote user. Furthermore, it downloads an encrypted .DLL file and a WAVE file and saves them as %System Root%\Documents And Settings\All Users\Application Data\{reversed filename.pad}. This .PAD file is responsible for locking the screen.
Unlike previous ransomware variants that encrypt files, Reveton locks the machine and informs users about a law violation. During our investigation, older variants were seen to drop only the executable file that locks the screen. However, newer variants like TROJ_REVETON.HM include the wave file responsible for the ‘sound.’
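One way a defender can hunt for the artifact described in the update is to inspect .pad files in the All Users\Application Data folder and flag any whose contents are really a PE image, a RIFF/WAVE file, or near-random (encrypted) data. The following Python is an added example, not Trend Micro's detection logic; the `.pad` file names and the sample contents it writes are constructed for the demonstration, and the entropy threshold is an assumed heuristic.

```python
import math
import os
import tempfile
from collections import Counter
from typing import Dict, Optional

# Hypothetical detection helper (added example, not Trend Micro's code).
# The post reports that TROJ_REVETON.HM writes a downloaded DLL and WAVE file
# under All Users\Application Data as "{reversed filename}.pad". Any .pad file
# there that is a PE image, a WAVE file, or encrypted-looking data is suspicious.

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means random/encrypted data, plain text is usually < 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_pad(data: bytes, entropy_threshold: float = 7.5) -> Optional[str]:
    """Return a reason if the .pad contents look like Reveton's payload, else None."""
    if data[:2] == b"MZ":                                   # DOS/PE header
        return "PE image renamed to .pad"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":       # WAVE audio header
        return "WAVE audio renamed to .pad"
    if len(data) >= 256 and shannon_entropy(data) >= entropy_threshold:
        return "high-entropy (likely encrypted) .pad"       # assumed threshold
    return None

def scan_appdata(appdata_dir: str) -> Dict[str, str]:
    """Walk appdata_dir and map each suspicious *.pad path to the reason it was flagged."""
    hits: Dict[str, str] = {}
    for root, _dirs, files in os.walk(appdata_dir):
        for name in files:
            if not name.lower().endswith(".pad"):
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as f:
                reason = classify_pad(f.read())
            if reason:
                hits[path] = reason
    return hits

def demo() -> Dict[str, str]:
    """Constructed sample directory: a renamed WAVE, an encrypted-looking blob, a benign file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "evaw.pad"), "wb") as f:      # minimal RIFF/WAVE header
        f.write(b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + b"\0" * 24)
    with open(os.path.join(d, "lld.pad"), "wb") as f:       # uniform bytes stand in for the encrypted DLL
        f.write(bytes(range(256)) * 16)
    with open(os.path.join(d, "notes.pad"), "wb") as f:     # benign text with a .pad extension
        f.write(b"just a text file\n" * 20)
    return {os.path.basename(p): r for p, r in scan_appdata(d).items()}
```

Pointing `scan_appdata` at the real Application Data path on a suspect machine lists the flagged .pad files; a hit is a lead for further triage, not proof of infection on its own.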