Ransomware has become a major concern among users, particularly those variants that mimic law enforcement agencies like the FBI (known as police ransomware). Certain features have also been incorporated into the threat recently, such as an audio file and, most recently, fake digital certificates.
We encountered two samples bearing the same fake digital signature, which Trend Micro detects as TROJ_RANSOM.DDR. According to senior threat researcher David Sancho, the digital signature’s name and its issuing provider are very suspicious. Sancho believes that the fake signature’s sole purpose is likely to elude digisig checks.
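For defenders, the practical point is that a signature being present is not the same as a signature that validates. The following PowerShell triage script is an added example, not code from Trend Micro or from the original post. It lists files that carry an Authenticode signature Windows does not accept, along with the signer name and issuer an analyst would want to review. The `$Path` default and the file extensions are assumptions, and the post does not say how the TROJ_RANSOM.DDR signature fails validation.

```powershell
# Added example: report files that carry a signature which does not validate.
# $Path is a hypothetical folder to triage (assumed default: the user's Downloads).
param(
    [string]$Path = "$env:USERPROFILE\Downloads"
)

Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

        # Unsigned files and fully valid signatures are out of scope here; the
        # case of interest is a signature that is present but fails validation.
        if ($null -eq $sig.SignerCertificate -or $sig.Status -eq 'Valid') { return }

        # Rebuild the certificate chain to see why Windows does not trust it.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keeps the check offline
        [void]$chain.Build($sig.SignerCertificate)
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status                      # e.g. NotTrusted, HashMismatch, UnknownError
            Subject     = $sig.SignerCertificate.Subject   # the signer name shown to the user
            Issuer      = $sig.SignerCertificate.Issuer    # the issuing provider
            # Heuristic only: subject equal to issuer suggests a self-signed certificate.
            SelfSigned  = ($sig.SignerCertificate.Subject -eq $sig.SignerCertificate.Issuer)
            ChainErrors = $reasons
            SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-List
```

Any tooling or allowlist that keys on the signer name alone should also require `Status` to be `Valid`, since the subject and issuer strings are chosen by whoever created the certificate.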
Users may encounter these files by visiting malicious sites or sites exploiting a Java vulnerability.
Once executed, TROJ_RANSOM.DDR holds the system “captive” and prevents users from accessing it. It then displays a warning message to scare its victims into paying a fee. To intimidate users further, this warning message often spoofs law enforcement agencies like the FBI and claims that they caught users doing something illegal (or naughty) over the Internet.