Our recent Web Threat Spotlight article discussed TROJ_RANSOM.QOWA—an SMS ransomware that targets Russian users. It asks for a ransom by instructing victims to dial a premium-rate number in order to restore access to their systems. The malware was reportedly deployed through pornographic sites and has, in fact, been downloaded more than 137,000 times in December 2010 alone.
We recently encountered some newly created domains that were used to serve ransomware with characteristics quite consistent with the previously reported attack. Its social engineering lure was similar to previously reported attacks—using pornography and targeting Russian users.
The malware detected as TROJ_RANSOM.JM came in the guise of a video player. After clicking the Play button, however, the user is prompted to download a file to show agreement to the site’s rules, which are not even actually visible to the user.
Clicking the Cancel button is useless, as this only displays an alert in Russian saying, “You must agree to the rules,” and still continues the download of the malicious file. Upon execution, the malicious file displays a warning saying that the system will shut down in 5 seconds.
Once the system is restarted, the user will notice that some of his system’s features have been disabled, along with the following banner splashed on his screen.
The text contains a warning that the user has visited sites containing child pornography. If the user wants to remove the warning banner, he should pay Rub 450 (about US$15) by entering the amount into a payment terminal (commonplace in Russia).
Whether or not the user pays, however, their files are actually intact, as the malware does not actually perform any encryption operation. Paying the creators of ransomware is generally a bad idea, as this only encourages them with rewards for their criminal efforts. In this particular attack, the user can get access to his data by restarting his system in Safe Mode, more details on which can be found in the Threat Encyclopedia entry for TROJ_RANSOM.JM.