The perpetrators behind the police ransomware are no longer just using the reputation of law enforcement to build credibility for their schemes — they’re using those of security vendors as well.
We’ve spotted a police ransomware variant that tells of a supposed “treaty” between law enforcement and antivirus vendors. It even displays the icons of these security vendors to appear legitimate. Trend Micro detects this new ransomware variant as TROJ_REVETON.IT.
According to our findings, the .DLL file in the malware variant contains a lock screen image bearing the logos of various antivirus companies such as Trend Micro, Symantec, McAfee, Sophos, and Microsoft, among others. The text goes on to say, “To make the work of the Police more effective, on December 04, 2012 the International Treaty was signed between the companies who developes anti-virus software for identification of cyber-criminals.” Of course, this is merely a ruse to trick people into believing its legitimacy. Once the malware is executed, it locks the user’s computer and displays a fake message that says “Your computer has been locked. You have broken the law, your actions are illegal and will lead to criminal liability.”
Police ransomware is known for locking systems over a bogus violation of the law that the user supposedly committed. Users are then required to pay a large fine to regain use of their computers. We also observed that the ransomware warning page, or graphical user interface (GUI), tends to change. This is probably done as part of the malware’s social engineering tactic.
As indicated in our research paper, police ransomware is becoming a threat landscape in its own right rather than an isolated malware incident. Stay tuned for more updates regarding this malware.