Tweet

Ransomware has become major concern among users, particularly those variants that mimic law enforcement agencies like the FBI (known as police ransomware). Certain features have also been incorporated into the threat recently, such as an audio file and just now, fake digital certificates.

We encountered two samples bearing the same fake digital signature, which Trend Micro detects as TROJ_RANSOM.DDR. According to senior threat researcher David Sancho, the digital signature’s name and its issuing provider are very suspicious. Sancho believes that the fake signature’s sole purpose is likely to elude digisig checks.

Users may encounter these files by visiting malicious sites or sites exploiting a Java vulnerability.

Once executed, TROJ_RANSOM.DDR holds the system “captive” and prevents users from accessing it. It then displays a warning message to scare its victims into paying a fee. To intimidate users further, this warning message often spoofs law enforcement agencies like the FBI, often claiming that they caught users doing something illegal (or naughty) over the Internet.

Based on our analysis, the two samples we found impersonate two different law enforcement agencies. The first sample mimics the FBI, while the second one displays a warning message purportedly from the UK’s Police Central e-Crime Unit.

First seen in Russia in 2005, ransomware has since spread to other European countries and eventually, to the United States and Canada. These variants are known to extort money by taking control of systems and taunting users to pay for a fee (or “ransom”) thru selected payment methods.

The most recent wave of these variants were found capable of tracking victim’s geographic locations. This tracking enables the attackers to craft variants that impersonate the victim’s local police/law enforcement agencies while holding their entire systems captive.

Software vendors include digital signatures as a way for users to verify software/program legitimacy. But cybercriminals may incorporate expired or fake digital sigs or certificates into the malware to hoodwink users into executing it. Just last October, Adobe warned users of malicious utilities carrying Adobe-issued certificates. Certain targeted attacks like the notorious FLAME was also found to use malicious file components bearing certificates issued by Microsoft.

Trend Micro Smart Protection Network™ protects users from this threat by detecting and deleting ransomware variants, including TROJ_RANSOM.DDR. To prevent this threat, users are advised to be cautious when visiting unknown websites and avoid clicking links from dubious sources.

To know more about the latest on police ransomware, you may read the report Police Ransomware Update.

With additional inputs from Diana Lopera

Update as of Nov. 23, 2012 3:24 AM PST

TROJ_RANSOM.DDR has been renamed to TROJ_RANSOM.SMJA.