Threats today are designed to appeal to local audiences everywhere: two separate threats we’ve recently encountered show how ransomware is targeted towards users in specific countries; in these cases users in Turkey and Hungary were the targets.
First, we came across a notification email sent to Turkish users that talks about a billing update. Recipients are prompted to download and view the updated version of the invoice. Upon clicking on the links provided, users are directed to a website which prompts them to enter a CAPTCHA phrase and download the document. It’s also worth noting that any attempt to access the website with a modified link results in a redirect to the official website, in an attempt to avoid user suspicion.
The downloaded file appears to be a PDF file, but a closer look reveals it to be an executable file. Once executed, this malicious file, detected as TROJ_RANSOM.ZD, encrypts files found in the affected system. A pop-up notification appears, instructing the victim to pay for the file decryption. The desktop wallpaper is also modified to display the same message as that of the notification.
Figure 1. Pop-up notification informing users of file encryption
The message informs the victim that a vulnerability in the system was exploited to encrypt the files. The victim has three days to pay for the decryption password. An email address acts as the sole contact detail for the person behind this attack; this address belongs to a Ukrainian free email provider.
It’s worth noting that the message specifically mentions IT administrators – according to the message, the data was encrypted using a technique that will supposedly take a thousand years to decrypt. In addition, to hide its malicious activity, any access to the malicious domain other than through the URLs used in this attack redirects to the legitimate website.
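A download that looks like a PDF but is actually an executable, as described above, can be caught by comparing the file name with the file's leading bytes. The following is an added example, not code from the original post; the post does not say how the file was disguised, so the double-extension, padding and right-to-left-override checks are assumptions about common disguises, and the sample names and bytes are constructed.

```python
import os

PE_MAGIC = b"MZ"       # first bytes of a Windows executable
PDF_MAGIC = b"%PDF-"   # first bytes of a real PDF
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
RLO = "\u202e"         # right-to-left override, visually reverses part of a name


def classify(name, head):
    """Return the reasons a file looks like an executable posing as a document."""
    reasons = []
    stem, ext = os.path.splitext(name.lower().rstrip())
    inner_ext = os.path.splitext(stem.rstrip())[1]  # e.g. ".pdf" in "x.pdf   .exe"
    is_pe = head.startswith(PE_MAGIC)
    if is_pe and ext in DOC_EXTS:
        reasons.append("document extension but PE header")
    if ext in EXEC_EXTS and inner_ext in DOC_EXTS:
        reasons.append("double extension")
    if ext in EXEC_EXTS and "   " in stem:
        reasons.append("whitespace padding before real extension")
    if RLO in name:
        reasons.append("right-to-left override in name")
    if ext == ".pdf" and not is_pe and not head.startswith(PDF_MAGIC):
        reasons.append("pdf extension without %PDF- header")
    return reasons


def scan(directory):
    """Map each suspicious file name in `directory` to its list of reasons."""
    findings = {}
    for entry in os.scandir(directory):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                reasons = classify(entry.name, fh.read(8))
            if reasons:
                findings[entry.name] = reasons
    return findings

# Constructed samples (name, leading bytes); none are taken from the real attack.
SAMPLES = [
    ("fatura.pdf", b"%PDF-1.4"),
    ("fatura.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("fatura.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("fatura.pdf      .exe", b"MZ\x90\x00\x03\x00\x00\x00"),
]
if __name__ == "__main__":
    for sample_name, sample_head in SAMPLES:
        print(repr(sample_name), classify(sample_name, sample_head) or "ok")
```

Pointing `scan()` at a mail gateway's attachment quarantine or a user's download folder gives a quick triage list; a clean result only means none of these specific disguises were used.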
Secondly, we also saw users in Hungary targeted with ransomware. This particular variant is detected as TROJ_RANSOM.HUN and lists the file types that were encrypted, as well as the steps to unlock the file and the amount of the ransom (20,000 forints, or just under 90 US dollars).
Figure 2. Hungarian ransomware
While the attacks may have very similar behavior, our analysis indicates that the malware files themselves are not related. This indicates that multiple cybercrime gangs have “gone local” and are adapting ransomware tactics to their local “markets”; they may have been inspired by the success of CryptoLocker in recent months.
Trend Micro blocks all related threats, emails, and URLs associated with these attacks. We advise users to exercise caution when opening all emails. Since the files cannot be decrypted (aside from perhaps paying the fee), it’s also good practice to constantly back up files in case of instances such as this one. Other safety practices can be found in a previous blog entry. More information about ransomware is provided in a special Threat Encyclopedia page.
Additional analysis and insights by Mark Manahan.