We have recently seen the emergence of several samples of a ransomware family localized into different languages. Malware that relies on localized social engineering tactics has been around for a few years, as we discussed in our two-part series on Program:Win32/Pameseg, and as evident in the surge of password stealers targeting Brazilian online banking websites. Ransomware, which renders a computer unusable and then demands payment, supposedly to make it usable again, has existed for quite some time as well.

What is remarkable in the cases of ransomware we've seen lately is the effort that the authors have put into creating different versions for every targeted country. We've so far seen variants localized into four languages: English, Spanish, German, and Dutch. The list of imitated institutions is also quite long. It includes:

  • The German Federal Police
  • GEMA (Germany's performance rights organization)
  • The Swiss "Federal Department of Justice and Police"
  • The UK "Metropolitan Police"
  • The Spanish Police
  • The Dutch Police

Figure 1 – Some of the banners used by ransomware. Note that some of these banners don't exactly match the entities being imitated. For example, the Spanish police is called "Policia Nacional" rather than "La policia Española"

Upon execution, the ransomware locks the computer, displays the localized screen using one of the banners in Figure 1, and demands the payment of a "fine" for the supposed possession of illicit material. In order to make the computer functional again, the user is asked to transfer money via a legitimate online payment service, such as Paysafecard or Ukash, to the supposed authorities. These services are not involved in any way with the scammers' scheme; instead, they are being used for malicious purposes.

A quite interesting fact is that the geographical distribution for most of the samples coincides well with the targeted countries. In the case of Trojan:Win32/Ransom.DU, which is a generic detection for a German-language variant of the ransomware that impersonates the German Federal Police, 91.59% of the samples we received from July to November this year were found in Germany, as we show in Table 1.

Table 1 – Geographical distribution of Trojan:Win32/Ransom.DU, a German-language ransomware variant, from July 2011 to November 2011

During our research we found out that this localized ransomware family can be distributed through drive-by downloads and that the Blackhole Exploit Kit is involved. That doesn't really come as a surprise, since nowadays Blackhole distributes many widespread malware families: Worm:Win32/Gamarue, PWS:Win32/Zbot, Rogue:Win32/Winwebsec, Trojan:Win32/FakeSysdef, PWS:Win32/Sinowal, and others.

In Figure 2, we show how the distribution scheme works for Trojan:Win32/Ransom.FL and Trojan:Win32/Lockscreen.BO, which again target German-language speakers. One scenario is that a user visits a legitimate website that has been compromised with malicious JavaScript code. This results in the browser being redirected to a URL in which the exploit kit is hosted. Another possible way one can land on a Blackhole domain is by clicking on a spammed link. We are aware of several spam campaigns that contain links to the exploit kit and we know that some of the spam is generated by the Cutwail botnet.

The Blackhole exploit kit checks for the presence of several vulnerabilities on the system, as visible in Figure 2. If the user hasn't installed all of the available Microsoft security updates or is using a browser with vulnerable plug-ins, malware may be downloaded and executed automatically, without human intervention. The good news is that no zero-day exploits that we know of are involved, so keeping your software up to date will considerably reduce the likelihood of infection.

Figure 2 – The distribution of Trojan:Win32/Ransom.FL and Trojan:Win32/Lockscreen.BO using the Blackhole exploit kit

Upon execution, all the ransomware versions discussed so far lock the computer due to what they say is illegal activity found by the authorities. For example, Trojan:Win32/Ransom.FS displays the screen shown in Figure 3, supposedly from the Swiss "Federal Department of Justice and Police":

Figure 3 – Main screen of Trojan:Win32/Ransom.FS

The intimidating message, used to scare people into paying, roughly translates to "Attention! Illegal activity was detected. The operating system was locked for infringement against the laws of Switzerland. Your IP address is <removed>. From this IP address, sites containing pornography, child pornography, bestiality and violence against children were browsed. Your computer also has video files with pornographic content, elements of violence and child pornography. Emails with terrorist background were also spammed. This serves to lock the computer to stop your illegal activities".

It then goes on to ask for a payment of 150 CHF within 24 hours over Paysafecard, or the computer's hard disk contents will supposedly be erased. To seem more legit, Trojan:Win32/Ransom.FS queries a legitimate public IP address geolocation service at tools.ip2location.com/ib2 to determine the country and the ISP from which the infected computer is connecting to the Internet.

Let's go back to the German case. The previously mentioned Trojan:Win32/Ransom.FL asks for payment via Ukash. In this case, the user buys a Ukash voucher from one of its widely available global locations, and in exchange receives a 19-digit PIN number. The user then enters the PIN number into a form provided by the ransomware, along with the value shown on the Ukash voucher. This is exactly the same as handing your wallet to the bad guys and losing all the cash you have in it. To quote a security tip on the Ukash website "Ukash works just like cash. Giving your Ukash voucher code to someone you don't know or a merchant that is not approved by Ukash puts you at risk of losing your money".

Similar to bills, Ukash vouchers are only available in certain values such as, 10€, 20€, 50€, 100€ and so on. If you want to pay, say, 15€ and the voucher is worth 20€, a legitimate service will generate and send you a new PIN for the "change", the difference between the payment amount and the voucher value. Of course, the authors of the scam don't bother to do this so you get no change back.

The PIN form is actually embedded in an HTML page, rendered by a WebBrowser ActiveX control. Looking at the JavaScript involved in PIN validation in Figure 4, it's clear that the unlock code is posted to a server owned by the perpetrators of the scam, but the HTTP response is just discarded. So even those who pay don't get their computers unlocked. In the unfortunate case that your computer is infected with this malware, don't even consider paying. If you do so, your computer will not get unlocked anyway, so paying does not actually solve your computer problem.

Figure 4 – JavaScript code that processes the Ukash pin

All the localized versions of the ransomware that we've encountered so far, except for the more recent GEMA case, have a very similar codebase. The HTML front-end has been translated, while the back-end stays almost the same, with the exception of some obfuscation layers. This fact indicates that they were created by the same gang, which has put some effort into designing an easy-to-localize solution. Another difference among samples is the amount of the supposed "fines" requested from victims for each targeted country.

Table 2 – Amount of the supposed "fine" for each targeted country

Lately, we've seen malware authors perfecting old money-making scams. Considering the wide distribution of scams such as this ransomware, it's clear that there's a lot of money at stake. That's why the bad guys invest in making their scams look more convincing for the unsuspecting user. This includes adapting social engineering techniques to the specifics of various countries and pretending to be the local authorities. Another point to remember is that a lot of malware is distributed nowadays through exploit kits such as Blackhole. Make sure you install all the relevant Microsoft security updates and that your browser and browser plug-ins are up to date to mitigate the risk of drive-by downloads. Instructions on how to update commonly used software can be found here. And manual removal instructions for each of the discussed threats can be found in the MMPC malware encyclopedia entry for that particular threat (click on any of the links below to go straight to the entry).

Samples discussed in this post:


PS: Just today we encountered a sample targeting residents of France. It poses as a warning from the "Gendarmerie nationale" and demands the payment of 200€. It's also detected as Trojan:Win32/Ransom.FL (SHA-1 21007c5c048f4763750b912b5c89da54a86d34f2).

Figure 5 – The banner used by a recent sample that targets residents of France

-Horea Coroiu, MMPC