Over the last two years we have seen an increase in malware that takes control of an infected machine and holds it hostage, locking the user out until a payment of some form can be extorted. This class of threat is known as 'ransomware'.

Malware writers have used various tactics to intimidate users into paying a ransom in order to regain control of an infected machine. We wrote a blog post last December describing malware extortion tactics, here.

Scare tactics range from displaying fake Windows activation warnings:

Figure 1: Ransom message displayed by Trojan:Win32/Serubsit.A

to other intimidation messages:

Figure 2: Ransom message displayed by Trojan:Win32/Serubsit.A

The most recent of these is a variant we detect as Trojan:Win32/Ransirac.G (SHA1 280bb31602a5dcb3674c7718f947ee0f4e44784f). In this case the infected user is accused of illegally downloading music.

Figure 3: Ransom message displayed by Trojan:Win32/Ransirac.G

The malware writers attempt to lend their creation an air of legitimacy by reusing the style sheets and images of the real organization GEMA (Gesellschaft für musikalische Aufführungs- und mechanische Vervielfältigungsrechte, the German music rights society). The message is a scare tactic only; it is not a genuine notice from GEMA, and the lock screen is simply the malware's own window dressed up in the organization's branding.

To protect against these and similar threats, we recommend running a complete and up-to-date antivirus solution such as Microsoft Security Essentials.

--Raymond Roberts
MMPC-Melbourne