I may now be able to offer a little more information about the Gaelic ransomware story from last week.
A screenshot here, though not exactly the same as the one described in the Donegal Daily and elsewhere, looks similar enough to be from the same source. (It has a Garda logo rather than an Irish flag, for one thing.) I can’t say definitively that it is, of course, but how many ransomware perpetrators are likely to be ploughing the same furrow? [Insert your own joke about the Rocks of Bawn here] Come to that, I can’t be sure about the content of the screenshot – Gaeilge is not one of my languages, and I don’t have access to automatic translation software that can parse text from a graphic – but to my (mostly) Saxon eye, it looks as if it has similar content to screenshots on the same page in languages that I can read. And just to make it even easier, the scammer had a moment of inattention and re-used some text in French in the Irish scam message. Quel dommage!
While I’m not sure if anyone has sent in a sample of the malware reported in the earlier blog, from Kafeine’s post it looks likely that it will turn out to be another variant of the Urausy trojan, Reveton-like malware that ESET is likely to detect as ‘A variant of Win32/Injector.[something]’. If you Google Urausy, you may find sites that offer you a downloadable cleaner and tell you that AV is unable to detect it. Well, it’s unlikely that AV detects all variants, but I’d suggest being very cautious about downloading utilities that turn up in a Google search unless you know what you’re doing: it’s unlikely that they’re all genuine, especially if they provide misinformation about other security software.
Perhaps I should offer a rough guide to what this type of ransomware looks like, at least in the format highlighted by Kafeine.
The message tells you that your system will be unlocked in 48 hours. It won’t be. I’d suggest that if you do get caught by something like this, your first move should probably be to contact your AV vendor helpdesk.
Hat tips to Kafeine and several other people who directed my attention to the Malware don’t need Coffee post.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow