Ransomware Part II: not just an Irish problem

I may now able to offer a little more information about the Gaelic ransomware story from last week.

A screenshot here, though not exactly the same as the one described in the Donegal Daily and elsewhere, looks similar enough to be from the same source. (It has a Garda logo rather than an Irish flag, for one thing.) I can’t say definitively that it is, of course, but how many ransomware perpetrators are likely to be ploughing the same furrow? [Insert your own joke about the Rocks of Bawn here] Come to that, I can’t be sure about the content of the screenshot – Gaeilge is not one of my languages, and I don’t have access to automatic translation software than can parse text from a graphic – but to my (mostly) Saxon eye, it looks as if it has similar content to screenshots on the same page in languages that I can read. And just to make it even easier, the scammer had a moment of inattention and re-used some text in French in the Irish scam message. Quelle dommage!

While I’m not sure if anyone has sent in a sample of the malware reported in the earlier blog, from Kafeine’s post it looks likely that   it will turn out to be another variant of the Urausy trojan, Reveton-like malware that ESET is likely to detect as ‘A variant of Win32/Injector.[something]. If you Google Urausy, you may find sites that offer you a downloaded cleaner and tell you that AV is unable to detect it. Well, it’s unlikely that AV detects all variants, but I’d suggest being very cautious about downloading utilities that turn up in a Google search unless you know what you’re doing: it’s unlikely that they’re all genuine, especially if they provide misinformation about other security software.

Perhaps I should offer a rough guide to what this type of ransomware looks like, at least in the format highlighted by Kafeine.

• It looks pretty official, though to a native speaker of the language concerned it may be obvious that it’s been translated automatically.
• It may suggest that you’ve broken laws within the targeted jurisdiction (the US of course, the UK,   and a surprising range of other European countries: yes, I’m aware that the US isn’t in Europe…): these laws are claimed to pertain to copyright infringement, pornography (including paedophiliac and bestiality content), and letting your computer broadcast malware – thus putting you in breach of a law requiring you to protect your PC properly. While there may be such laws – certainly as regards pornography and copyright – in the region in which you live, the details of the local penal code and penalties that might be incurred are not related to real legislation. They’re merely intended to frighten.
• In order to avoid greater punishment, you’re required to pay a fine of 100 dollars/Euros/Swiss Francs etc. within 72 hours – this is a common scam technique, designed to panic you into action without giving you time to think.
• You are required to pay using Ukash, Moneypak, or paysafecard: it’s really not very credible that a police or judicial agency would require you to use one of these prepay cash transfer methods, which are all too easy to misuse for criminal purposes (as you’ll be aware if you’ve read some of the blogs from my colleagues in Russia).

The message tells you that your system will be unlocked in 48 hours. It won’t be. I’d suggest that if you do get caught by something like this, your first move should probably be to contact your AV vendor helpdesk.

Hat tips to Kafeine and several other people who directed my attention to the Malware don’t need Coffee post.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow