Tag Archives: ransomware

Managed ‘Russian ransomware’ as a service spotted in the wild

Posted on by

By Dancho Danchev

In 2013, you no longer need to posses sophisticated programming skills to manage a ransomware botnet, potentially tricking tens of thousands of gullible users, per day, into initiating a micro-payment to pay the ransom for having their PC locked down. You’ve got managed ransomware services doing it for you.

In this post I’ll profile a recently spotted underground market proposition detailing the success story of a ransomware botnet master that’s been in business for over 4 years, claiming to be earning over five hundred thousands rubles per month.

More details: Continue reading

Novice cybercriminals experiment with DIY ransomware tools

Posted on by

By Dancho Danchev

For years, the DIY (do-it-yourself) trend has been evident across the entire cybercrime ecosystem.

From the early exploits generating DIY tools that set the foundations for the upcoming “malicious economies of scale” trend to emerge, to the ongoing leaks of DIY botnet and malware generating tools that were once only available to advanced attackers, it’s never been easier to enter the world of cybercrime.

In this post, I’ll profile a novice cybercriminal’s approach to entering the profitable world of ransomware.

More details:

Continue reading

Managed Ransomware-as-a-Service spotted in the wild

Posted on by

By Dancho Danchev

Over the past several quarters, we’ve witnessed the rise of the so called Police Ransomware also known as Reveton.

From fully working host lock down tactics, to localization in multiple languages and impersonation of multiple international law enforcement agencies, its authors proved that they have the means and the motivation to continue developing the practice, while earning tens of thousands of fraudulently obtained funds.

What’s driving the growth of Police Ransomware? What’s the current state of this market segment? Just how easy is it to start distributing Police Ransomware and earn fraudulently obtained funds in between?

In this post, I’ll profile a recently advertised DIY (do-it-yourself) managed voucher-based Police Ransomware service exclusively targeting European users, and for the first time ever, offer an inside peek into its command and control interface in order to showcase the degree of automation applied by the cybercriminals behind it.

More details:

Continue reading

Removing Popureb Doesn’t Require a Windows Reinstall

Posted on by

By Marco Giuliani

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Last Wednesday, Microsoft published a blog post detailing a significant update to a piece of malware named Popureb. The malware adds code to the Master Boot Record, or MBR, a region of the hard disk that’s read by the PC during bootup, long before the operating system has had a chance to get started. Researchers sometimes refer to these kinds of malware as bootkits, or a rootkit which loads at such a low level during the boot process that it is invisible to the operating system, and therefore very difficult to remove.

Microsoft researcher Chun Feng detailed some of the new features of Popureb.E, which includes a very low-level hook into the Windows driver responsible for disk writes and reads. When the driver on an infected system detects an attempt to write changes into the MBR — the kinds of changes a repair tool might try to make — it simply changes the command from write to read, effectively neutering any kind of tool running within Windows that might try to fix the infection.

(Update 2011-07-08: We’ve published a free command line tool that can remove Popureb.E from the master boot record of an infected computer.)

Microsoft’s initial cleanup guidance on Popureb.E was pretty drastic, and more than a little scary: Full removal of the bootkit requires a full reinstall of Windows, wiping out anything currently on the hard drive. We don’t think this is the case, and the Microsoft folks seem to have moderated their advice to include some manual fixes using the recovery console.

While the whole concept behind the Trojan is valid and technically powerful, the practical implementation of the malware is not as valid as the idea behind it. What follows is a fairly technical write-up that describes both the problem, and one  solution we’ve come up with.

Continue reading

Ransomware App Asks Victims to Pay a Phone Bill

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Ransomware is nothing new, but a Ukrainian ransomware Trojan that came over the transom last week demonstrated that the concept of “payment” can extend to services other than banking or finance. In this case, the Trojan (which we and several other AV companies call Trojan-Ransom-Krotten) thoroughly locks down the infected system then demands payment—in the form of credit paid to the Ukrainian mobile phone provider Kyivstar, which the victim then has to transfer to the malware distributor’s account.

Yes, Alice, the hacker wants you to pay his cellphone bill.

Once the ransomware has taken hold on a victim’s computer, it locks down the operating system in dozens of different ways, as well as changing several registry keys that add juvenile, profane text to Internet Explorer’s title bar and elsewhere on the desktop and in folders.

Paying the ransom in these cases simply emboldens the malware creator to continue his crime spree. Of course, even once a victim hypothetically pays this ransom, there’s also no guarantee that there’s any way at all for the malware distributor to reverse the damage — which takes the form of significant levels of annoyance — caused by this insipid Trojan.

Fortunately for the victim, the creator of this Trojan isn’t the sharpest tack in the box. Not only were we easily able to tease out the Trojan’s payloads and add signatures which would prevent the Trojan from delivering its payload files to a victim’s computer, but we’re able to see exactly how the author (ineffectively) tries to frustrate the kinds of behavioral analysis we and other antivirus vendors perform.

Continue reading