NEWS FROM THE LAB - Friday, March 9, 2012

Finns Targeted By Localized Ransomware Posted by Jarno @ 13:26 GMT

Over the past few days we've received reports of Finns being targeted by ransomware which is localized in Finnish language and claims to be from Finnish police.

The Ransomware in question is part of a family we call Trojan:W32/Ransom and is localized to several European countries: Germany; UK; Spain; and now Finland. In all countries, the social engineering method is the same. Upon infection, the Ransomware expands Internet Explorer to full screen (F11) and displays a message claiming to be from a local police unit claiming that the user's computer has been used in browsing sites containing child and animal abuse. It also claims that it has been used to send e-mail spam on topics related to terrorism, and has thus been locked until a fine is paid.

Image: Poliisi

In this case, the Ransomware claims to be from "Tietoverkkorikosten tutkinnan yksikk�" which translates as information networks crime unit. However, the Finnish police doesn't have a unit with that exact name. Also to be noted is that the quality of Finnish is not very good and the contact address is to cyber-metropolitan-police.co.uk. Further inspection reveals that the cyber-metropolitan-police.co.uk domain is registered to a fake person Mr. �be happy� residing in Gette, Poland. Very credible indeed.

The Finnish ransom message is demanding payment using Paysafecard, which is a disposable prepaid card that can be used for anonymous online transactions. It is sold nationally at kiosks within Finland.

F-Secure Internet Security detects known variants of Trojan:W32/Ransom either by family name or generic detection names, but as always it pays to be careful. Our back end statistic indicate that this is definitely "liikkeell�" (in-the-wild).

The initial infection vector for this trojan has been either a Java runtime exploit or Adobe Acrobat PDF reader exploit, there is no information about fresh (0-day) exploits being used.

So to be safe:

1. Update your Acrobat PDF reader to the latest version, or switch to another PDF reader.
2. Update your Java runtime. Or, if you do not need Java, it is highly advisable to uninstall it. If you do need Java, at least consider disabling it within the browser when not in use. Or, switch to Google Chrome which will ask before Java is executed from unknown sites.

If your computer is ever compromised by Ransomware, do not pay anything to the malware authors. In almost all of the cases paying does not free up your computer anyway. Also remember that neither the Finnish police nor any other Police in the world uses Paysafe, Ucash or any other prepaid billing systems for fines. If any message is demanding your credit card or any other payment method it is most certainly a scam and not legitimate government official.


  •  Finnish Police advisory, 08.03.2012
  •  Finnish Police advisory, 09.03.2012
  •  Cert-FI advisory