NEWS FROM THE LAB - Wednesday, April 4, 2012

Police Themed Ransomware Continues Posted by SecResearch @ 12:24 GMT

Over the last several weeks, we've been monitoring a rash of ransomware campaigns across Europe, in which messages, supposedly from the local police, are displayed demanding that a fine must be paid in order to unlock the computer. We wrote about a Finnish language variant last month. Attacks are still quite active according to our statistics.

Police warning

Even when somebody is savvy enough to recognize the message is a fake, the malware's accusations of offensive materials having been discovered on the user's hard drive create a chilling effect, which has likely prevented some folks from seeking outside help.

Here's a screenshot we took earlier today using a recent variant:


To unlock their computer, the user is asked to purchase a Paysafecard from a local convenience store chain (in Finland, it's R-Kioski) in the amount of 100 euros. The technique is effective, as even non-technical people who might not be able to use online payment services such as Webmoney or eGold will be able to walk to the nearest store to part with their money.

In this particular case, the e-mail address talletus@cybercrime.gov shown in the screenshot does not belong to the attackers. The domain cybercrime.gov is valid and belongs to the US Department of Justice.

For this variant (SHA1: e6e330614c46939b144cff9bd627ba098dce9873), the easiest way to manually disable it is as follows:

1 – Press Ctrl-O (that's the letter O, not the number zero).
2 – Select "Browse", go to c:\windows\system32 and open cmd.exe.
3 – Type "explorer.exe" into the newly opened window. You should now be able to use the desktop again.
4 – Browse to your Startup folder. The path will vary depending on the language settings and Windows version. The screenshot below shows the path on the English version of Windows XP. You will also have to replace "Administrator" with your user name in the path (unless you're already using the Administrator account, but let's not get started on that…).


5 – Delete any entries you don't recognize. The names of the malicious entries may be different from the ones shown in the screenshot. If you are unsure, you can remove all entries, at the risk of preventing other legitimate applications from starting automatically.
6 – Reboot the computer.

After this the threat is disabled but malicious files still remain on the computer. Scanning the computer with an antivirus product is highly recommended.
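Step 4 above depends on knowing the Startup folder path for your language and Windows version. The following PowerShell script is an added example, not code from the F-Secure post, that resolves the per-user and all-users Startup folders through the Windows shell-folder API instead of a hard-coded path, lists every entry with the SHA1 of the file it actually launches, and flags any entry whose hash matches the variant named in the post. With the `-Quarantine` switch it moves flagged entries into a folder under the user profile rather than deleting them, so a wrong guess can be undone. It assumes Windows PowerShell 4.0 or later (`Get-FileHash` does not exist on the Windows XP-era PowerShell 2.0 shown in the screenshots); the quarantine folder name is an assumption.

```powershell
# Added example (not from the F-Secure post). Enumerates Startup folder entries,
# hashes their targets and flags the SHA1 quoted in the post.
# Assumes Windows PowerShell 4.0+ for Get-FileHash and Get-ChildItem -File.
param(
    [switch]$Quarantine   # move flagged entries instead of only reporting them
)

# SHA1 of the variant described in the post (the only hash the post gives)
$KnownBadSha1 = @('e6e330614c46939b144cff9bd627ba098dce9873')

# Assumed quarantine location; any writable folder outside Startup will do
$QuarantineDir = Join-Path $env:USERPROFILE 'startup-quarantine'

# Resolve both Startup folders from the shell, so the path is correct for any
# language or Windows version without editing it by hand.
$startupFolders = @(
    [Environment]::GetFolderPath([Environment+SpecialFolder]::Startup),
    [Environment]::GetFolderPath([Environment+SpecialFolder]::CommonStartup)
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$shell = New-Object -ComObject WScript.Shell

foreach ($folder in $startupFolders) {
    Write-Host "== $folder"
    $entries = Get-ChildItem -LiteralPath $folder -File -Force | ForEach-Object {
        $target = $_.FullName
        # A .lnk only points at the real program; hash the target, not the shortcut
        if ($_.Extension -ieq '.lnk') {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
        }
        $sha1 = if ($target -and (Test-Path -LiteralPath $target)) {
            (Get-FileHash -Algorithm SHA1 -LiteralPath $target).Hash.ToLower()
        } else {
            '(target missing)'
        }
        [PSCustomObject]@{
            Entry  = $_.Name
            Target = $target
            SHA1   = $sha1
            Flag   = if ($KnownBadSha1 -contains $sha1) { 'KNOWN-BAD' } else { '' }
            Path   = $_.FullName
        }
    }
    $entries | Format-Table Entry, Target, SHA1, Flag -AutoSize

    if ($Quarantine) {
        $flagged = $entries | Where-Object { $_.Flag -eq 'KNOWN-BAD' }
        if ($flagged) {
            New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
            foreach ($e in $flagged) {
                # Move rather than delete, so a legitimate entry can be put back
                Move-Item -LiteralPath $e.Path -Destination $QuarantineDir -Force
                Write-Host "Moved $($e.Entry) to $QuarantineDir"
            }
        }
    }
}
```

Run it first without `-Quarantine` to review the listing; entries that are not flagged but that you still do not recognize are the ones step 5 asks you to judge by hand, and the Target and SHA1 columns give you something concrete to look up before deciding. As the post notes, removing the Startup entry only stops the lock screen from returning; the dropped files are still on disk until an antivirus scan removes them.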

The steps may vary slightly depending on the variant. CERT-FI has published removal instructions for a different variant with slightly different steps, and Microsoft provides information in their description.

Updated to add on April 5th: Our description for Trojan:W32/Reveton includes removal instructions.


Security Response Post by — Antti and Karmina