Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

'Police ransom' Trojans the work of single Russian gang, Trend finds

Follows leads back to the motherland

Article comments

The wave of ‘police Trojan’ ransomware that has hit PC users across the developed world in the last year is probably the work of a single highly-active Russian cybercrime gang, a forensic analysis by Trend Micro has concluded.

First detected in 2011, there have been numerous police ransom attacks in which infected users are presented with what appears to be a police force splash screen demanding a 100 euro fine for accessing Internet porn or violent material.

A typical example would be last September’s scam in which the criminals impersonated the Metropolitan Police’s Central e-crime Unit (PCeU) with reports of identical attacks manipulating other EU police forces around the same time.

The backdoor and Trojan malware that hits users is not particularly sophisticated beyond the basic technique of locking the user’s PC while disabling Windows processes such as regedit.exe and msconfig.exe and as a way of discouraging manual bypass attempts.

The real innovation lies in the command and control (C&C) infrastructure which is able to localise the attack to a high degree, varying the police threat screens to display different law enforcement organisations depending on the detected country of the victim.

Trend found that the gang had been targeting Germany, the UK, France, Austria, Italy, Belgium, Spain, while so far ignoring all others countries.

Now Trend has connected these attacks to a single organisation after following the evidence trail back to a ‘bulletproof’ Russian hosting provider, Alliance-host.ru, and a string of command and control servers scattered across the US and Europe. The connections to Russia itself were intricate and compelling.

The gang also appeared to have been involved in older campaigns featuring fake antivirus scams, bank keylogging Trojans such as Zeus and Carberp and the formidable TDSS rootkit believed to have formed a botnet several million strong.

Another connection Trend detected was to that the gang could be affiliated to Rove Digital, the Estonian crimeware gang that used the DNSchanger malware to infect millions more PCs before it was disrupted last September.

Cleverly, the gang has also signed up its own affiliates to host the malware that also serve porn, neatly dovetailing with the gang’s aim of frightening infected users for accessing the same material.

“In sum, we are looking at a Russian-speaking cybercriminal gang with a dynamic network infrastructure that probably uses an affiliate network to help spread the ransomware Trojan and infect as many people’s systems as possible,” Trend said.

Only weeks ago, Trend published figures showing how ransomware infections in general have spread from their home territory of Russia to many other countries.

Ransom malware has been around since at least 2006, but only recently has it morphed into a phenomenon causing significant damage, with police Trojans probably at the leading edge of this trend. Historically, these emerged in 2010 from fake antivirus campaigns that mixed persuasion ('you have a virus on your PC') with threats ('you will pay us to remove it').



Share:

More from Techworld

More relevant IT news

Comments

PABO said: Just got a mail message demanding 100 euro supposedly from the Irish Police An Garda It was in the Gaelic language not in English I went in to safe mode on my pc by pressing F8 and luckly the pc restored itself to two days ago and when restored the virus was gone Luck that thsi workedthought someone else out there might find this tip useful



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *