- Jun 9, 2013
Ransomware authors appear to be reviving an old tactic in a bid to persuade victims to part with their money: a newly discovered strain of malware locks the user's screen but does not encrypt any files.
Cyphort Labs malware researcher, Paul Kimayong, explained in a blog post that the new family of what it generically dubs “Ransom Locker” malware was discovered after his team followed an infection on a porn site.
The infected site redirected visitors to a RIG exploit kit landing page, which delivered the ransomware as a malicious Flash file and an accompanying binary.
The final payload locks the victim's computer and covers the screen with a message purporting to come from the Department of Homeland Security, with the usual warning that the user has viewed illegal content and must pay a fine or face criminal prosecution.
It also includes instructions on how to pay in Bitcoin or with a Vanilla prepaid card (a Visa or MasterCard product).
The researchers weren't able to boot the infected machine into safe mode for further investigation, so they captured a memory image and analyzed it offline instead.
Using VirusTotal they found four similar samples in the wild, dating back to the start of February 2016 and with very low detection rates.
Interestingly, Kimayong and his team found evidence that the malware authors had themselves uploaded builds to VirusTotal to check whether their ransomware was being detected by antivirus heuristics.
“The sample we got is version 0.02a-155. This clearly means it is in the early stage of development,” he wrote.
Full Article. ‘Lock Screen’ Ransomware Makes a Comeback