“Police ransomware” is big business, generating millions of euros for organized criminal groups. In May, at Europol’s headquarters in The Hague, police officers from 14 EU member states affected by this threat met with representatives from Europol, Eurojust, Interpol, and industry. Police ransomware, as explained on the Europol website, typically appears as a pop-up window, claims to come from a law enforcement agency, and accuses the user of visiting illegal websites. The screen freezes with a message that says the system will be unlocked only after payment of a fine, by Ukash, Paysafe, Toneo, or MoneyPak. Demands are very often specific to the country of the victim, pretending to be issued by local law enforcement agencies and written in the local language.
The recent Threats Report from McAfee Labs shows an impressive increase in this field, with police ransomware the main culprit:
Several posts around the Net describe some of these malware. I’ll summarize the most common, with help from the botnets.fr wiki, created and maintained in France by various malware researchers. This wiki is a great tool for understanding botnets and ransomware, and contains data, screenshots, and MD5s related to these threats.
- ACCDFISA — Dacromf: Appeared in February, mostly in the United States. It targets Microsoft Windows Terminal Server Edition. ACCDFISA is the acronym for an imaginary security department: the “Anti Cyber Crime Department of Federal Internet Security Agency.”
- Americana Dreams — VirTool:Win32/Injector.DA: A ransomware using MoneyPak (August)
- Gimemo: First variants in May 2010. At that time the malware asked users in Russia to dial surcharged cell phone numbers to unblock their PCs. In March 2012, it started using Paysafe and claimed to act as a society of authors and music publishers (SUISA for Switzerland, GVU for Germany, AKM for Austria, PRS for the United Kingdom, SACEM for France, etc.).
- HmBlocker: First variants appeared in 2010
- Madlerax: Appeared in September
- Malex — FBI PC lock: Appeared in August
- PornoBlocker: Appeared in 2009. It asks users in Russia to replenish Beeline cell phone numbers to unblock their PCs. In March 2011, a PornoBlocker version was disguised as the German Federal Police.
- Ransirac — GEMA ransomware: First variant in February. It claims to arrive from GEMA (Gesellschaft für musikalische Aufführungs), an authorized German collecting society for musical performing and mechanical reproduction rights.
- Ransom.II — CELAS, FBI ransomware: Appeared in June. It spread in the United States, and uses the Ultimage Game Card payment system (August). In its first variants, the malware claims to be CELAS, a German company representing a certain part of EMI Music Publishing, or the FBI.
- Reveton/Rannoh/Matsnu: The first Reveton variant appeared in November 2011. Some are now known as Matsnu (since January) and Rannoh (since April). The last Reveton variants include a camera feature.
- Silence Locker — Trojan.Ransomlock.K: A crimeware kit (builder and control panel) offered on the underground market beginning in February
- Supern0va: Appeared in April. It uses a control panel.
- Tobfy: Appeared in June. Tobfy includes a camera feature. Its default landing page tries to mimic Interpol.
- ULocker: Another ransomware tool. Offered on a private carding board in July. Ransomware made with this tool claims to have arrived from the International Police Association.
- Urausy: Appeared in July
- Weelsof: Appeared in April
- Win32/LockScreen — Euro Winlocker: The first LockScreen variants appeared in 2009. To regain access to the computer, the user was asked to send an SMS message to a specified telephone number in exchange for a password. Since 2011, many versions have been distributed in Europe.
- Winlock Affiliate: An old affiliate offer. Winlock detections existed before 2009.