Monday, August 24, 2009

6th SMS Ransomware Variant Offered for Sale

"Your copy of Windows has been blocked! You're using an unlicensed version of it! In order to continue using it, you must receive the unlock key. All you have to do is follow these steps: You must send a SMS message. You will receive an activation code once you do so. Enter the code and unlock your copy of Windows."

Anticipating the potential for monetization, cybercriminals are investing more time and resources into coming up with new features for their SMS based ransomware releases. Two of the very latest releases indicate their motivation and long-term ambitions into this newly emerged micro-payment ransomware channel.

What's new, is the social engineering element, the self-replication potential through removable media, and the contingency planning through the use of multiple SMS numbers in case one of the numbers gets shut down. Let's go through some of the features of two newly released SMS ransomware variants offered for $20, and $30 respectively.

What's worth emphasizing on in respect to the first release, is that it's Windows 7 compatible, and is the first SMS ransomware that allows scheduled lock down after infection -- presumably, the author included this feature in order to make it harder for the victim to recognize how he got infected at the first place -- as well as multiple SMS numbers for contingency planning.

Key features include:
- Clean interace
- Bypasses Safe Mode
- Locks down the taskbar or any combination of keys that could allow a user to close the application
- The error message can be customized
- Ability to use multiple-unlock codes
- Ability to use multiple SMS numbers from where the activation code will be obtained
- Ability to lock the system immediately upon infection, or after a given period of tim
- Auto-starting features, self-removal upon entering the correct activation code, and ensuring that the victim would no longer be infected with this release through the use of mutex-es.
- This SMS ransomware is Windows 7 compatible

The majority of SMS based ransomware is relying on the "Unlicensed Windows Copy" theme, but the first self-replicating through removable media propagation such ransomware is signaling a trend to come - social engineering throuhg impersonation in a typical scareware style. This release can be easily described as the first scareware with micro-payment ransom element offered for sale.

Basically, it attempts to impersonate Kaspersky Lab Antivirus Online and trick the infected user into thinking that Kaspersky has detected a piece of malware, has blocked it but since the malware changes its encryption algorithm the user has to send a SMS costing 150 rubles in order to receive the SMS that will block the malware.

This release also includes a timer, and a message explaining that re-installing Windows wouldn't change the situation in an attempt to further trick the user into sending the messsage. The release is exclusively released for Windows XP and is not Windows Vista compatible.

Cybercriminals are known to understand the benefits of converging different successful and well proven tactics across different propagation/infection vectors. Now that we've seen scareware with elements of ransomware, as well as hijacking a browser session's ads and demanding ransom to remove the adult content, it's only a matter of time to witness a micro-payment driven scareware campaign distributed through blackhat SEO and the usual channels.

Related posts:
5th SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
SMS Ransomware Source Code Now Offered for Sale
New ransomware locks PCs, demands premium SMS for removal

This post has been reproduced from Dancho Danchev's blog.

No comments:

Post a Comment