The wave of ‘police Trojan’ ransomware that has hit PC users across the developed world in the last year is probably the work of a single highly-active Russian cybercrime gang, a forensic analysis by Trend Micro has concluded.
First detected in 2011, there have been numerous police ransom attacks in which infected users are presented with what appears to be a police force splash screen demanding a 100 euro fine for accessing Internet porn or violent material.
A typical example would be last September’s scam in which the criminals impersonated the Metropolitan Police’s Central e-crime Unit (PCeU) with reports of identical attacks manipulating other EU police forces around the same time.
The backdoor and Trojan malware that hits users is not particularly sophisticated beyond the basic technique of locking the user’s PC while disabling Windows processes such as regedit.exe and msconfig.exe and as a way of discouraging manual bypass attempts.
The real innovation lies in the command and control (C&C) infrastructure which is able to localise the attack to a high degree, varying the police threat screens to display different law enforcement organisations depending on the detected country of the victim.
Trend found that the gang had been targeting Germany, the UK, France, Austria, Italy, Belgium, Spain, while so far ignoring all others countries.
Now Trend has connected these attacks to a single organisation after following the evidence trail back to a ‘bulletproof’ Russian hosting provider, Alliance-host.ru, and a string of command and control servers scattered across the US and Europe. The connections to Russia itself were intricate and compelling.
The gang also appeared to have been involved in older campaigns featuring fake antivirus scams, bank keylogging Trojans such as Zeus and Carberp and the formidable TDSS rootkit believed to have formed a botnet several million strong.
Another connection Trend detected was to that the gang could be affiliated to Rove Digital, the Estonian crimeware gang that used the DNSchanger malware to infect millions more PCs before it was disrupted last September.
Cleverly, the gang has also signed up its own affiliates to host the malware that also serve porn, neatly dovetailing with the gang’s aim of frightening infected users for accessing the same material.
“In sum, we are looking at a Russian-speaking cybercriminal gang with a dynamic network infrastructure that probably uses an affiliate network to help spread the ransomware Trojan and infect as many people’s systems as possible,” Trend said.
Only weeks ago, Trend published figures showing how ransomware infections in general have spread from their home territory of Russia to many other countries.
Ransom malware has been around since at least 2006, but only recently has it morphed into a phenomenon causing significant damage, with police Trojans probably at the leading edge of this trend. Historically, these emerged in 2010 from fake antivirus campaigns that mixed persuasion ('you have a virus on your PC') with threats ('you will pay us to remove it').