Attackers Pose As Police In New Ransomware Campaign

Messages with an official-looking police banner claim discovery of child pornography, other illicit material, and emails with terrorists

In a new twist to ransomware attacks, the bad guys are pushing pop-up warnings posing as federal law enforcement messages claiming to have discovered illicit and illegal material on victims computers -- and the malware locks down their machines and deletes data unless they pay a fine.
Ransomware is nothing new, but researchers at Microsoft say this latest batch includes different versions for each country it targets -- English, Spanish, German, and Dutch -- and poses as the German Federal Police, GEMA (Germanys performance rights organization), The Swiss Federal Department of Justice and Police, The UK Metropolitan Police, The Spanish Police, and The Dutch Police.
Even more chilling is the message with an official-looking police banner used to intimidate the victims, which say sauthorities have found evidence of child pornography and emailing with terrorists: Attention! Illegal activity was detected. The operating system was locked for infringement against the laws of Switzerland. Your IP address is . From this IP address, sites containing pornography, child pornography, bestiality and violence against children were browsed. Your computer also has video files with pornographic content, elements of violence and child pornography. Emails with terrorist background were also spammed. This serves to lock the computer to stop your illegal activities. The scam is spreading via malicious email messages purportedly from federal law enforcement as well as via compromised Web pages. The Trojan then locks down the victims machine and either encrypts or deletes data stored on the hard drive. It then goes on to ask for a payment of 150 CHF within 24 hours over Paysafecard, or the computers hard disk contents will supposedly be erased. To seem more legit, Trojan:Win32/Ransom.FS queries a legitimate public IP address geolocation service at tools.ip2location.com/ib2 to determine the country and the ISP from which the infected computer is connecting to the Internet, according to Microsoft. The malware is either distributed via the Blackhole exploit kit or via drive-by download. In the case of the attack against German-speaking victims, the users either click on a link that redirects them to a URL that hosts Blackhole, or they visit a legitimate website that was compromised with malicious JavaScript. Another possible way one can land on a Blackhole domain is by clicking on a spammed link. We are aware of several spam campaigns that contain links to the exploit kit and we know that some of the spam is generated by the Cutwail botnet, Microsoft says. The good news is that it doesnt employ any zero-day vulnerabilities, so updated versions of Windows should be safe, the researchers say. Considering the wide distribution of scams such as this ransomware, its clear that theres a lot of money at stake. Thats why the bad guys invest in making their scams look more convincing for the unsuspecting user. This includes adapting social engineering techniques to the specifics of various countries and pretending to be the local authorities, the researchers say. Microsofts full research on the scam -- including screen shots -- is
posted here
.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Attackers Pose As Police In New Ransomware Campaign