Police-themed Ransomware Starts Targeting US and Canadian Users

A ransomware application that locks computers and asks their owners to pay fines for allegedly violating several laws through their online activity is targeting U.S. and Canadian users, malware experts from security firm Trend Micro said on Wednesday.

The Trend Micro researchers refer to this particular ransomware — malware that disables system functionality and asks for money to restore it — as the “Police Trojan,” because it displays rogue messages claiming to originate from law enforcement agencies.

The “Police Trojan” appeared in 2011 and originally targeted users from several countries in Western Europe, including Germany, Spain, France, Austria, Belgium, Italy and the U.K.

The rogue message displayed after locking down a victim’s computer is localized in the victim’s language and claims to be from a national law enforcement agency from the victim’s country.

The owners of the locked-down computers are told that their IP addresses were involved in illegal activities and are asked to pay a fine using prepaid cards like Ukash or Paysafecard. The malware’s authors prefer these payment services because transactions made through them cannot be reversed and are hard to trace.

When investigating new command and control (C&C) servers recently used by this malware, Trend Micro researchers discovered message templates that were designed for U.S. and Canadian users. This suggests that the malware’s scope has been extended to these two countries.

“Not only has the list of countries increased but also their targets are now more specific,” Trend Micro senior threat researcher David Sancho wrote in a blog post on Wednesday. “For instance, UKash vouchers are not available in the U.S., thus the U.S. fake police notification that spoofs the Computer Crime & Intellectual Property Section of the U.S. Department of Justice, only mentions PaySafeCard as the accepted payment method.”

The rogue messages displayed to U.S. users read: “This operating system is locked due to the violation of the federal laws of the United States of America! Following violations were detected: Your IP address was used to visit websites containing pornography, child pornography, zoophilia and child abuse. Your computer also contains video files, elements of violence and child pornography! Spam messages with terrorist motives were also sent from your computer. This computer lock is aimed to stop your illegal activity.”

The user is asked to pay a US$100 fine through Paysafecard and the message is accompanied by the logos of several supermarkets and chain stores from where Paysafecard vouchers can be bought.

The Trend Micro researchers have found clues that suggest a link between this “Police Trojan” and Gamarue, a piece of information stealing malware distributed through drive-by download attacks launched from infected websites and spam emails.

There are also signs that the C&C software used to manage the computers infected with this Trojan horse is being resold, which means that multiple cybercrime gangs might be spreading this ransomware.

“What is becoming crystal clear is that the same Eastern European criminal gangs who were behind the fake antivirus boom are now turning to the Police Trojan strategy,” Sancho said. “We believe this is a malware landscape change and not a single gang attacking in a novel way.”