'Police ransom' Trojans the work of single Russian gang, Trend finds

Follows leads back to the motherland

The wave of 'police Trojan' ransomware that has hit PC users across the developed world in the last year is probably the work of a single highly-active Russian cybercrime gang, a forensic analysis by Trend Micro has concluded.

First detected in 2011, there have been numerous police ransom attacks in which infected users are presented with what appears to be a police force splash screen demanding a 100 euro fine for accessing Internet porn or violent material.

A typical example was last September's scam in which the criminals impersonated the Met's Police Central e-crime Unit (PCeU), with reports of identical attacks impersonating other EU police forces around the same time.

The backdoor and Trojan malware that hits users is not particularly sophisticated: beyond locking the user's PC, its main technique is disabling Windows tools such as regedit.exe and msconfig.exe to discourage manual bypass attempts.
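The "disabled admin tools" behaviour is the one host-side signal in the article that a defender can look for directly. The script below is an added example written for this page; it is not Trend Micro's analysis or the malware's code. It assumes the locker works by repeatedly killing regedit.exe and msconfig.exe (the article says only that they are "disabled"), and that Sysmon process-create (Event 1) and process-terminate (Event 5) records with UtcTime, ProcessId and Image are available. The log lines are constructed for the example, not captured from an infection.

```python
"""Heuristic detector for the 'kill the admin tools' behaviour of police-Trojan lockers.

Added example for this article, not Trend Micro's analysis or the malware's own
code. Assumption: the locker keeps killing regedit.exe / msconfig.exe, so each
one the user starts dies within a couple of seconds, over and over. Input format
is a simplified Sysmon export: <UtcTime>|<EventId>|<ProcessId>|<Image>.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one normal notepad session, plus regedit/msconfig/taskmgr
# dying within a fraction of a second of starting, three and four times in a row.
SAMPLE_LOG = """\
2012-02-20 10:00:01.000|1|4120|C:\\Windows\\explorer.exe
2012-02-20 10:00:05.100|1|4210|C:\\Windows\\regedit.exe
2012-02-20 10:00:05.400|5|4210|C:\\Windows\\regedit.exe
2012-02-20 10:00:09.000|1|4230|C:\\Windows\\System32\\msconfig.exe
2012-02-20 10:00:09.200|5|4230|C:\\Windows\\System32\\msconfig.exe
2012-02-20 10:00:12.000|1|4250|C:\\Windows\\regedit.exe
2012-02-20 10:00:12.300|5|4250|C:\\Windows\\regedit.exe
2012-02-20 10:00:30.000|1|4300|C:\\Windows\\System32\\notepad.exe
2012-02-20 10:05:30.000|5|4300|C:\\Windows\\System32\\notepad.exe
2012-02-20 10:06:00.000|1|4310|C:\\Windows\\System32\\taskmgr.exe
2012-02-20 10:06:00.250|5|4310|C:\\Windows\\System32\\taskmgr.exe
"""

# Tools a lock-screen Trojan typically targets; regedit/msconfig come from the
# article, taskmgr/cmd are added here as the obvious siblings.
WATCHED = {"regedit.exe", "msconfig.exe", "taskmgr.exe", "cmd.exe"}


def parse_events(text):
    """Turn the pipe-separated records into (time, event_id, pid, image_name)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, pid, image = line.split("|", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"),
                       int(event_id), int(pid),
                       image.rsplit("\\", 1)[-1].lower()))
    return events


def short_lived_processes(events, watched=WATCHED, max_lifetime=2.0):
    """Return {image: [lifetime_seconds, ...]} for watched images that were
    terminated within max_lifetime seconds of being created.
    Create (Event 1) and terminate (Event 5) records are matched by PID."""
    started = {}
    lifetimes = defaultdict(list)
    for ts, event_id, pid, image in sorted(events):
        if image not in watched:
            continue
        if event_id == 1:
            started[pid] = ts
        elif event_id == 5 and pid in started:
            life = (ts - started.pop(pid)).total_seconds()
            if life <= max_lifetime:
                lifetimes[image].append(life)
    return dict(lifetimes)


def locker_suspected(events, min_kills=3, **kw):
    """Flag when watched admin tools died near-instantly at least min_kills
    times. A user closing regedit once is normal; repeated sub-second deaths
    are the locker's watchdog at work."""
    hits = short_lived_processes(events, **kw)
    return sum(len(v) for v in hits.values()) >= min_kills, hits


if __name__ == "__main__":
    flagged, hits = locker_suspected(parse_events(SAMPLE_LOG))
    print("locker suspected:", flagged)
    for image, lives in hits.items():
        print(f"  {image}: killed {len(lives)}x, lifetimes {lives}")
```

The threshold and the two-second window are tuning knobs, not facts from the article: on a real host you would raise `min_kills` for noisy admin workstations and feed the detector the full Sysmon stream rather than a pre-filtered sample.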

The real innovation lies in the command and control (C&C) infrastructure which is able to localise the attack to a high degree, varying the police threat screens to display different law enforcement organisations depending on the detected country of the victim.

Trend found that the gang had been targeting Germany, the UK, France, Austria, Italy, Belgium and Spain, while so far ignoring all other countries.

Now Trend has connected these attacks to a single organisation after following the evidence trail back to a 'bulletproof' Russian hosting provider, Alliance-host.ru, and a string of command and control servers scattered across the US and Europe. The connections to Russia itself were intricate and compelling.

The gang also appeared to have been involved in older campaigns featuring fake antivirus scams, bank keylogging Trojans such as Zeus and Carberp and the formidable TDSS rootkit believed to have formed a botnet several million strong.

Trend also found indications that the gang could be affiliated to Rove Digital, the Estonian crimeware gang that used the DNSChanger malware to infect millions more PCs before it was disrupted last November.

Cleverly, the gang has also signed up affiliates who host the malware on sites that also serve porn, neatly dovetailing with the gang's aim of frightening infected users for accessing the same material.

"In sum, we are looking at a Russian-speaking cybercriminal gang with a dynamic network infrastructure that probably uses an affiliate network to help spread the ransomware Trojan and infect as many people's systems as possible," Trend said.

Only weeks ago, Trend published figures showing how ransomware infections in general have spread from their home territory of Russia to many other countries.

Ransom malware has been around since at least 2006, but only recently has it turned into a phenomenon causing significant damage, with police Trojans probably at the leading edge of this trend. The police Trojans themselves emerged in 2010 from fake antivirus campaigns that mixed persuasion ('you have a virus on your PC') with threats ('you will pay us to remove it').
