Security researchers from Microsoft have intercepted multiple localized ransomware variants impersonating law enforcement agencies across the world.
The researchers have intercepted samples in the following languages: English, Spanish, German, and Dutch.
Impersonated agencies include:
- The German Federal Police
- GEMA (Germany's performance rights organization)
- The Swiss "Federal Department of Justice and Police"
- The UK "Metropolitan Police"
- The Spanish Police
- The Dutch Police
According to their blog post, the infection rate for each localized ransomware variant coincides with the country in question. For instance:
In the case of Trojan:Win32/Ransom.DU, which is a generic detection for a German-language variant of the ransomware that impersonates the German Federal Police, 91.59% of the samples we received from July to November this year were found in Germany, as we show in Table 1.
Is there a connection between these ransomware variants? According to Microsoft, a single gang is responsible for their release in the wild:
All the localized versions of the ransomware that we've encountered so far, except for the more recent GEMA case, have a very similar codebase. The HTML front-end has been translated, while the back-end stays almost the same, with the exception of some obfuscation layers. This fact indicates that they were created by the same gang, which has put some effort into designing an easy-to-localize solution.
How does the localization process take place? Throughout the cybercrime ecosystem, vendors of localization services court cybercriminals who want to localize their spam templates and messages into specific languages, offering valuable underground propositions aimed at satisfying their needs. The same goes for the GUIs of various programs, in this case ransomware variants.
In the past, we have seen the localization of open source malware, including the localization of scareware templates, and the localization of web malware exploitation kits such as Icepack, Firepack and MPack.
Localization is clearly growing as an underground market segment, offering easy market development and market penetration possibilities to cybercriminals looking for ways to target a wider audience.