Localized ransomware variants impersonate law enforcement agencies

Summary: Security researchers from Microsoft have intercepted multiple localized ransomware variants impersonating law enforcement agencies across the world.


The researchers have intercepted samples in the following languages: English, Spanish, German, and Dutch.

Impersonated agencies include:

  • The German Federal Police
  • GEMA (Germany's performance rights organization)
  • The Swiss "Federal Department of Justice and Police"
  • The UK "Metropolitan Police"
  • The Spanish Police
  • The Dutch Police

According to their blog post, the infection rate for each localized ransomware variant coincides with the country it targets. For instance:

In the case of Trojan:Win32/Ransom.DU, which is a generic detection for a German-language variant of the ransomware that impersonates the German Federal Police, 91.59% of the samples we received from July to November this year were found in Germany, as we show in Table 1.

Is there a connection between these ransomware variants? According to Microsoft, a single gang is responsible for their release in the wild:

All the localized versions of the ransomware that we've encountered so far, except for the more recent GEMA case, have a very similar codebase. The HTML front-end has been translated, while the back-end stays almost the same, with the exception of some obfuscation layers. This fact indicates that they were created by the same gang, which has put some effort into designing an easy-to-localize solution.

How does the localization take place? Throughout the cybercrime ecosystem, vendors of localization services attract cybercriminals who want their spam templates and messages translated into specific languages, offering underground propositions tailored to those needs. The same goes for the GUIs of various programs, in this case ransomware variants.

In the past, we have seen the localization of open source malware, including the localization of scareware templates, and the localization of web malware exploitation kits such as Icepack, Firepack and MPack.

Localization is clearly growing as an underground market segment, offering easy market development and market penetration possibilities to cybercriminals looking for ways to target a wider audience.



Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He has been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community.
