New ransomware impersonates the U.S. Department of Justice

Summary: Security researchers from Trusteer have intercepted a ransomware variant being pushed using the Citadel crimeware platform.


The ransomware is delivered through drive-by download attacks. Once installed on the victim's computer, it locks the machine and displays a warning message notifying the user that they have violated United States federal law. The lock screen claims that the IP address of the infected machine was identified by the Computer Crime & Intellectual Property Section as having visited websites containing child pornography and other illegal content. To unlock the computer, the victim is instructed to pay a $100 "fine" to the U.S. Department of Justice using prepaid money card services. The payment options presented to the victim depend on the geographic location of their IP address; users with U.S. IP addresses, for example, must pay using MoneyPak or Paysafecard.

What is particularly interesting about this campaign is that it is a good example of campaign optimization by the cybercriminals behind it: it stacks multiple monetization vectors. Not only do they earn revenue from the ransomware itself, they can also hijack online banking transactions, because the Citadel crimeware that dropped it remains active on the system. For responders this matters: unlocking the screen, or paying the fake fine, does not remove the banking trojan, so an affected machine should be treated as fully compromised rather than merely "unlocked".

Ransomware is becoming increasingly prevalent, with new variants detected on a regular basis. This micro-payment business model is sustained largely by the fact that ransomware source code can be bought from selected vendors within the cybercrime ecosystem.

In the long term, cybercriminals will continue to emphasize basic QA (quality assurance) processes such as localizing the templates into the native languages of prospective victims. We are certain to see more brands, law enforcement agencies and government departments impersonated in a systematic manner.



Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He has been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community.
