Copyright violation alert ransomware in the wild

Copyright violation alert ransomware in the wild

Summary: A currently ongoing ransomware campaign is using a novel approach to extort money from end users whose PCs have been locked down - it attempts to extorts $400 from users which would otherwise face a copyright violation suit.

TOPICS: Hardware

UPDATED: Wednesday, April 28, 2010: How to remove the ICPP Copyright Violation Alert ransomware

A currently ongoing ransomware campaign is using a novel approach to extort money from end users whose PCs have been locked down.

By pretending to be the fake ICPP Foundation (, the ransomware locks down the user's desktop issuing a "Copyright violation: copyrighted content detected" message, which lists torrent files found on the infected PC, and forces the user to pay $400 for the copyright holder's fine, emphasizing on the fact that "the maximum penalties can be five years in prison and up to $250,000 in fines.

More details on the campaign:

Upon execution the ransomware will change the Desktop's wallpaper to the "Warning! Piracy detected!" background.

It will then make sure the warnings appear every time the end user restarts PCs. In between, it will lock down the end user's Desktop, featuring the "Copyright violation: copyrighted content detected" window:

The window attempts to trick the end user into believing that:

  • "Windows has detected that you are using content that was downloaded in violation of the copyright of its respective owners. Please read the following bulletin and try solving the problem in one of the recommended ways. During the system scan Antipiracy foundation scanner has detected copyright issues. Please take a look at the list and choose an action: pass the case to a court or settle it in pre-trial order by paying a fine."

Attempts to get rid of it result in the following message:

  • "Performing this action is construed as refusal to cooperate with the copyright holder and unwillingness to consider pre-trial settlement. If you continue, all the data gathered will be passes to copyright protection organizations and to the court. We recommend cancelling this action and choosing the option "pre-trial settlement"."

Gullible end users who fall victim to the scam, will then be asked to pay $399.85 for a "Legal license purchase", "Copyright holder fine", a "Copyright protection organization fee for the use of software tracking illegal file downloads" and a "Traffic fee".

Basically, you've got a profit margin driven ransomware business model, that's ironically charging you a fee for the development of ransomware "software" itself. The cybercriminals behind the campaign are also aware of the concept of localization. The ransomware will adapt to each user's PC, and issue the same messages in 10 different languages - Czech, Danish, Dutch, English, French, German, Italian, Portuguese, Slovak and Spanish.

Although the ransomware tactic of using copyright infringement themes is novel, the tactic is fundamentally flawed due to a simple reason - the amount of money the ransomware is requesting is supposed to trigger a "vigilance alert" in the mind of the affected user.

The ransomware is currently detected as Win32/Adware.Antipiracy and Rogue:W32/DotTorrent.A.

Topic: Hardware

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Terrible. Worse you don't offer critical info users need to know

    o This only effects the Microsoft Windows platform
    o You don't mention which version(s) of Windows are affected
    o You don't detail the mode of infection
    o You don't give any remedy

    Folks, this type of article serves no purpose other than to sensationalize an issue with no solution.

    Bells and whistles should be going off inside your head because this is emblematic of the trouble with Microsoft Windows: defective by design and exploitable to the worst extent possible.

    This kind of situation can NEVER happen with Ubuntu Linux running AppArmor Linux Security Module.


    Make time to review the alternatives to Windows, and include Ubuntu Linux on your list.

    Ubuntu Linux: The safest operating system on the planet.

    I stake my reputation on it.

    Dietrich T. Schmitz
    Linux Advocate
    Dietrich T. Schmitz, Linux Advocate
    • You seem to be a genuinely helpful fellow, but

      seriously, these endless posts touting the virtues of AppArmor are growing tiresome.

      I like Linux in general, and use it now and then. But these posts do nothing to help further its spread.

      Please, please, stop them. They're only half-true anyhow, which has been demonstrated to you several times.

      You're doing more harm than good. (And this comes from a Linux user, on and off since about 1996 or so.)

      • My willingness to raise awareness knows no limits. Sorry you are annoyed.

        Redirect your annoyance to where it really belongs or
        Change the channel.
        Dietrich T. Schmitz, Linux Advocate
        • You aren't raising awareness. You're spreading

          information that is of value to a very limited audience, one that's tech-savvy enough to make use of it. Even there, its usefulness is in question.

          I feel no obligation to "change the channel" whatsover.
        • how raising and reputation?

          You are really not raisning awarness, just irritating people. Most people have no real choice in OS, rather company policy or need for specific applications and sorry but Linux is not there for many for those reasons. And to claim Linux is completely safe is misleading, any unused highway is not subject to head on collisions as no other cars on it, but does not mean road is safer than another if it is used. Likewise if Linux becomes extremely popular people will start writing lots of viruses for it and finding ways around.

          And what is your reputation? I have never heard of you and you give no credentials.

          I have worked with Unix since the 80s and Linux since the late 90s and with windows since 2.0

          This article would be a lot more helpful to say waht to do to preveent and clean. Sorta like reporting tsumami is on way but giving no indication what to do

          Dwight , EdD, CCP, MCSE, A+, Server+, MCT, MCDST, Network+ and others
          • appreciate this


            Very impressed with your use of analogies. You are a good teacher. Thank you.

            Good luck.
        • Better raise awareness about ransomware

          The article has its merits in raising the alert to unsuspecting users, even if it does not indicate how to remove the malware.

          Your efforts would be more appreciated if you used your willingness to raise awareness of the threats that are out there, including those that exist for Linux.

          I am not exactly an MS fan, and I've handled by now almost any OS that has come out since I started perforating tape & punch cards 30+ years ago, but I also get tired of zealots that instead of contributing to the general knowledge simply do MS-bashing...
        • Ugh...

          I also use Ubuntu occasionally. Frankly I like Linux for many reasons... I also like Windows for many reasons... Indeed I like OS X for many reasons.

          The truth is that each platform has its' strength and weaknesses, but touting Linux as the end-all-be-all OS is absurd:

          Windows is so popular for one reason: Options. I can *always* buy Applications/Games/Utilities for windows, take them home, pop the disc in and it just works. For 99% of home users, this is what matters; nothing else.

          Let's be honest: I've been using Linux on and off since 1999 and I love tinkering with it, but the truth is that everyone who has used linux has at one time or another downloaded a software package and couldn't get it to work without using complicated terminal commands, etc. etc. In most cases I could figure out the problem and get the program to work... But that's because I've been using computers for 30 years.. People who don't have a lot of computer knowledge/experience won't be able to figure it out.. And most of the time people don't WANT to figure anything out, they just want the thing to work.

          This is why Linux isn't ready to become THE Desktop OS.. Not to mention, Linux simply doesn't have the software base to compete with Windows or OS X.. Don't give me the tired argument that there are "thousands and thousands of free software titles available.. blah blah" The real truth is that (with only a FEW exceptions) the free software simply isn't as good as it's commercial counterpart.

          That's my two cents.
          • amen to that

            amen to that
          • Packages? forget that...

            I cannot get my network cards to work on my laptop after an install without doing console commands...

            However, AppArmor is better then Protected mode since it also protect aggainst reads... But in the case of this ransomware, protected mode would suffice.
          • 2 Cents? Comment is worth $2

            Perfectly reasoned & reasonable response.

            Used Ubuntu for 3 months and it is GONE from my machine.

            I have 30 years in IT as well. Could I put it my parent's computers? Nope.

            It is a bad OS, of course not. But your average user is not going to spend the time to go to the terminal to install a new repository. Not all drivers & apps work that well either - if I had a big document to print I had to do it in Windows because my laser printer didn't resume printing after running out of paper mid-way through, that is not acceptable in a production environment.

            But it is fun to use, good to know, and it is coming along.

            And the Mac OS is nice too. Windows 7 is very nice, convinced me to start to migrate away from XP.

            Nothing is perfect folks, which is why these malware writers will always find a way into a box...
        • You've raised awareness. We're aware that you're

          no better then the shoe spammers.

          I seriouslly doubt that was the type of awareness you were trying to impart, but it looks as though that's what defines you now.

          Nice job.
          John Zern
      • Only he's right

        [i]o This only effects the Microsoft Windows platform
        o You don't mention which version(s) of Windows are affected
        o You don't detail the mode of infection
        o You don't give any remedy[/i]

        I complained about this very thing to Ryan some years back in Talkbacks, and he seemed to act on that feedback from that time forth. Perhaps Dancho could consider doing the same.

        There's no point in posting articles relating to computer security if you're not going to suggest - at a minimum - remedial actions. If there happen to be no known remedies or workarounds at the time the article is posted (rare as that would be), state it.

        As for DS's aggressive advocacy of alternative approaches to the Windows juggernaut, well I'll leave any resultant hair pulling to others (those that still have any, after extended tethering to MS platforms).
        • Wait a second guys,

          He said what the infection was detected as:
          "The ransomware is currently detected as Win32/Adware.Antipiracy and Rogue:W32/DotTorrent.A."

          So, I would think the first thing you would have to do is go to a restore point that was created before the infection and run a full scan with your malware remover of choice and get rid of it. If this is not possible for one reason or another (did you set up backup/restore?) or you can't even boot to safe mode, then use a rescue live CD. Should be simple enough for anyone knowledgeable in these things.
          Louis Ross Focke
          • And what about folks who are not so hip?

            [i]Should be simple enough for anyone knowledgeable in these things.[/i]

            They count too, and certainly make up a reasonable percentage of the readership at this site.

            Ideally from wherever the authors are getting their source material, they should be getting the official word on remedies and counter-measures. If not, they're just throwing out loose knit scare scenarios to no end. Besides, it's the basis of their expertise in this field to do more than merely cite threats, is it not?
          • Sorry I did not mean to be condescending

            I could have worded that better. I was just trying to point out to people that might not know how, a way that they could possibly achieve what the author missed writing about. I feel these forums should be for answers to a problem raised. So even though I rarely use Windows, I do have win7 on my system, I still like to try and be helpful in looking for a solution to a problem.

            Louis Ross Focke
          • You weren't Louis

            [i]I still like to try and be helpful in looking for a solution to a problem.[/i]

            That says enough. ;)

        • RE: Only he's right

          The process of preventing this ransomware infection from happening, is no different that the process of protecting against malware, or perhaps even scareware in general.

          Zero Day readers -- wishful thinking I know -- are supposed to be ahead of game here.

          Hence, the reason whey the link to the "The ultimate guide to scareware protection" was featured in the article.

          Basically, it explains how scareware/ransomware and malware in general is pushed to the average end user, and what can be done to prevent this from happening.

          Prevention tips for Windows users:

          01. Use least privilege accounts

          02. Think beyond "Patch Tuesday". Enforce a basic software patch management process, by using Secunia's PSI.

          03. Browse the Web in a sandboxed environment.

          04. Firefox users, spend some time going through NoScript's documentation, and configure it securely.

          05. Scan suspicious files through VirusTotal before running them.

          • May I suggest you update the article with this info? Thanks

            Dietrich T. Schmitz, Linux Advocate
          • Well said

            "Zero Day readers -- wishful thinking I know -- are supposed to be ahead of game here."

            Your thought is completely valid. If you were writing for your hometown newspaper then sure, include the basic security stuff.

            If the critics want an article written a certain way then they should come up with their own material, instead of trying to hijack someone else's.
            Chris Z