Localized ransomware variants impersonate law enforcement agencies

Security researchers from Microsoft have intercepted multiple localized ransomware variants impersonating law enforcement agencies across the world.

The researchers have intercepted samples in the following languages: English, Spanish, German and Dutch.

Impersonated agencies include:

  • The German Federal Police
  • GEMA (Germany's performance rights organization)
  • The Swiss "Federal Department of Justice and Police"
  • The UK "Metropolitan Police"
  • The Spanish Police
  • The Dutch Police

According to their blog post, the infection rate for each localized variant coincides with the country it targets. For instance:

In the case of Trojan:Win32/Ransom.DU, which is a generic detection for a German-language variant of the ransomware that impersonates the German Federal Police, 91.59% of the samples we received from July to November this year were found in Germany, as we show in Table 1.

Is there a connection between these ransomware variants? According to Microsoft, a single gang is responsible for their release in the wild:

All the localized versions of the ransomware that we've encountered so far, except for the more recent GEMA case, have a very similar codebase. The HTML front-end has been translated, while the back-end stays almost the same, with the exception of some obfuscation layers. This fact indicates that they were created by the same gang, which has put some effort into designing an easy-to-localize solution.

How does the localization take place? Throughout the cybercrime ecosystem, vendors of localization services court would-be cybercriminals who want their spam templates and messages translated into specific languages, advertising these services in the underground. The same goes for the GUIs of various programs, in this case the ransomware variants.

In the past, we have seen the localization of open source malware, including the localization of scareware templates, and the localization of web malware exploitation kits such as Icepack, Firepack and MPack.

Localization is clearly growing as an underground market segment, offering easy market development and market penetration possibilities to cybercriminals looking for ways to target a wider audience.


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

2 comments
  • RE: Localized ransomware variants impersonate law enforcement agencies

    Frankly, if any one of these popped up on my system, I would know they were frauds.

    Why?

    1. I do nothing illegal nor download anything illegal by United States law nor local law (unless you are talking about those BS obscenity laws) online.
    2. I know from working with law enforcement on two occasions that they do NOT advertise when they are monitoring your computer.
    Lerianis10
    • Not the typical modus operandi from the agencies listed

      Sounds more like something you would expect to see from the Federales in Mexico. ;) European and American agencies tend to be subtler, and more covert, a la snakes in the grass. And their bites are generally worse.
      klumper