The ransomware is pushed using drive-by malware attacks. Upon execution, the following activities take place:
Once installed on the victim's computer, the ransomware locks up the targeted machine and displays a warning message notifying the user that they have violated United States Federal Law. The web inject screen (below) claims that the IP address belonging to the infected machine was identified by the Computer Crime & Intellectual Property Section as having visited websites that contain child pornography and other illegal content. In order to unlock their computer, the victim is instructed to pay a $100 fine to the US Department of Justice using prepaid money card services. The payment service options presented to the victim depend on the geographic location of their IP address. For example, users with US IP addresses must pay using MoneyPak or Paysafecard.
What's particularly interesting about this campaign is that it's a decent example of campaign optimization on the part of the cybercriminals behind it, adding multiple monetization vectors. Not only will they earn revenue from the ransomware variant, they will also be able to hijack online banking transactions thanks to the Citadel crimeware that remains active on the system.
Ransomware is becoming increasingly prevalent these days, with multiple new variants being detected on a periodic basis. This micropayment-driven business model is largely fueled by the fact that ransomware source code is publicly obtainable from selected vendors within the cybercrime ecosystem.
In the long term, cybercriminals will continue to emphasize basic QA (quality assurance) processes such as localizing the templates into the native languages of prospective victims. We're definitely going to see more brands, law enforcement agencies and departments impersonated in a systematic manner.