New ransomware variant uses false child porn accusations

Summary: Researchers from BitDefender have detected a new ransomware variant currently spreading in the wild.


Once Trojan.Agent.ARVP locks down the infected PC, it displays a message saying that the PC has been locked because child pornography was found on the user’s system and that a fine of 500 rubles must be paid within 12 hours. The Task Manager, Windows Explorer and User Init Logon Application are either killed or overwritten by the trojan in an attempt to prevent users from killing it.
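
The paragraph above names the three components the locker kills or overwrites. The following PowerShell script is an added triage example, not code from the article or from BitDefender: it checks, read-only, whether explorer.exe, taskmgr.exe and userinit.exe are still present, still carry a valid Authenticode signature and still match a hash baseline, and whether the Winlogon values that launch them and the DisableTaskMgr policy have been changed. It assumes an elevated prompt on a machine that still boots (for example in Safe Mode), PowerShell 4.0 or later for Get-FileHash, and that you fill in the placeholder baseline hashes from a known-clean install of the same Windows build.

```powershell
# Added example (not from the ZDNet article or BitDefender): read-only triage
# of the three components the article says the locker kills or overwrites.
# Assumptions: elevated prompt, PowerShell 4.0+ (Get-FileHash), and baseline
# hashes taken from a clean reference machine of the same Windows build.

$system32 = Join-Path $env:SystemRoot 'System32'

# The binaries named in the article and where a stock install keeps them.
$binaries = @{
    'explorer.exe' = Join-Path $env:SystemRoot 'explorer.exe'
    'taskmgr.exe'  = Join-Path $system32 'taskmgr.exe'
    'userinit.exe' = Join-Path $system32 'userinit.exe'
}

# Placeholder baseline: replace each value with the SHA-256 of the same file
# on a known-clean reference system. These are NOT real hashes.
$baseline = @{
    'explorer.exe' = '<SHA256-FROM-CLEAN-REFERENCE>'
    'taskmgr.exe'  = '<SHA256-FROM-CLEAN-REFERENCE>'
    'userinit.exe' = '<SHA256-FROM-CLEAN-REFERENCE>'
}

foreach ($name in $binaries.Keys) {
    $path = $binaries[$name]
    if (-not (Test-Path -Path $path)) {
        Write-Warning "$name is missing from $path (killed or deleted?)"
        continue
    }
    $hash   = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $hashOk = ($baseline[$name] -eq $hash)
    Write-Output ('{0,-13} signature={1,-12} matches-baseline={2}' -f $name, $sig.Status, $hashOk)
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$name is not validly signed; it may have been overwritten"
    }
}

# Winlogon values that decide which shell and logon helper are started.
# Assumption: a stock system has Shell = explorer.exe and Userinit pointing at
# the System32 copy of userinit.exe (with a trailing comma).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $winlogon -Name Userinit, Shell
Write-Output "Userinit = $($props.Userinit)"
Write-Output "Shell    = $($props.Shell)"

if ($props.Shell -ne 'explorer.exe') {
    Write-Warning 'Shell value is not the default explorer.exe'
}
$expectedUserinit = '^' + [regex]::Escape((Join-Path $system32 'userinit.exe')) + ',?$'
if ($props.Userinit -notmatch $expectedUserinit) {
    Write-Warning 'Userinit value does not point at the stock userinit.exe'
}

# Task Manager can also be blocked by policy rather than by killing the process.
$policyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyPath -Name DisableTaskMgr -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableTaskMgr -eq 1) {
    Write-Warning 'DisableTaskMgr policy is set for the current user'
}
```

Any warning from this script is a reason to stop trusting the running system and to recover data from boot media rather than from inside the infected Windows session; the script only reports, it does not repair anything.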

The scammers say the user must pay within 12 hours or the “child-porn” case will be forwarded to the local police and all data stored on the personal computer will be blocked or deleted, the operating system uninstalled and the BIOS erased.

In reality, the data will still be there and the BIOS will not be affected after the 12-hour deadline passes. But the PC will remain locked. Paying the ransom will not unlock it. In-depth analysis of the malware revealed that there is no way to unlock the PC, so the promise of a code is false.

The malware is currently spreading over links distributed over social networks. Users are advised to be extra vigilant when dealing with suspicious links.

Topics: PCs, Hardware, Malware, Operating Systems, Security, Windows

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

7 comments
  • Find the people who released this

    and execute them.
    Dr_Zinj
    • RE: Find the people who released this and execute them.

      @Dr_Zinj

      Absolutely!

      When doing so, it is important to use a .50 cal round right between the eyes.
      fatman65536
      • I don't think that's necessary,

        @fatman65536, at close range a .22 or a 9mm can be just as effective with much less cost and mess.
        Muzhik1
  • Only half the story...

    So, you didn't tell us if "Safe Mode" is still available and IF any of the common antivirus or antimalware programs will remove it.
    Also, does it affect System Restore and a user's capability of going back to before they got this nasty bug?
    rwbyshe@...
    • The story is there.

      @rwbyshe@... "In-depth analysis of the malware revealed that there is no way to unlock the PC". Translated: you're hosed. Hope you've got a good backup.
      dumptux
    • Brains here please...

      @rwbyshe@...

      If the article is correct, and for the sake of argument I am going to assume it is...the article says the computer is "locked down". If you don't know what that means, I understand your questions, but, if you do know what "locked down" means then why are you asking about going into safe mode or using system restore?

      I do agree that if you can reboot into safe mode then it's not an absolute lockdown by any means. And one would expect there is no reason you couldn't then use system restore if the machine is functional in safe mode, and of course the author should have mentioned that without a doubt. It's a huge game changer if that's the case, obviously.
      Cayble
      • Better yet, use a live CD

        @Cayble: Safe Mode is a good idea if it works, but I'd go for a live CD instead--that way you're assured the malware isn't running when you copy your data off to an external hard drive or what have you. Best tool for the job is probably the Ultimate Boot CD For Windows, though a live Linux disk would also work.
        LeonBA