
The Rise of the Ransomware – Police Virus Reloaded

Jul 4

Some of you probably remember this article, where I described the huge increase in attacks seen in some countries from malware posing as different law enforcement agencies. This kind of malware is called the “Police Virus” for that reason, and its main purpose (as usual with malware) is to steal money from users. To do that it tries to scare them (which is why this kind of malware is sometimes called “scareware”).

Over the last few months these attacks have evolved. As posing as the police was not enough, they started using ransomware tactics, encrypting files on the computer and “forcing” the user to pay the fine in order to recover access to those files. Basically they took this functionality from PGPCoder, a trojan designed to encrypt files, which were only decrypted once you paid a ransom to the cybercriminals behind it.

The first versions of this new police virus only encrypted .doc files, and the encryption was not really strong, so it was possible to decrypt them without having the key. However, these cybercriminals realized they had made a mistake and created a new version. This time the encryption used a more advanced technique, so the key is needed in order to decrypt the files. Not only that, but the key is different for every infected computer, so unless someone can access the server where the keys are stored there is no way to recover those files. And they are not just encrypting .doc files anymore: some variants have a list of file extensions to encrypt; others have just an exclusion list to avoid encrypting critical system files, and they encrypt everything else.
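A defender-side triage check for the file-encrypting behaviour described above, as an added example that is not part of the original post: it flags files whose header no longer matches their extension and whose content is high-entropy, so an IT team can measure the damage on an infected machine. The file names, the 7.5 bits/byte threshold and the sample tree are assumptions constructed for the example.

```python
import math
import os
import tempfile
from pathlib import Path
# Header bytes for file types the post mentions (.doc) plus a compressed one; a
# .doc whose header is gone has most likely been overwritten with ciphertext.
MAGIC = {
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound document
    ".jpg": b"\xff\xd8\xff",
}
def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 means random-looking (encrypted or compressed)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """Header no longer matches the extension AND content is high-entropy; both
    are required so compressed formats (jpg) and plain corruption are skipped."""
    magic = MAGIC.get(Path(name).suffix.lower())
    header_ok = magic is not None and data.startswith(magic)
    return not header_ok and shannon_entropy(data) >= threshold

def triage_dir(root: str) -> list:
    """Sorted relative paths under root that look encrypted (first 4 KiB read)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                if looks_encrypted(fn, fh.read(4096)):
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample_dir() -> str:
    """Constructed sample tree (no real victim data); returns its directory."""
    root = tempfile.mkdtemp(prefix="police_virus_triage_")
    samples = {
        "budget.doc": MAGIC[".doc"] + b"Quarterly budget text. " * 200,  # intact
        "report.doc": os.urandom(4096),                 # stands in for ciphertext
        "photo.jpg": MAGIC[".jpg"] + os.urandom(4000),  # compressed, header intact
        "notes.txt": b"meeting notes\n" * 100,          # unknown type, low entropy
    }
    for fn, data in samples.items():
        with open(os.path.join(root, fn), "wb") as fh:
            fh.write(data)
    return root  # triage_dir(build_sample_dir()) -> ['report.doc']
```

On a real machine, point triage_dir at the user's profile directory and expect to review unknown-type high-entropy files (archives, media) by hand, since they are judged on entropy alone.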

How much further can they go? At the end of the day, what these cybercriminals need is to scare users as much as possible to get them to pay this ransom (“fine”). Last week we came across yet another variant, which oddly was activating the computer's webcam. What for? They have modified the typical warning page they were using before:

For a new one that includes a frame with the image taken by the webcam:

As you can see there is a frame where the webcam stream is shown, with a caption that says “Video recording”. However, it is not recording any video, nor sending it anywhere; it is just displaying the image taken by the webcam. But of course the user doesn’t know this, and most of them will be really scared and will pay ASAP to get rid of it. This one does not have the encryption feature; they must have thought that using the webcam is scary enough.



  1. “…key is different for every computer that has been infected…”
    What about a brute force attack on the encrypted files?

    If you run this malware in a lab a few times and see what password is sent to the server, I think it is possible to make a pattern of the passwords used:
    length: 8-12
    chars: a-z, 0-9, no special chars, no caps, etc.


  1. [...] up!  You’re surrounded: This could be the battle cry of the Police virus, the malware that has caused most headaches for users and IT departments alike during 2012. This [...]

  2. [...] Police virus: This strain of malware caused most headaches for users and IT departments alike. It purports to show a message from the police telling users that their computer has been blocked – which it has – because they have supposedly downloaded illegal material. To recover their systems, users are asked to pay a fine. The most recent versions even show images taken with the user’s webcam, making the scam all the more realistic. [...]

  3. [...] up! You’re surrounded: This could be the battle cry of the Police virus, the malware that has caused the most headaches for users and IT departments in [...]

  4. [...] hands up, you’re surrounded! Such could be the war cry of the Police virus, the malicious code that has caused the most headaches for individuals and businesses in [...]

  5. [...] on this blog we have posted several reports on the Police Virus and its evolution over time. This evolution is absolutely normal and it doesn’t necessarily mean that there are [...]
