Remember the ransomware variant that was locking down user’s PCs and demanding a premium SMS in order for them to receive the unlocking code?
In an attempt to further monetize the “innovative” practice of converging Windows-based malware and premium SMS numbers operated by the cybercriminals, a do-it-yourself version of the ransomware is currently offered for sale for a mere $15.
Here are some of its features:
– When executed presents the uset with a Blue Screen of Death style error message
– A simple auto-loading feature ensuring it will load every time the host is rebooted, completely disables the startup shell in order to become the first application to appear upon reboot
– Disables Windows Task Manager, Registry Editor, default shortcuts for terminating a program
The vendor would also like to remind its customers that “the application is for educational purposes only”, next to a comment on how all of their current customers are fully satisfied with the money they’re making by locking infected user’s PCs. This piece of ransomware has been spreading across the Russian web space since April, and with its source code now offered for sale, it’s only a matter of time before the error messages get localized to multiple languages courtesy of localization on demand cybercrime-friendly services breaking any language barrier for a spam/malware campaign.
However, from an operational security (OPSEC) perspective which I often emphasize on in order to demonstrate how efficient cybercrime facilitating tactics increase the probability of successfully tracking down the people behind a particular attack, this premium SMS based ransomware tactic is exposing the people behind the campaign much easily due to its reliance on a mobile operator, compared to GPCode’s virtual money exchange approach (Who’s behind the GPcode ransomware?) which given they put enought efforts, the process can be virtually untraceable.
Despite the fact that vendors have already released unlock code generators for the SMS ransomware, taking into consideration the potential for widespread ransomware campaigns through the now ubiqitous revenue generator in the form of scareware (Scareware meets ransomware: “Buy our fake product and we’ll decrypt the files”), the concept is not going away anytime soon.
Mobile Malware Scam iSexPlayer Wants Your Money
New mobile malware silently transfers account credit
New Symbian-based mobile worm circulating in the wild