Localised ransomware identified by Microsoft
Criminals are going to an increasing amount of trouble to adapt ransomware for different countries in order to give it a veneer of credibility. One example is BKA, which has been circulating since the start of this year. It blocks victims' computers and claims to have identified illegal content on them, such as pirated material or child pornography. It then claims that the block will only be removed after the victim has paid a fine – though payment generally has no effect.
Microsoft's Malware Protection Center reports that modified trojans such as this are also a problem in several other countries, but that the ransomware claims to be from a different authority, depending on the user's location. The UK version tells users that the Metropolitan Police is demanding £75; the German version claims to be from the German Federal Police and demands between 50 and 250 euros; and in Switzerland, the "Federal Department of Justice and Police" demands 100 Swiss francs to unblock the user's computer.
Microsoft's experts have also discovered versions designed for Spain and the Netherlands. All versions share a common codebase. According to the report, the authors of the trojan have gone to some trouble to make the malware easily localisable. The criminals select the appropriate language version of the malware based on the victim's IP address.
The malware is, according to Microsoft, distributed in part via the Blackhole exploit kit, which probes for known security vulnerabilities in Adobe Reader, Flash, Java and Windows when users visit an infected web page. If it finds one of the target vulnerabilities it infects the computer with ransomware.
The Microsoft posting gives as its main example the trojan Win32/Ransom.DU, which is targeted at German users. Between July and November of this year, Microsoft discovered this particular version on more than 25,000 German computers – compared to just 852 in the UK. If just one in ten of those German victims were to fall for the scam and pay 100 euros, the criminals would net 250,000 euros. Victims should, however, under no circumstance pay up. Instead, they should use an up-to-date bootable anti-virus CD to remove the trojan.