Police-themed ransomware starts targeting US and Canadian users

'Police Trojan' locks down computers and asks their owners to pay a fine for violating several laws

A ransomware application that locks computers and asks their owners to pay fines for allegedly violating several laws through their online activity is targeting U.S. and Canadian users, malware experts from security firm Trend Micro said on Wednesday.

The Trend Micro researchers refer to this particular ransomware -- malware that disables system functionality and asks for money to restore it -- as the "Police Trojan," because it displays rogue messages claiming to originate from law enforcement agencies.

The "Police Trojan" appeared in 2011 and originally targeted users from several countries in Western Europe, including Germany, Spain, France, Austria, Belgium, Italy and the U.K.

The rogue message displayed after locking down a victim's computer is localized in the victim's language and claims to be from a national law enforcement agency from the victim's country.

The owners of the locked-down computers are told that their IP addresses were involved in illegal activities and are asked to pay a fine using prepaid cards like Ukash or Paysafecard. The malware's authors prefer these payment services because transactions made through them cannot be reversed and are hard to trace.

When investigating new command and control (C&C) servers recently used by this malware, Trend Micro researchers discovered message templates that were designed for U.S. and Canadian users. This suggests that the malware's scope has been extended to these two countries.

"Not only has the list of countries increased but also their targets are now more specific," Trend Micro senior threat researcher David Sancho wrote in a blog post on Wednesday. "For instance, UKash vouchers are not available in the U.S., thus the U.S. fake police notification that spoofs the Computer Crime & Intellectual Property Section of the U.S. Department of Justice, only mentions PaySafeCard as the accepted payment method."

The rogue messages displayed to U.S. users read: "This operating system is locked due to the violation of the federal laws of the United States of America! Following violations were detected: Your IP address was used to visit websites containing pornography, child pornography, zoophilia and child abuse. Your computer also contains video files, elements of violence and child pornography! Spam messages with terrorist motives were also sent from your computer. This computer lock is aimed to stop your illegal activity."

The user is asked to pay a US$100 fine through Paysafecard and the message is accompanied by the logos of several supermarkets and chain stores from where Paysafecard vouchers can be bought.

The Trend Micro researchers have found clues that suggest a link between this "Police Trojan" and Gamarue, a piece of information stealing malware distributed through drive-by download attacks launched from infected websites and spam emails.

There are also signs that the C&C software used to manage the computers infected with this Trojan horse is being resold, which means that multiple cybercrime gangs might be spreading this ransomware.

"What is becoming crystal clear is that the same Eastern European criminal gangs who were behind the fake antivirus boom are now turning to the Police Trojan strategy," Sancho said. "We believe this is a malware landscape change and not a single gang attacking in a novel way."

Join the CSO newsletter!

Error: Please check your email address.

More about Department of JusticeTrend Micro Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place