Ransomware Exploits the Italian Police

Total Defense

Americas
Brazil
Canada
Latin America
United States
Europe
Austria
Belgium
Croatia
Czech Republic
Denmark
France
Germany
Hungary
Ireland
Italy
Macedonia
Netherlands
Poland
Portugal
Romania
Russia
Slovenia
Spain
Sweden
Switzerland
Turkey
United Kingdom
Ukraine
Middle East & Africa
Algeria
Kenya
Middle East
Namibia
Nigeria
South Africa
Asia & Pacific
Australia
China
Hong Kong
India
Indonesia
Japan
Malaysia
New Zealand
North Korea
Philippines
Singapore
South Korea
Thailand
United States

Ransomware Exploits the Italian Police

Rossano Ferraris

19/12/2011

Today, Total Defense Research Team was informed of new ransomware circulating among Italian users pretending to be an official statement by the Italian Police. This malware is spread by drive-by-download through websites compromised with malicious JavaScript code.

Figure 1: False banner statement used by the ransomware

The banner falsely represents an official message addressed to the user of the victim machine stating that the IP address of the machine has been confiscated because of its illegal hosting of content related to child pornography.
Additionally the fake official banner states that the computer is also spreading illegal spam with terrorist intent.
For this reason –the message continues- the computer has been blocked to avoid further distribution of illegal content.
The fake message goes on to state that in order to unblock the computer the user must pay a fine of 100 Euros within 24 hours.
Different methods of payment are showed to the user such as “paysafecard”, “ukash”, and “sisal."

Upon execution, the ransomware locks the computer displaying the above banner and disallowing the user to perform any operation.
This situation has created a lot of confusion and concern among people affected by the malware who immediately called the various Police departments for clarifications.

According to our investigation, the ransomware attacks the victim machine disabling the Task Manager and compromising the registry of the Windows operating system.
Below is the main malicious registry item added by this malware sample:

"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" value="vasja"

This registry entry ensures the malware starts itself on the restart of the machine.
This malware is blocked by Total Defense Security products and it is detected as “Ransom.ZAAC” by our anti-malware.

Useful recommendations:

In order to prevent situations like this Total Defense Research Team recommends that you:

Enable a firewall on your computer
Get the latest computer updates for all your installed software
Use up-to-date antivirus software
Limit user privileges on the computer (don't logon as the Administrator)
Use caution when opening attachments and accepting file transfers
Use caution when clicking on unsolicited links to webpages
Avoid downloading pirated software

Home & Home Office

Home & Home Office Support

Business

Business Support

Partners

Deal Registration

Support

Security Advisor

Home & Home Office

Business

About Us

News

Ransomware Exploits the Italian Police

Comments

Categories

Latest Comments

Shop

Support

Company Info

Resources

Ransomware Exploits the Italian Police

Comments

Tags

Categories

Latest Comments