Figure 1: False banner statement used by the ransomware
The banner poses as an official message addressed to the user of the victim machine, stating that the machine's IP address has been confiscated because it was illegally hosting content related to child pornography.
The fake official banner also states that the computer is spreading illegal spam with terrorist intent.
For this reason, the message continues, the computer has been blocked to prevent further distribution of illegal content.
The fake message goes on to state that, in order to unblock the computer, the user must pay a fine of 100 Euros within 24 hours.
Several payment methods are shown to the user, such as "paysafecard", "ukash" and "sisal".
Upon execution, the ransomware locks the computer, displaying the above banner and preventing the user from performing any operation.
This situation has caused considerable confusion and concern among people affected by the malware, who immediately called various police departments for clarification.
According to our investigation, the ransomware attacks the victim machine by disabling the Task Manager and modifying the registry of the Windows operating system.
Below is the main malicious registry item added by this malware sample:
This registry entry ensures that the malware starts itself again whenever the machine is restarted.
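As an added example (not code from the Total Defense write-up), the following PowerShell script lets an analyst check a machine for the two behaviours described above: an autostart registry entry that relaunches a program at reboot, and the policy value that disables Task Manager. The page does not give the sample's exact registry key, so the script audits the standard Windows autostart locations rather than that specific key; the set of "trusted" directories is an assumption chosen for illustration.

```powershell
# Added audit script, not from the original write-up. It lists entries in the
# usual Windows autostart registry locations and reports whether Task Manager
# has been disabled by policy. The sample's own key is not given on the page.

$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Assumed "trusted" roots: legitimate autostart commands usually point here.
# Anything launched from elsewhere (e.g. %TEMP% or %APPDATA%) deserves a look.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Get-SuspiciousAutostart {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            # Under Winlogon only Shell and Userinit launch programs; skip the rest.
            if ($key -like '*Winlogon' -and $name -notin 'Shell', 'Userinit') { continue }
            $value = [string]$item.GetValue($name)
            $lower = $value.ToLowerInvariant()
            $inTrusted = $trustedRoots | Where-Object { $lower.Contains($_) }
            if ($lower -eq 'explorer.exe' -or $inTrusted) { continue }
            [pscustomobject]@{ Key = $key; Name = $name; Command = $value }
        }
    }
}

function Test-TaskManagerDisabled {
    # DisableTaskMgr = 1 under the Policies\System key blocks Task Manager.
    foreach ($hive in 'HKCU', 'HKLM') {
        $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $v = (Get-ItemProperty -Path $pol -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
        if ($v -eq 1) { return $true }
    }
    return $false
}

Get-SuspiciousAutostart | Format-Table -AutoSize
if (Test-TaskManagerDisabled) { Write-Warning 'Task Manager is disabled by policy.' }
```

Entries reported by the script are candidates for review, not confirmed infections; compare each command against what the software installed on the machine is expected to run.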
This malware is blocked by Total Defense Security products and is detected as "Ransom.ZAAC" by our anti-malware.
To prevent situations like this, the Total Defense Research Team recommends that you:
- Enable a firewall on your computer
- Get the latest computer updates for all your installed software
- Use up-to-date antivirus software
- Limit user privileges on the computer (don't log on as Administrator)
- Use caution when opening attachments and accepting file transfers
- Use caution when clicking on unsolicited links to webpages
- Avoid downloading pirated software