Ransomware scares victims with child sex abuse images


SophosLabs has received a number of disturbing reports from German computer users about a ransomware attack that locks the computer screen and demands payment of a "fine".

German ransomware lock screen

As in other ransomware attacks, a message appears claiming to come from the police and stating that the evidence gathered proves the computer has been used to view pornography involving minors.

Unlike most attacks, however, the warning message also includes images of the purported sexual abuse of children, along with the minors' names, dates of birth and location.

Some of the images claim to be of girls as young as 13 years old. Obviously, we are unable to confirm whether the people pictured are as young as the bogus police warning claims.

Ransomware page visited from UK IP address

However old the people in the pictures really are (and some of them *do* look under-age), it is easy to imagine how someone who sees what appears to be an official police warning alleging that child porn websites have been accessed, and who then finds their computer locked, could be scared into paying the "fine" to the cybercriminals behind this attack.

Naturally we have informed the authorities - including our colleagues at the Internet Watch Foundation - so they can work with their partners worldwide, and we have censored the images used in this article.

SophosLabs has not received any reports of the ransomware from UK computer users, but if the webpage is visited from a UK IP address the message adjusts itself to pretend to come from the Metropolitan Police rather than the Bundeskriminalamt:

Your Personal Computer has been blocked

The work of your computer has been suspended on the grounds of unauthorised cyberactivity

All the illegal actions that you performed on this computer were recorded and classified in the Police Database. This also includes photos and videos that were taken by your web camera for further identification. You've been charged with viewing pornography that involves minors.

The computer's IP address and internet service provider are also displayed, and in the corner of the screen is a live video feed from the computer's webcam.
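The behaviour described above (one URL, with the police branding chosen from the visitor's IP address and the IP and ISP echoed back into the page) is simple to model, and modelling it makes the analysis caveat concrete: an analyst who fetches the page from a different country sees different text, so reports from Germany and the UK can look like two different pieces of malware when they are the same page. The following Python is an added example written for this article, not code from the attack or from SophosLabs. Its IP-range table uses RFC 5737 documentation ranges and made-up ISP names (constructed sample data standing in for a GeoIP database), the country-to-agency mapping uses the two agencies the article names plus a generic fallback that is an assumption, and because the German page's own wording is not quoted in the article, the example reuses the English body text for both and only swaps the agency name.

```python
import ipaddress

# Constructed sample geolocation table (RFC 5737 documentation ranges, made-up ISP names).
# A real kit would consult a GeoIP database; this list stands in for one.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"),      "DE", "Example Telekom"),
    (ipaddress.ip_network("198.51.100.0/24"),   "GB", "Example Broadband"),
    (ipaddress.ip_network("198.51.100.128/25"), "US", "Example Cable"),  # more specific than the /24 above
]

# Country code -> agency named on the lock screen. DE and GB are the two the article
# reports; the generic fallback for any other visitor is an assumption of this example.
AGENCY_BY_COUNTRY = {
    "DE": "Bundeskriminalamt",
    "GB": "Metropolitan Police",
}
FALLBACK_AGENCY = "Police"

# Body text as quoted in the article for the UK variant. The German wording is not quoted
# there, so this example reuses the same text for every country and swaps only the agency.
BODY = (
    "Your Personal Computer has been blocked\n"
    "The work of your computer has been suspended on the grounds of unauthorised cyberactivity\n"
    "You've been charged with viewing pornography that involves minors."
)


def geolocate(ip_str):
    """Longest-prefix match of ip_str against GEO_TABLE. Returns (country, isp) or (None, None)."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for net, country, isp in GEO_TABLE:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, country, isp)
    return (best[1], best[2]) if best else (None, None)


def render_lock_screen(ip_str):
    """Build the page a visitor from ip_str would see: agency chosen by country, IP and ISP echoed back."""
    country, isp = geolocate(ip_str)
    agency = AGENCY_BY_COUNTRY.get(country, FALLBACK_AGENCY)
    return {
        "country": country,
        "agency": agency,
        "page": f"{agency}\n{BODY}\nIP address: {ip_str}\nISP: {isp or 'unknown'}",
    }


if __name__ == "__main__":
    # Same "site", four different visitors: the branding changes, the locking page does not.
    for probe in ("192.0.2.10", "198.51.100.5", "198.51.100.200", "203.0.113.1"):
        print(f"--- visitor {probe} sees: {render_lock_screen(probe)['agency']}")
```

Running it shows the same page producing Bundeskriminalamt branding for a German address and Metropolitan Police branding for a UK one. The practical consequences for anyone investigating a report: fetch the page from the victim's geography (or through a proxy there) when reproducing what they saw, and key signatures and blocklists on the URL and the locking behaviour rather than on the agency name or body text, which are chosen per visitor.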

There has been a spate of such attacks in the last year, in which computer users have found their computers frozen by messages purporting to come from the police and claiming to have gathered webcam evidence of who was using the computer at the time of the alleged offence.

Perhaps the most famous example of ransomware is Reveton, described by Paul Ducklin in the following video:

Spanish police arrested more than a dozen members of a multi-national Reveton gang earlier this year.

Whether the latest ransomware hitting German computer users is related to Reveton is currently unclear, and malware experts at SophosLabs are continuing to investigate the attack. Sophos products have already been updated to block access to the website where the messages are displayed.

How to report online child abuse
If you have information about online child abuse that you wish to report to the authorities, visit the websites of the Virtual Global Taskforce, CEOP (the Child Exploitation and Online Protection Centre) and the IWF (Internet Watch Foundation), each of which provides a reporting mechanism.

Thanks to Dirk Kollberg and Paul Baccas of SophosLabs for their assistance with this article.



23 Responses to Ransomware scares victims with child sex abuse images

  1. daniellynet · 502 days ago

    Dang.
    I really hope those pictures are just girls who look underage, and aren't underage.
    If they are underage then wow, that would be horrible. :/

    • michael555x · 502 days ago

      It's horrible even if they are bordering on underaged. Being a day over or under doesn't make it right.

  2. robin · 502 days ago

    I'm in the US and I have a friend here who was a victim of this type of ransomware. What was scary for her though was when she booted up her computer and got the message that said her computer was locked by the police for viewing child pornography, a picture of her husband then came up on the screen that had apparently been taken from her own webcam.

    She was never able to get her computer and her documents back, and ended up having to buy a new computer and start over with everything.

    • Joe · 502 days ago

      Buy a new computer? Why not just re-image the old one?

      • Kevin · 502 days ago

        Some of the more advanced ransomware encrypts all content of a computer using PGP public/private key encryption for real. So without the correct private key it's not possible to get the files back.

        • Karl · 501 days ago

          I think Joe was implying that the drive could be wiped (not recovering old files) and reinstalling the OS. New computer isn't really necessary. Even if for some odd reason you couldn't format the drive and reuse it, at very minimum only a new hard drive would be necessary.

    • bob · 502 days ago

      I've fixed them without having to wipe the PC. Should have taken it to a professional; it had to be cheaper than a new machine.

  3. Kathy · 502 days ago

    You don't say how this malware is transmitted. I'm not particularly malware savvy. Do you have to visit the website or does it turn up in an email or what? Cheers, Kathy

    • We're still investigating that. It's not the website with the offensive content that is infecting people - that appears to be where infected users are taken.

      • Tor · 502 days ago

        A friend of mine caught the virus from watching a football live-stream. He just HAD to reinstall the antivirus at the same time as a game.

  4. This sort of attack works well on shared computers, because someone who hasn't been viewing said illegal content can't be sure nobody else has; among people who fall for it, it's bound to create distrust. But I wonder if it's at all effective on people who live alone. Even if I weren't already well aware of ransomware, if nobody but me had access to my computer and it started accusing me of something I know I didn't do, I'd immediately become suspicious. I imagine many people feel the same way.

  5. Nick · 502 days ago

    I got hit with this yesterday morning, got round it myself by rebooting in safe mode and restoring the system to the last restore point before this happened, worked a treat, so if you get hit, that's how you unlock your PC easily.

  6. Kim · 502 days ago

    Ahh but with another issue, I tried to restore to an earlier restore point and 95% through restoring a message came up saying the restore failed and to try an earlier point.
    This happened several times with each earlier point until I had to create a current restore point and restored from that!
    Weird PCs
    Wish we could simply go back to slabs and chisels, hieroglyphics and two tin cans and stretched string, LOL

  7. gregbacon · 502 days ago

    Wouldn't surprise me that the same bozos that were responsible for the Stuxnet attack were the creators of this sickness.

    • kevin · 502 days ago

      Really? Do you know anything about stuxnet at all ? Maybe you are being sarcastic about something which I don't get ?

  8. macdhuibhshith · 502 days ago

    Last time I had a PC with this, I logged in as a different user (I had to unlock the administrator account from DOS with net user.) Under the second user the pop-up never occurred and I could remove it easily.

  9. Rob · 502 days ago

    Another potential issue is just having those images cached on your computer can itself get you into serious trouble....

  10. sam · 501 days ago

    The amazing thing with these ransomware attacks is they do not need a "click to download" or "click to install" and they are not stopped by IE10 or Norton; you just need to be on the infected website.
    It then takes a safe boot or boot from CD-ROM to run a program like Norton Power Eraser to get back into a PC not "jammed" by the warning page.

    This is why most people get caught: it is not obvious how to clear the problem even if you notice the wording errors and lack of contact info (and of course the police would not give you an online fine for such downloads, it would be a 5am knock at the door!), as not only do you have to know how to run an AV program from a boot-up disc, but once back into the PC you need to run the installed one a couple more times to get rid of the other bits of it left on the system.

  11. Danny · 500 days ago

    Disturbing that most AV companies can't prevent ransomware. And forget Safe Mode, Safe Mode with Networking, Safe Mode with Command Prompt. The criminals upped their game by effectively blocking these modes. The irony is that removing ransomware manually with a live CD is not so difficult.

    • Paul Ducklin · 500 days ago

      Well, many if not most anti-viruses *can* prevent ransomware, at least for the most part. (There will always be some malware that gets through, especially if you aren't up to date, or haven't turned on the proactive parts of your anti-virus.)

      And many anti-virus companies, including Sophos, have cleanup CDs of the sort you mention. The Sophos one is called SBAV, for Sophos Bootable Anti-Virus.

      If you watch the video in the article, it shows you the Reveton ransomware in action, it shows SBAV removing it automatically, and it shows a properly-configured Sophos Anti-Virus (SAV) blocking it proactively.

      [The SBAV clip starts at about 1'47"; SAV appears at about 2'07".]

      HtH.

  12. Deg · 500 days ago

    My parents got hit with this variant recently whilst browsing as normal. I was away but they called me and were understandably disturbed by what they had seen. They got it removed eventually but it's left them a bit concerned about security of personal data as the lock screen also referenced file locations on their computer.

    • Paul Ducklin · 500 days ago

      Ransomware of this sort generally relies on malware running on your PC, which means the malware does have access to your hard disk and the files on it...

      Whilst most ransomware of this sort I'm aware of just goes after your wallet, it's wise to "assume the worst" after an infection.

      In particular, once you're sure you're clean, you may as well do a systematic change of passwords for the various online services you use, in case the crooks have been logging keystrokes...

  13. njorl · 499 days ago

    "Some of the images claim to be of girls as young as 13 years old" ... "Lisa xxx Birth date: 01-28-2001"

    Graham, brush up on your arithmetic before you get yourself into trouble.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations.