Anonymous ransomware - but who is hiding behind this malware's mask?

Filed Under: Featured, Law & order, Malware, Ransomware

Here's an interesting twist of the Reveton/FBI/police ransomware that has been plaguing internet users lately.

In this example, the malware that locks you out of your data, and demands £100 be paid via Ukash to gain access back to your files, claims to be from the Anonymous hacktivist group.

Anonymous ransomware. Click for larger version

Part of the message reads:

We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.

Tango down!

Your computer has been hacked by the Anonymous Hackers Group and locked for the moment. All files have been encrypted. You need to pay a ransom of £100 within 24 hours to restore the computer back to normal. If the ransom is not paid on time all the contents of your computer will be deleted and all your personal information such as your name, address, D.O.B, etc. will be published online, after this has been done the processor, ram and motherboard will be fried. Any attempts to remove this virus will result in the consequences mentioned.

Of course, just as when ransomware victims see demands from cash on their computer seemingly coming from the police, they should be equally dubious about whether this particular attack originated from someone affiliated with Anonymous hacktivists.

Although, now I come to think about it, it's not really possible for Anonymous to deny that it is involved. After all, being truly anonymous means that you don't know what other people might be doing under the banner of Anonymous.

Ultimately, you can't believe anything when it comes to Anonymous.

One thing is certain, however, and that's the need to better protect computers against the threat of ransomware - whoever might be creating it.

Always remember to keep your anti-virus software up-to-date (Sophos detects this particular ransomware as Troj/Ransom-KI), and to run a tight ship when it comes to patching your operating system and applications to protect against vulnerabilities.

That way you'll be making life much more difficult for the bad guys.

Hat tip: @abuse_ch

, ,

You might like

8 Responses to Anonymous ransomware - but who is hiding behind this malware's mask?

  1. Joe · 1036 days ago

    What a load of BS ! Sounds like a prank from some junior high kids ...

  2. BallaR · 1036 days ago

    I think this is part of a smear campaign against Anonymous

  3. Doug · 1036 days ago

    I don't know about a smear campaign, as the article implied, when you are anonymous how do you deny or claim responsibility with any credibility. Oh this anonymous persona is the real anonymous persona, wait no this one is. Digital Terrorism basically.

  4. Nigel · 1036 days ago

    "Ultimately, you can't believe anything when it comes to Anonymous."

    Yup...that sums it up perfectly. How can you believe anything said by people who are too cowardly to be held accountable for the consequences of their actions? If their credibility were radioactive, you couldn't find it with a geiger counter.

  5. jonhawk · 1033 days ago

    Whatever you think about Anonymous, how can this be called terrorism, Doug - where are the bombs, the bloodshed, the deaths, the actual terror?

    • CDB · 1033 days ago

      Well, considering the requested ransom is in GBP, I will assume this is taking place in the United Kingdom. According to the United Kingdom's "Terrorism Act 2000":

      (1) In this Act "terrorism" means the use or threat of action where:

      (a) the action falls within subsection (2),
      (b) the use or threat is designed to influence the government or to intimidate the public or a section of the public and
      (c) the use or threat is made for the purpose of advancing a political, religious or ideological cause.

      (2) Action falls within this subsection if it:

      (a) involves serious violence against a person,
      (b) involves serious damage to property,
      (c) endangers a person's life, other than that of the person committing the action,
      (d) creates a serious risk to the health or safety of the public or a section of the public or
      (e) is designed seriously to interfere with or seriously to disrupt an electronic system

      Therefore, this ransomware and therefore the one who implemented it:
      1. Seeks to use threats to influence a section of the public (private citizens or business),
      2. Appears to be for advancing an ideological cause (Anonymous and/or its actions),
      3. Its actions threaten serious damage to property (frying a computer) and directly interferes with an electronic system (unlawful encryption of a system against the will of the user),
      4. Threatens to expose the victim's personal information, thereby putting their safety at risk

      Therefore, this fits the definition of a terrorist act.

      • njorl · 1031 days ago

        Putting aside objection to the notion of the legislature of one country controlling the definition of common English word, the Act requires 1b AND 1c AND (2a OR 2b OR 2c OR 2d OR 2e).

        1b is not true. The threats are not, as far as we know, being made against "a section of the public" (such as a religious group), nor against "the public"; rather the threats arrive to individuals whose systems have been infected at random.

        1c is not true. The purpose of the threat is extortion. If the threatened action is carried out, the purpose of this is strengthen further such threats. In neither case is the purpose that "of advancing a political, religious or ideological cause". If money is extorted, the money may, of course, be put to advancing any number of causes, but that is not the same thing.

  6. Ryan · 1033 days ago

    It's the ransom ware that tells the truth instead of the fake ones.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley