Ransomware scares victims with child sex abuse images

Ransomware scares victims with child sex abuse images

SophosLabs has received a number of disturbing reports from German computer users about a ransomware malware attack that is locking computer screens, and demanding payment of a fine.

German ransomware lock screen

Like other ransomware attacks, a message appears claiming to come from the police that says that evidence gathered proves that the computer has been used to view pornography involving minors.

Unlike most attacks, however, the warning message also includes images of the purported sexual abuse of children, along with the minors’ names, dates of birth and location.

Some of the images claim to be of girls as young as 13 years old. Obviously, we are unable to confirm if the people pictured in the images are as young as the bogus police warning message claims.

Ransomware page visited from UK IP address

However old the people in the pictures really are (and some of them *do* look under-age), it’s easy to imagine how people who see what appears to be an official police warning, alleging that child porn websites have been accessed, and finding that their computer has been locked, could easily be scared into paying a fine to the cybercriminals behind this attack.

Naturally we have informed the authorities – including our colleagues at the Internet Watch Foundation – so they can work with their partners worldwide, and we have censored the images used in this article.

SophosLabs hasn’t received any reports of sightings of the ransomware from UK computer users, but if the webpage is visited from a UK IP address the message adjusts itself to pretend to come from the Metropolitan Police rather than the Bundeskriminalamt:

Your Personal Computer has been blocked

The work of your computer has been suspended on the grounds of unauthorised cyberactivity

All the illegal actions that you performed on this computer were recorded and classified in the Police Database. This also includes photos and videos that were taken by your web camera for further identification. You've been charged with viewing pornography that involves minors.

The computer’s IP address and internet service provider is also displayed, and in the corner of the screen can be seen a live video image from the computer’s webcam.

There have been a spate of attacks in the last year, where computer users have discovered their computers frozen by messages purporting to come from the police, and claiming to have gathered webcam evidence of who was using the computer at the time of the alleged offence.

Perhaps the most famous example of ransomware malware is Reveton, described by Paul Ducklin in the following great video:

Spanish police arrested more than a dozen members of a multi-national Reveton gang earlier this year.

Whether the latest ransomware impacting German computer users is related to Reveton is currently unclear, and malware experts at SophosLabs are continuing to investigate the attack. Sophos products have already been updated to block access to the offending website where the messages are displayed.

How to report online child abuse
If you have information about online child abuse that you wish to report to the authorities, visit the websites of the Virtual Global Taskforce, CEOP (the Child Exploitation and Online Protection Centre) and the IWF (Internet Watch Foundation) which provide a reporting mechanism.

Thanks to Dirk Kollberg and Paul Baccas of SophosLabs for their assistance with this article.