SophosLabs has received a number of disturbing reports from German computer users about a ransomware malware attack that is locking computer screens, and demanding payment of a fine.
Like other ransomware attacks, a message appears, claiming to come from the police, which says that the evidence gathered proves that the computer has been used to view pornography involving minors.
Unlike most attacks, however, the warning message also includes images of the purported sexual abuse of children, along with the minors’ names, dates of birth and location.
Some of the images claim to be of girls as young as 13 years old. Obviously, we are unable to confirm if the people pictured in the images are as young as the bogus police warning message claims.
However old the people in the pictures really are (and some of them *do* look under-age), it’s easy to imagine how people who see what appears to be an official police warning, alleging that child porn websites have been accessed, and finding that their computer has been locked, could easily be scared into paying a fine to the cybercriminals behind this attack.
Naturally we have informed the authorities – including our colleagues at the Internet Watch Foundation – so they can work with their partners worldwide, and we have censored the images used in this article.
SophosLabs hasn’t received any reports of sightings of the ransomware from UK computer users, but if the webpage is visited from a UK IP address the message adjusts itself to pretend to come from the Metropolitan Police rather than the Bundeskriminalamt:
Your Personal Computer has been blocked
The work of your computer has been suspended on the grounds of unauthorised cyberactivity
All the illegal actions that you performed on this computer were recorded and classified in the Police Database. This also includes photos and videos that were taken by your web camera for further identification. You've been charged with viewing pornography that involves minors.
The computer’s IP address and internet service provider are also displayed, and in the corner of the screen a live video image from the computer’s webcam can be seen.
There has been a spate of attacks in the last year in which computer users have found their computers frozen by messages purporting to come from the police and claiming to have gathered webcam evidence of who was using the computer at the time of the alleged offence.
Perhaps the most famous example of ransomware malware is Reveton, described by Paul Ducklin in the following great video:
Spanish police arrested more than a dozen members of a multi-national Reveton gang earlier this year.
Whether the latest ransomware impacting German computer users is related to Reveton is currently unclear, and malware experts at SophosLabs are continuing to investigate the attack. Sophos products have already been updated to block access to the offending website where the messages are displayed.
How to report online child abuse
If you have information about online child abuse that you wish to report to the authorities, visit the websites of the Virtual Global Taskforce, CEOP (the Child Exploitation and Online Protection Centre) and the IWF (Internet Watch Foundation) which provide a reporting mechanism.
Thanks to Dirk Kollberg and Paul Baccas of SophosLabs for their assistance with this article.
Dang.
I really hope those pictures are just girls who look underage, and aren't underage.
If they are underage then wow, that would be horrible. :/
It's horrible even if they are bordering on underaged. Being a day over or under doesn't make it right.
I'm in the US and I have a friend here who was a victim of this type of ransomware. What was scary for her though was when she booted up her computer and got the message that said her computer was locked by the police for viewing child pornography, a picture of her husband then came up on the screen that had apparently been taken from her own webcam.
She was never able to get her computer and her documents back, and ended up having to buy a new computer and start over with everything.
Buy a new computer? Why not just re-image the old one?
Some of the more advanced ransomware encrypts all content of a computer using PGP public/private key encryption for real. So without the correct private key it's not possible to get the files back.
I think Joe was implying that the drive could be wiped (not recovering old files) and reinstalling the OS. New computer isn't really necessary. Even if for some odd reason you couldn't format the drive and reuse it, at very minimum only a new hard drive would be necessary.
I've fixed them without having to wipe the PC. Should have taken it to a professional; it had to be cheaper than a new machine.
You don't say how this malware is transmitted. I'm not particularly malware savvy. Do you have to visit the website or does it turn up in an email or what? Cheers, Kathy
We’re still investigating that. It’s not the website with the offensive content that is infecting people – that appears to be where infected users are taken.
A friend of mine caught the virus from watching a football live-stream. He just HAD to reinstall the antivirus at the same time as a game.
This sort of attack works well on shared computers, because someone who hasn't been viewing said illegal content can't be sure nobody else has; among people who fall for it, it's bound to create distrust. But I wonder if it's at all effective on people who live alone. Even if I weren't already well aware of ransomware, if nobody but me had access to my computer and it started accusing me of something I know I didn't do, I'd immediately become suspicious. I imagine many people feel the same way.
I got hit with this yesterday morning, got round it myself by rebooting in safe mode and restoring the system to the last restore point before this happened, worked a treat, so if you get hit, that's how you unlock your PC easily.
Ahh but with another issue, I tried to restore to an earlier restore point and 95% of the way through restoring a message came up saying the restore failed and to try an earlier point.
This happened several times with each earlier point until I had to create a current restore point and restored from that!
Weird PCs
Wish we could simply go back to slabs and chisels, hieroglyphics and two tin cans and stretched string, LOL
Wouldn't surprise me that the same bozos that were responsible for the Stuxnet attack were the creators of this sickness.
Really? Do you know anything about Stuxnet at all? Maybe you are being sarcastic about something which I don't get?
Last time I had a PC with this, I logged in as a different user (I had to unlock the administrator account from DOS with net user). Under the second user the pop-up never occurred and I could remove it easily.
Another potential issue is just having those images cached on your computer can itself get you into serious trouble….
The amazing thing with these ransomware attacks is they do not need to "click to download" or "click to install" and they are not stopped by IE10 or Norton; you just need to be on the infected website.
It then takes a safe boot or a boot from CD-ROM to run a program like Norton Power Eraser to get back into a PC not "jammed" by the warning page.
This is why most people get caught: it is not obvious how to clear the problem even if you notice the wording errors and lack of contact info (and of course the police would not give you an online fine for such downloads, it would be a 5am knock at the door!), as not only do you have to know how to run an AV program as a boot-up disc, but once back into the PC you need to run the installed one a couple more times to get rid of the other bits of it left on the system.
Disturbing most AV companies can't prevent ransomware. And forget Safe Mode, Safe Mode with Networking, Safe Mode with Command Prompt. The criminals upped their game by effectively blocking these modes. The irony is that removing ransomware manually with a live CD is not so difficult.
Well, many if not most anti-viruses *can* prevent ransomware, at least for the most part. (There will always be some malware that gets through, especially if you aren't up to date, or haven't turned on the proactive parts of your anti-virus.)
And many anti-viruses companies, including Sophos, have cleanup CDs of the sort you mention. The Sophos one is called SBAV, for Sophos Bootable Anti-Virus.
If you watch the video in the article, it shows you the Reveton ransomware in action, it shows SBAV removing it automatically, and it shows a properly-configured Sophos Anti-Virus (SAV) blocking it proactively.
[The SBAV clip starts at about 1'47"; SAV appears at about 2'07".]
HtH.
My parents got hit with this variant recently whilst browsing as normal. I was away but they called me and were understandably disturbed by what they had seen. They got it removed eventually but it’s left them a bit concerned about security of personal data as the lock screen also referenced file locations on their computer.
Ransomware of this sort generally relies on malware running on your PC, which means the malware does have access to your hard disk and the files on it…
Whilst most ransomware of this sort I'm aware of just goes after your wallet, it's wise to "assume the worst" after an infection.
In particular, once you're sure you're clean, you may as well do a systematic change of passwords for the various online services you use, in case the crooks have been logging keystrokes…
"Some of the images claim to be of girls as young as 13 years old" … "Lisa xxx Birth date: 01-28-2001"
Graham, brush up on your arithmetic before you get yourself into trouble.
One positive result from these scary ransomware attacks is that it raises security and privacy awareness in the non tech savvy. That helps with the ongoing fight for privacy against the unnoticed abusers (Facebook, Google, Big Brother, etc.).