Researchers at Trusteer have uncovered another twist to some ransomware that infects computers and demands payment, by claiming to be from the US Department of Justice.
Delivered along with financial malware, the ransomware is the latest example of a recent uptick in ransomware activity, security experts say.
A notorious malware platform targeting financial information has added a new trick to its portfolio – a digital version of hijack and ransom.
According to security firm Trusteer, the Citadel malware platform is delivering ransomware that hijacks victims’ computers. Ransomware works by restricting access to infected computer systems so that the attackers can extort payment in exchange for restoring access.
“This is another example of financial malware expanding beyond online banking fraud and being used as a launch pad for other types of cyber-attacks,” blogged Trusteer CTO Amit Klein. “Citadel is able to target employees to steal enterprise credentials, and in this example, targets victims directly to steal money from them, instead of their financial institution.”
Ransomware is hardly a new threat. However, this situation is another example of what some security researchers say is a recent uptick in ransomware activity. Jeff Wilhelm, senior analyst with Symantec Security Response, speculated that the upsurge may be due to some experimentation by attackers, who typically go where money is made the easiest.
“Ransomware is a pretty popular cyber-criminal tactic, though it still takes a backseat to such crimeware threats such as the Trojan.Zbot [Zeus],” he noted.
In April, researchers at Trend Micro reported on a piece ransomware that took the additional step of targeting the master boot record (MBR) to take control of a system.
“Last February, certain attackers compromised the Website of the French confectionery shop Ladurée to spread [ransomware],” Trend Micro Threat Response Engineer Cris Pantanilla blogged at the time. “Users who visited the said site when it was compromised ended up with systems infected with TROJ_RANSOM.BOV. This variant was found to display a notification that impersonates the French National Gendarmerie and demands payment from affected users. The people behind this attack have also impersonated police notifications from Italy, Germany, Belgium and Spain.”
“Though overshadowed by other more newsworthy threats, ransomware attacks are definitely not out of the picture,” he added.
In the case of the attack reported by Trusteer, victims are being lured to a drive-by download site and hit with a dropper that installs the Citadel malware. Citadel then retrieves the ransomware DLL from its command-and-control server, Klein explained.
“In order to unlock their computer, the victim is instructed to pay a $100 (£62) fine to the US Department of Justice using prepaid money card services,” he wrote. “The payment service options presented to the victim are based on the geographic location of their IP address. For example, users with US IP addresses must pay using MoneyPak or Paysafecard.”
Citadel also continues to operate on the compromised machine on its own, independent of the Reveton ransomware. A descendant of the Zeus Trojan, Citadel can be used by fraudsters to commit online banking and credit card fraud through man-in-the-browser, keylogging and other tactics, Klein noted.
“It is clear from this and similar attacks we have discovered recently that financial malware has achieved a technological level of sophistication which enables it to be used to carry out virtually any type of cyber-attack,” he wrote. “Through a combination of social engineering, data capturing and communication tampering, these attacks are being used by criminals to target applications, systems and networks belonging to financial institutions, enterprises, and government agencies in order to commit fraud or steal sensitive information.”
Think you know security? Test yourself with our quiz.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…