When we saw the adjacent sign at a small-town, independent IT service company called The Computer Shop, in Carlisle, Pa (northeastern USA, for those who need geographical help!), we couldn’t resist the urge to go inside and get the “street-level” view of the recent surge of “FBI” ransomware.
We spoke to a store employee, Ken, who said that the ransomware surge had started in midsummer, about the same time as we did our analysis linked to above.
Store technicians had been cleaning the “FBI” ransomware from computers for about six customers each month, he said. Some customers had had the good sense to check with the shop before paying the “fine” demanded by the malcode.
The computer store charged $35-80 (US) to use anti-virus and other repair software to remove the malcode, he said. Some machines were found to be infected with several pieces of malcode and required more work than others.
The rash of “FBI” ransomware infections – often delivered by operators using the Blackhole exploit kit – followed a surge of fake AV infections the store had seen last year and in the winter, he said.
If six cases of the “FBI” ransomware each month seem insignificant, consider that this is just one of several computer repair shops in a rather small town of 20,000 people.
“FBI” ransomware page design variations
The “FBI” ransomware pages, frequently delivered by operators using the Blackhole exploit kit, continue to change and show a variety of designs from independent sources.
Certainly there is more than one operator behind these. What is common is the concept of locking up a victim’s machine, displaying a page claiming to be the work of a law-enforcement or digital-rights agency and demanding payment of a “fine” through an untraceable payment system.
The schemes that the Web Threats Research group has been seeing lock up a victim’s computer and demand a “release fee” (ransom) of $200 through the untraceable Green Dot MoneyPak system. Paying the money does not result in the restoration of the machine.
We have seen similar schemes display ransomware pages that claim to be from the US Department of Justice, the Metropolitan Police in the UK, the GVU (Gesellschaft zur Verfolgung von Urheberrechtsverletzungen) in Germany and GEMA (Gesellschaft für musikalische Aufführungs- und mechanische Vervielfältigungsrechte) also in Germany.
The GVU is an association that pursues infringement of motion picture, music and software copyrights, and GEMA is a performance rights organization.
The malware behind the ransomware checks for the victim’s location and presents a page that claims to be from an appropriate police force or enforcement group.
Below are four designs currently circulating in the US.