Yes, it does. And depending on where you are located, it can even speak in your mother tongue.
As discussed in our paper Police Ransomware Update, the people behind police Trojan/Ransomware have implemented improvements to make this threat more effective. Gone are the days when ransomware simply showed a message that users’ systems are “captured” and that they have to pay a fee to have them back.
These days, this new breed of ransomware notifies users of the fee (or ransom) under the guise of the victim’s local law enforcement agencies. Thus, a user with a ransomware-infected system from France will get a notification from the Gendarmerie Nationale, while a US-based one will likely receive a message from the FBI.
Raising the stakes further, we received a report that a new police Trojan variant even has a “voice”. Detected as TROJ_REVETON.HM, it locks the infected system, but instead of just showing a message, it now verbally urges users to pay. The user won’t need a translator to understand what the malware is saying – it speaks the language of the country where the victim is located.
From a threat previously limited to Russia, ransomware has now leaped to other European countries, the United States and Canada. Because ransomware relies on electronic cash payment methods such as Ukash, PaySafeCard and MoneyPak, the people behind this threat profit from it while leaving only a faint money trail, which lets the gangs hide their tracks easily. To learn more about ransomware, see some of the posts we’ve published about this malware:
- Police Ransomware Bears Fake Digital Signature
- New Ransomware Plays Its Victims an Audio File, Over and Over and Over.
- Police Ransomware: How to Get Your Malware Noticed
TROJ_REVETON.HM, unfortunately, is possibly just the tip of the iceberg. It’s not a stretch to say that we can expect further improvements for this malware: possibly a singing ransomware in the near future?
Trend Micro Smart Protection Network protects users from this threat by detecting and deleting ransomware variants if found in the user’s system. As an added precaution, users should refrain from downloading files from unknown URLs or from opening files or links contained in dubious-looking email messages.
With additional analysis from Threat Response Engineer Jason Pantig.