Ransomware is a threat that continues to grow in popularity with cybercriminals due to its success rate and monetary potential. In past blogs such as Rampant Ransomware we have discussed several different ransomware variants and techniques. Now we have encountered yet another new variant, identified as Trojan.Ransomlock.K.
While finding a new ransomware variant is no real surprise, during analysis we found an active command-and-control (C&C) server login used by the threat.
Figure 1. Silent Locker Control Panel login
After further analysis and research we then identified a control panel known as the Silent Locker Control Panel which is freely available for download on the Internet and is being used in conjunction with the Trojan.Ransomlock.K threat.
Figure 2. Silent Locker Control Panel
The Silent Locker Control Panel, while in Russian, has some capabilities similar to other control panels we have seen in the past used in conjunction with malware such as Trojan.Zbot and Trojan.Spyeye. The opening screen, seen in Figure 2 above, is used for tracking the number of successful infections.
Figure 3. Silent Locker Control Panel billing
The screen, seen in Figure 3 above, is used for tracking billing details such as country and date.
Figure 4. Silent Locker Control Panel picture select
Interestingly though, as seen in Figure 4 above, the control panel allows for a nifty little feature to choose which picture you want to display to your victim depending on their GeoIP location. This means that when a victim is infected with Trojan.Ransomlock.K it will contact the site hosting the control panel and, depending on the IP location, the site will serve a different image to the victim. This allows the cybercriminals using the control panel to localize the social engineering to maximize the potential success rate of the scam. If just the default picture is chosen (as seen in Figure 4) the victim will be shown the screen seen in Figure 5 below, with a blank box and an Enter button.
Figure 5. Silent Locker Control Panel default picture
However, if the cybercriminals upload their own picture, such as the one seen below in Figure 6, the victims will be presented with localized social engineering requesting payment to protect the victim's system. This screen is the same one as presented in Figure 5, except it has a different background picture. The code behind the picture is the same, which allows the victim to make a payment through an e-commerce payment system which is then tracked in the Silent Locker Control Panel seen in Figure 3.
Figure 6. Silent Locker Control Panel uploaded picture
Malware and phishing crimeware kits using webpage control panels are commonly used by cybercriminals. This is nothing new and is to be expected. We have not seen a Trojan builder for Trojan.Ransomlock.K at this time, but if it is anything like other crimeware kits sold on underground forums it is likely to have a Trojan ransomware builder sold as part of the kit (containing a builder and control panel, as seen with the now infamous Zeus and SpyEye crimeware kits).
As always, we recommend staying vigilant when presented with any alerts and ensuring your antivirus is up to date to help protect against such threats.