Browsers and Ransoms
We have already written about threats that can encrypt files or lock victims out of their computers in order to extract a ransom. Today I want to talk about yet another similar threat. It uses scare or nuisance tactics—similar to rogue antivirus programs—in an attempt to demand ransom from its victims.
Once infected with Trojan.Ransompage, a victim’s browser will display a persistent inline ad on every page that the victim visits. The ad will cover part of the original Web page, as shown below.
The ad will stay on the screen even if the page is scrolled:
This ad is written in Russian and states that in order to remove the ad (and to gain access a porn site) the victim must send a premium rate text message to the number provided, and the user will receive a code to remove the ad.
“If you installed an advertising module has been, but you have chosen to unsubscribe, you send the MC to short number specified below. Code allows you to remove the received news ticker.
1 Informer removed automatically after 30 days.
2 Free porn video archives.
3 Technical support service.
To remove the informer, send SMS message with text [5-digit number] to number [4-digit number].
Enter the code, received in response, MC“
Obviously this is very annoying ad and the victim may just decide to use a different browser. The malware author thought of this too (see below) and actually targets the following three browsers:
So switching to another targeted browser will not necessarily solve the problem. (Actually the code that the attacker uses is not compatible with the latest version of Firefox, so there is one easy escape at the moment.)
Similar to Trojan.Ransomlock and Trojan.Ransomcrypt, this Trojan attempts to make money by utilizing a premium rate telephone number. The premise is that the victim will become so frustrated or embarrassed by the ad that they will succumb to the pressure and send the SMS text message. This threat is also interesting from a technical point of view, so I will follow up with more details in another posting.