Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Ransomware Abusing Norton Logo

Created: 18 Jul 2013 17:39:12 GMT • Updated: 23 Jan 2014 18:05:24 GMT • Translations available: 日本語
Symantec Security Response's picture
+1 1 Vote
Login to vote

There are reports in the media of a particular ransomware, a type of malware, using the official Symantec Norton logo to dupe victims into believing the ransomware is verified by Symantec. This is a common social engineering technique used by malware authors to deceive victims. It is not the first time that a security company’s logo has being abused by ransomware.

Symantec detects this ransomware as Trojan.Ransomlock.Q and our IPS protection System Infected: Trojan.Ransomlock.Q will also detect its network activities.
 

image1_6.png

Figure 1. Trojan.Ransomlock.Q as seen by German users, note the Norton logo (image courtesy of Heise Online)
 

As always, for those affected by these scams—DO NOT PAY THE RANSOM. Instead, follow our removal steps and watch our removal instruction video.

The functionality and modus operandi of ransomware have not changed much over the years and while we’ve countless new designs from one variant to another, they do keep to a certain design convention and usually impersonate official institutions and legitimate security companies to obtain an air of authenticity.

When it comes to Trojan.Ransomlock.Q, (a.k.a., Urausy), the authors are known to be very active and constantly update their designs as the political landscape changes depending on which country is being targeted. They are indeed very crafty and keep up to date with the news. Interestingly they haven’t used the Symantec Norton logo in the Irish version.
 

Irish_ransomware_norton.png

Figure 2. Trojan.Ransomlock.Q as seen by Irish users