Ransomware continues to grow in popularity with cybercriminals because of its success rate and the money it brings in. In past blogs such as Rampant Ransomware we have discussed several ransomware variants and the techniques they use. We have now encountered yet another new variant, identified as Trojan.Ransomlock.K.
Finding a new ransomware variant is no real surprise, but during analysis we also found the login page of an active command-and-control (C&C) server used by the threat.
Figure 1. Silence Locker Control Panel login
After further analysis and research we identified the control panel behind that login as the Silence Locker Control Panel, which is freely available for download on the Internet and is being used in conjunction with the Trojan.Ransomlock.K threat.
Figure 2. Silence Locker Control Panel
The Silence Locker Control Panel, while written in Russian, offers capabilities similar to those of other control panels we have seen in the past, such as the ones used with Trojan.Zbot and Trojan.Spyeye. The opening screen, seen in Figure 2 above, tracks the number of successful infections.
Figure 3. Silence Locker Control Panel billing
The screen seen in Figure 3 above tracks billing details for each payment, such as the victim's country and the date.
Figure 4. Silence Locker Control Panel picture select
Interestingly, as seen in Figure 4 above, the control panel has a small but effective feature that lets the cybercriminals choose which picture is displayed to the victim based on the victim's GeoIP location. When a computer is infected with Trojan.Ransomlock.K, the Trojan contacts the site hosting the control panel, and the server returns a different image depending on the IP address of the compromised computer. This lets the cybercriminals localize the social engineering lure (language, currency, local authorities or brands) to maximize the success rate of the scam, and because the image is fetched from the server rather than embedded in the Trojan, the lure can be changed at any time without redeploying the malware. That outbound request to the panel host is also worth noting from a defender's point of view: it is the one network interaction the infection needs in order to display its lure. If only the default picture is configured (as seen in Figure 4), the victim is shown the screen seen in Figure 5 below, with a blank box and an enter button.
Figure 5. Silence Locker Control Panel default picture
However, if the cybercriminals upload their own picture, such as the one seen below in Figure 6, the victim is presented with a localized social engineering message requesting payment to protect the victim's system. This screen is the same one presented in Figure 5, only with a different background picture. The code behind the picture does not change: it allows the victim to make a payment through an e-commerce payment system, and that payment is then tracked in the Silence Locker Control Panel billing screen seen in Figure 3.
Figure 6. Silence Locker Control Panel uploaded picture
Malware and phishing crimeware kits built around web-based control panels are commonplace among cybercriminals. This is nothing new and is to be expected. We have not seen a Trojan builder for Trojan.Ransomlock.K at this time, but if this kit is anything like the other crimeware kits sold on underground forums, a ransomware Trojan builder is likely to be sold as part of it, so that the kit contains both a builder and a control panel, as seen with the now infamous Zeus and SpyEye crimeware kits.
As always, we recommend staying vigilant when presented with any alerts and keeping your antivirus up to date to help protect against such threats.