This variant is one of the earliest active police Ransomware families, which Symantec has been tracking since at least July 2011. The Trojan was distributed using drive-by download techniques, in conjunction with the Black Hole exploit kit. Early versions of the locking screen were quite primitive but quickly evolved as the author obviously stole design ideas from other Ransomware gangs, as shown in Figure 1.
Figure 1. Early design of Trojan.Ransomgerpo and a more recent, sophisticated style. (The most recent image was kindly provided by Kafeine from botnets.fr)
The Trojan, as Figure 1 implies, initially focused on German individuals, but in later months began to target other countries, primarily the USA. The total set of targeted countries is shown in Figure 2 and a graph of the Trojan’s activity is shown in Figure 3.
Figure 2. Trojan.Ransomgerpo infection map
Figure 3. Infection activity over time
The attackers clearly operated in bursts, distributing the Trojan irregularly over time.
Symantec, as well as several other security companies and researchers, contributed information to law enforcement regarding this particular Trojan and is delighted that an arrest has been made. Symantec will continue to cooperate with law enforcement to ensure that cyber criminals are brought to justice.
For more information on Police Ransomware, see our research paper which investigates over sixteen different Ransomlock families.