Romanian ransomware server brought down

BitDefender UK : 31 January, 2014  (Technical Article)
Bitdefender analysts examine a ransomware server in Romania, discovering over 10,000 successful Trojan installs in the UK

Bitdefender has revealed that at least 10,331 successful installs of ICEPOL Trojan Ransomware took place in the UK last year.

Bitdefender’s Cybercrime Investigation Unit analysed the disk images of the servers used to distribute ICEPOL Trojan in cooperation with the Romanian National Police. The servers, located in Bucharest, Romania, were seized by the authorities, and the information retrieved was analysed together with Bitdefender as part of a technical cooperation program.

In the timeframe analysed by Bitdefender, 1st May to 26th September 2013, the server had logged 267,786 successful installs of ICEPOL Trojan Ransomware. The USA and Germany were most affected by the infections, with 42,409 and 31,709 installs respectively. Bitdefender warns, however, that the overall number of machines infected worldwide is likely to be even higher, as this server was one of dozens distributing ICEPOL Trojan, and the analysed network continued to operate after this particular server was taken offline for study purposes.

The ICEPOL Trojan extorted victims who downloaded it by sending them a message in any one of 25 languages purporting to be from police accusing them of downloading copyrighted material or illegal pornography. It then locked their desktop and demanded a payment in return for unlocking it.

Catalin Cosoi, Chief Security Strategist at Bitdefender, states, “As our analysis demonstrates, the criminal underworld seems to have developed malware distribution networks (MDNs), which work much in the same way as legitimate CDNs, even down to the money-making referral and syndication schemes.”

“The results of the investigation of the ICEPOL Ransomware are based on the cooperation with several law enforcement agencies and third party vendors,” adds the head of the Service for Countering Cyber Criminality within the Romanian National Police. “We will continue fighting cybercrime even though the lack of jurisdiction when involving other areas sometimes slows things down.”

The component responsible for registering malware distribution domains, called xstats, generated domain names on demand by joining four words drawn from a dictionary of 551 pornography-related words. The IP address for each new host was then chosen from a list of 45 unique IP addresses.
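As an added illustration of the domain-generation pattern just described (this is not Bitdefender's or the xstats code; the real 551-word dictionary and the 45-address list are not on the page, so a small constructed wordlist and constructed DNS log lines stand in), here is a defender-side check that flags queried domains whose label is exactly a concatenation of four or more dictionary words and groups the hits by the address they resolved to, so that a shared hosting pool stands out:

```python
from functools import lru_cache

# Constructed stand-in wordlist; the real dictionary is not on the page.
WORDLIST = {"free", "video", "hot", "live", "cam", "movie", "girl", "chat", "tube", "best"}

# Constructed DNS log lines: "<timestamp> <client> <qname> <answer-ip>"
SAMPLE_DNS_LOG = """\
2013-05-02T10:14:01 10.0.0.5 freehotvideochat.com 203.0.113.10
2013-05-02T10:14:07 10.0.0.5 www.example.org 93.184.216.34
2013-05-02T10:15:22 10.0.0.9 livecamgirlmovie.net 203.0.113.11
2013-05-02T10:16:40 10.0.0.9 bestvideo.com 198.51.100.7
"""


def tile(label, words):
    """Return the tiling of `label` by dictionary words that uses the fewest
    words, or None if the label cannot be tiled exactly. Fewest-words is the
    conservative choice: it keeps short labels from reaching the threshold."""
    @lru_cache(maxsize=None)
    def best(i):
        if i == len(label):
            return ()
        cand = None
        for j in range(i + 1, len(label) + 1):
            if label[i:j] in words:
                rest = best(j)
                if rest is not None and (cand is None or len(rest) + 1 < len(cand)):
                    cand = (label[i:j],) + rest
        return cand
    return best(0)


def score_domains(log_text, words, min_words=4):
    """Parse log lines, flag second-level labels fully tiled by at least
    `min_words` dictionary words, and group hits by answer IP."""
    flagged = {}
    for line in log_text.splitlines():
        _ts, _client, qname, ip = line.split()
        labels = qname.lower().rstrip(".").split(".")
        sld = labels[-2] if len(labels) >= 2 else labels[0]
        parts = tile(sld, words)
        if parts and len(parts) >= min_words:
            flagged.setdefault(ip, []).append((qname, parts))
    return flagged


if __name__ == "__main__":
    for ip, hits in score_domains(SAMPLE_DNS_LOG, WORDLIST).items():
        print(ip, hits)
```

In practice the wordlist would be tuned to the environment and the threshold raised or lowered against a baseline of legitimate multi-word domains to control false positives.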

The pay-per-click module, named tds, simply redirected incoming traffic to a list of domains, presumably those of paying advertisers or other Trojan distribution sites. Traffic was directed according to an administrator-set list of filter rules, such as country of origin, operating system, browser type or the maximum number of clicks allowed. Bitdefender's analysis found that some of the traffic originated from several pornographic websites as part of a so-called traffic exchange scheme.

   © 2012 ProSecurityZone.com