The big, fake, Anonymous ransomware

Do you remember the case of the Anonymous OS proposed in recent months?

Who developed that OS and why?

Difficult to say: maybe law enforcement, to track members of the collective, or someone else who wanted to benefit from the group's popularity to exploit a large number of users.

A similar case has emerged recently: the Swiss security blog abuse.ch has revealed that it found ransomware circulating in the wild and infecting many Windows users.

The singular feature of the malware is that its authors have used the Anonymous name to spread the agent; the intent to discredit the collective is clear.

Attacks on the Anonymous brand are not new: recently a Twitter account named @FawkesSecurity posted a threat to bomb a government building, but Anonymous promptly denied it with the following post:

“Anonymous is not a terrorist organization. Anonymous does not use bombs. Anonymous does not condone violence in any way. Anonymous supports justice and universal equal rights. We support peaceful protest.”

Returning to the malware, it doesn’t present any particular features: it is ransomware that, once it has infected the victim, prevents the owner from accessing the computer and demands that a ransom be paid to the malware's creator in order for the restriction to be removed.

The malware requests 100 € to restore access to the computer and return it to its original condition; the authorship of the ransomware is attributed to Anonymous by the following message:

“We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us. Tango down!

Your computer has been hacked by the Anonymous Hackers Group and locked for the moment. All files have been encrypted. You need to pay a ransom of £100 within 24 hours to restore the computer back to normal. If the ransom is not paid on time all the contents of your computer will be deleted and all your personal information such as your name, address, D.O.B, etc. will be published online, after this has been done the processor, ram and motherboard will be fried. Any attempts to remove this virus will result in the consequences mentioned.”

It does not end here: the malware also threatens to delete files and to publish personal information online if the ransom is not paid within 24 hours.

Further false information has been spread about the malware: rumors claim that it is able to turn the computer into a bomb by overclocking the system.

The malware has a size of 47.0 KB, and according to the VirusTotal report 28 out of 44 antivirus engines are currently able to detect and neutralize it.

“The file sends control codes directly to certain device drivers, making use of the DeviceIoControl Windows API function.

The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.”


The malware is distributed using drive-by downloads and the Blackhole exploit kit; users must be careful about what they download, even from sources that appear legitimate, and as usual the primary suggestion is to keep the computer's security systems updated and operational.

Although the threat posed by the malware is considerably low, I prefer to analyze the phenomenon from a different perspective, trying to imagine who developed the agent.

I totally exclude any government or security agency: the malware is really too simple, and the idea of muddying the Anonymous brand in this way is very stupid. The case is totally different from the spread of the fake OS; I bet on a group of cyber criminals who modified an instance of existing malware and pinned the blame on the famous group of hacktivists.

Pierluigi Paganini


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
