Linkup , the ransomware that blocks Internet access and mines Bitcoin

Pierluigi Paganini February 08, 2014

Emsisoft has detected a new variant of malware dubbed Linkup (Trojan-Ransom.Win32.Linkup), it is ransomware that blocks Internet access and mines Bitcoin.

Linkup shows unusual behavior for ransomware. Typically, ransomware locks the victim’s computer or encrypts files and demands a ransom to unlock them; Linkup instead blocks Internet access by modifying the DNS settings, and it also includes the ability to mine Bitcoin.

Once Linkup has infected the system, it copies itself and disables Windows Security and Firewall services to ease the infection process. The malware then changes the DNS settings: the poisoned DNS configuration allows Internet access only to the malicious code, blocking every other connection.

“Once the Linkup Trojan has been executed, it makes a copy of itself in the %AppData%\Microsoft\Windows directory named svchost.exe, a fake name meant to mimic a normal file on your computer, which is located in %windir%\system32. To mark its presence in the system, Linkup creates a mutex named tnd990r or tnd990s. We have also found that Linkup will actually disable selected Windows Security and Firewall services to facilitate infection,” states the official post. “To redirect every single DNS request, Linkup also makes several changes in the Windows registry, including modifying the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%interfaceGUID%
  • "NameServer" = "127.0.0.1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%interfaceGUID%
  • "DhcpNameServer" = "127.0.0.1"”
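The indicators quoted above (the loopback DNS entries per interface, the svchost.exe copy under %AppData%\Microsoft\Windows, the tnd990r/tnd990s mutex and the stopped defense services) can be checked from an elevated PowerShell prompt. The script below is an added triage example written for this article, not code from Emsisoft or from the Linkup analysis; the candidate service names (MpsSvc, wscsvc, WinDefend) are my assumption, since the post only says "selected Windows Security and Firewall services", and the DNS reset uses the standard DnsClient cmdlets rather than anything described in the post.

```powershell
# Added example (not from the Emsisoft post): read-only triage for the Linkup
# indicators, plus an opt-in DNS reset. Run as Administrator.

# 1. DNS hijack: interface keys whose NameServer/DhcpNameServer point at 127.0.0.1
function Get-LinkupDnsIndicators {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        foreach ($name in 'NameServer', 'DhcpNameServer') {
            $value = $props.$name
            # Values may hold several servers separated by spaces or commas
            if ($value -and (($value -split '[ ,]+') -contains '127.0.0.1')) {
                [pscustomobject]@{ Interface = $_.PSChildName; Value = $name; Setting = $value }
            }
        }
    }
}

# 2. Dropped copy: the real svchost.exe lives in %windir%\system32, never under %AppData%
function Get-LinkupFileIndicator {
    $path = Join-Path $env:APPDATA 'Microsoft\Windows\svchost.exe'
    if (Test-Path -LiteralPath $path) { Get-Item -LiteralPath $path }
}

# 3. Infection marker: the post names the mutexes but not their namespace, so
#    both the session-local and the Global\ form are tried.
function Get-LinkupMutexIndicator {
    foreach ($name in 'tnd990r', 'tnd990s', 'Global\tnd990r', 'Global\tnd990s') {
        $m = $null
        if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
            $m.Dispose()
            $name
        }
    }
}

# 4. Defense services that are not running. Service list is an assumption:
#    Windows Firewall (MpsSvc), Security Center (wscsvc), Windows Defender (WinDefend).
function Get-StoppedDefenseServices {
    foreach ($svc in 'MpsSvc', 'wscsvc', 'WinDefend') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s -and $s.Status -ne 'Running') { $s }
    }
}

# 5. Opt-in remediation: reset DNS on every adapter whose interface GUID was flagged,
#    so DHCP/static settings are applied again instead of the loopback entry.
function Repair-LinkupDns {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$InterfaceGuid)
    foreach ($adapter in Get-NetAdapter) {
        $guid = $adapter.InterfaceGuid.Trim('{}')
        if ($InterfaceGuid -contains $guid -and
            $PSCmdlet.ShouldProcess($adapter.Name, 'Reset DNS server addresses')) {
            Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ResetServerAddresses
        }
    }
}

# --- Triage run -------------------------------------------------------------
$dns      = @(Get-LinkupDnsIndicators)
$file     = Get-LinkupFileIndicator
$mutexes  = @(Get-LinkupMutexIndicator)
$services = @(Get-StoppedDefenseServices)

"DNS entries pointing at 127.0.0.1 : $($dns.Count)";       $dns | Format-Table -AutoSize
"Dropped svchost.exe under AppData : $([bool]$file)";      if ($file) { $file.FullName }
"Linkup mutex present              : $($mutexes -join ', ')"
"Defense services not running      : $($services.Name -join ', ')"

# Preview the DNS reset first; drop -WhatIf to apply it after the binary is removed.
if ($dns.Count -gt 0) {
    Repair-LinkupDns -InterfaceGuid ($dns.Interface | ForEach-Object { $_.Trim('{}') }) -WhatIf
}
```

Run the script as-is to get a report; the DNS reset is only previewed with -WhatIf because restoring name resolution before the dropped svchost.exe is removed and the services are re-enabled would just let the malware reapply the registry change.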

As usual, the ransomware relies on social engineering to deceive victims and persuade them to pay the ransom. Linkup displays a bogus notification, supposedly from the Council of Europe, on the victim’s PC; it accuses the victim of viewing “Child Pornography” content and demands a payment of 0.01 Euro to unlock Internet access. Another concerning fact is that Linkup accepts payment by credit card, and for that operation it also requests the user’s personal information. At the time of writing, it is not confirmed that the malware restores the Internet connection after the requested amount is paid.


Linkup ransomware locker-page

The malware blocks Internet access, allowing only the download of a component that lets the machine join a Bitcoin mining botnet.

This combination of ransomware and Bitcoin mining is a new and fascinating development. At this point, however, its functionality is still quite limited as the downloaded jhProtominer only works on 64-bit operating systems. In time, it will be interesting to see if Linkup is modified to download more flexible variants.

Of course, if you have been infected, don’t pay the ransom!

Pierluigi Paganini

(Security Affairs –  Linkup ransomware, malware)
