Linkup , the ransomware that blocks Internet access and mines Bitcoin

Emsisoft has detected a new variant of malware dubbed Linkup (Trojan-Ransom.Win32.Linkup), it is ransomware that blocks Internet access and mines Bitcoin.

Emsisoft has detected a new variant of malware dubbed Linkup (Trojan-Ransom.Win32.Linkup), it is ransomware presenting a singular behavior. Usually a ransomware locks victim’s computer or encrypts files requesting the payment of a ransom to unlock it, but Linkup blocks the Internet access by modifying the DNS settings and includes the ability to mine Bitcoin.

Once Linkup has infected the system, it replicated itself and disables the Windows Security and Firewall services to advantage the infection process. The malware changes the DNS setting, the poisoned DNS servers will allow the access to the Internet only to the malicious code, blocking any other connection.

“Once the Linkup Trojan has been executed, it makes a copy of itself in the%AppData%\Microsoft\Windows directory named svchost.exe, a fake name meant to mimic a normal file on your computer, which is located in %windir%\system32. To mark its presence in the system, Linkup creates a mutex named tnd990r or tnd990s. We have also found that Linkup will actually disable selected Windows Security and Firewall services to facilitate infection.” states the official post.” To redirect every single DNS request, Linkup also makes several changes in the Windows registry, including modifying the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%interfaceGUID%

```
"NameServer" = "127.0.0.1"
```

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%interfaceGUID%

```
"DhcpNameServer" = "127.0.0.1"
```

As usual the ransomware adopts social engineering tactics to deceive the victims and persuade them to pay the ransom, Linkup displays a bogus notification supposed to be from the Council of Europe on the victim’s PC, that accuses victim of viewing “Child Pornography” contents and requesting for the payment of a 0.01 Euro to unlock Internet access. Another concerning fact is that Linkup ransomware allow the payments by credit card, requesting for the operation also user’s personal information. In time I’m writing it is not confirmed the malware restore the Internet connection after the payment of the requested amount of money,

The malware blocks the Internet access allowing only the download of a component that allow the machine to join a Bitcoin mining botnet.

“This combination of ransomware and Bitcoin mining is a new and fascinating development. At this point, however, its functionality is still quite limited as the downloaded jhProtominer only works on 64-bit operating systems. In time, it will be interesting to see if Linkup is modified to download more flexible variants.”

Of course, if you have been infected, don’t pay the ransom!

Pierluigi Paganini

(Security Affairs – Linkup ransomware, malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.