Emsisoft has detected a new malware variant dubbed Linkup (Trojan-Ransom.Win32.Linkup), a ransomware with unusual behavior. Ransomware usually locks the victim’s computer or encrypts files and demands a ransom to unlock them, but Linkup blocks Internet access by modifying the DNS settings and also includes the ability to mine Bitcoin.
Once Linkup has infected the system, it replicates itself and disables the Windows Security and Firewall services to facilitate the infection. The malware changes the DNS settings: the poisoned DNS configuration allows Internet access only to the malicious code, blocking every other connection.
“Once the Linkup Trojan has been executed, it makes a copy of itself in the %AppData%\Microsoft\Windows directory named svchost.exe, a fake name meant to mimic a normal file on your computer, which is located in %windir%\system32. To mark its presence in the system, Linkup creates a mutex named tnd990rortnd990s. We have also found that Linkup will actually disable selected Windows Security and Firewall services to facilitate infection,” states the official post. “To redirect every single DNS request, Linkup also makes several changes in the Windows registry, including modifying the following:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%interfaceGUID%
"NameServer" = "127.0.0.1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%interfaceGUID%
"DhcpNameServer" = "127.0.0.1"”
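As an added defender-side check (this is not code from the Emsisoft post or from Security Affairs), the PowerShell snippet below looks for the indicators the article lists: a loopback NameServer or DhcpNameServer value under any interface GUID, a dropped svchost.exe copy under %AppData%\Microsoft\Windows, and the tnd990rortnd990s mutex. Run it from an elevated prompt; a legitimate local DNS proxy also sets 127.0.0.1, so treat the registry hit as a lead to confirm rather than proof of infection.

```powershell
# Added example: hunt for the Linkup indicators described in the article.
$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$suspect   = '127.0.0.1'   # value Linkup writes to NameServer / DhcpNameServer
$findings  = @()

# 1) Per-interface DNS settings: loopback resolver with no local DNS service
Get-ChildItem -Path $ifaceRoot | ForEach-Object {
    $guid  = $_.PSChildName
    $props = Get-ItemProperty -Path $_.PSPath
    foreach ($name in 'NameServer', 'DhcpNameServer') {
        $val = $props.$name
        # Values may hold several servers separated by spaces or commas
        if ($val -and (($val -split '[ ,]+') -contains $suspect)) {
            $findings += [pscustomobject]@{
                Indicator = "Registry $name"
                Location  = "$ifaceRoot\$guid"
                Value     = $val
            }
        }
    }
}

# 2) Dropped copy: the real svchost.exe lives in %windir%\system32, not AppData
$dropped = Join-Path $env:APPDATA 'Microsoft\Windows\svchost.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += [pscustomobject]@{
        Indicator = 'File'
        Location  = $dropped
        Value     = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    }
}

# 3) Mutex: present only while the sample is running
try {
    $m = [System.Threading.Mutex]::OpenExisting('tnd990rortnd990s')
    $m.Dispose()
    $findings += [pscustomobject]@{ Indicator = 'Mutex'; Location = 'tnd990rortnd990s'; Value = 'present' }
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Mutex does not exist: nothing to report
} catch [System.UnauthorizedAccessException] {
    # Exists but owned by another session: still a hit
    $findings += [pscustomobject]@{ Indicator = 'Mutex'; Location = 'tnd990rortnd990s'; Value = 'present (no access)' }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No Linkup indicators found.' }
```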
As usual, the ransomware relies on social engineering to deceive victims and persuade them to pay. Linkup displays a bogus notification, supposedly from the Council of Europe, on the victim’s PC; it accuses the victim of viewing “Child Pornography” content and demands a payment of 0.01 Euro to unlock Internet access. Another concerning fact is that Linkup accepts payment by credit card and, for that operation, also requests the user’s personal information. At the time of writing it is not confirmed that the malware restores the Internet connection after the requested amount is paid.
The malware blocks Internet access, allowing only the download of a component that makes the machine join a Bitcoin mining botnet.
“This combination of ransomware and Bitcoin mining is a new and fascinating development. At this point, however, its functionality is still quite limited as the downloaded jhProtominer only works on 64-bit operating systems. In time, it will be interesting to see if Linkup is modified to download more flexible variants.”
Of course, if you have been infected, don’t pay the ransom!
(Security Affairs – Linkup ransomware, malware)