And Here Comes The NSA-Themed Ransomware

from the featuring-scary-logos,-acronyms-and-third-party-money-services dept

It was only a matter of time before this happened. The latest government agency to have its name and logo splashed across some clumsy ransomware is none other than everyone's least favorite intelligence agency, the NSA. This ransomware specifically mentions the NSA's preferred web data harvester and interceptor, PRISM, in its shake down of users who snag the triplines of malware-infested websites. (via)

While many individuals are concerned about privacy in light of PRISM, some malicious actors are using the program to scare naive users into installing ransomware. Since August 23rd, we have seen about 20 domains that carry FakeAV and Ransomware. These websites seem to have been hijacked. They are all hosting the malicious content over port 972 and use similar URL patterns. Here are a couple examples:

kringpad.websiteanddomainauctions.com:972/lesser-assess_away-van.txt?e=20
miesurheilijaaantidiabetic.conferencesiq.com:972/realism_relinquish-umbrella-gasp.txt?e=21
squamipi.worldcupbasketball.net:972/duty_therefore.txt?e=21


The malicious files seem to be changing. It started with the classic FakeAV, then switched to a fake PRISM warning. In both cases, the goal is to scare the target into paying the attacker to "fix" their computer.
Preying on vague, unverifiable fears is what ransomware specialists do best. These particular criminals started out by pushing Fake AV [not its real name], which would return "reports" stating the unfortunate user's computer was literally overrun with viruses. In exchange for perfectly good money, the software would rid itself of problems the user never had while inserting other malware and spybots.

But nothing makes money like topical fears, especially for users who are only slightly aware of the NSA scandal and have picked up just enough knowledge to be dangerous… to themselves. A quick read of the ransomware screen should alleviate the fears of anyone halfway familiar with nefarious web tactics, but the uninitiated may be scared enough to just start throwing money at the screen.




In addition to throwing as many official logos as it can at the user, the lockscreen also dumps a large number of scary looking (and eerily misspelled) words onto the screen for good measure. If the misspellings don't tip the user off, chances are they won't question why the government would essentially take a lowball bribe of $300 rather than prosecute them and pursue a "mandatory term of imprisonment for 6 month to 10 years [all sic]" and a $250,000 fine.

This will presumably be an effective tactic even if the NSA is no longer considered newsworthy by the mainstream media. Users who are cowed by a handful of logos probably aren't going to be tuned into the nuances of these various federal agencies. But the point that should be driven home to every user is that no federal agency is going to allow you to buy your way out of a serious criminal charge and very definitely won't be collecting fines through third-party services.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: nsa, prism, ransomware, scams


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Keroberos (profile), 20 Sep 2013 @ 4:03pm

    Re:

    How do you remove this virus?--You can use one of several boot disk anti-virus scanners. How can you get this virus?--By visiting a website that has been coded to deliver it through any software vulnerability it discovers in the web browser or plug-ins that you have installed. The infecting website can even be a perfectly legit one that has been hacked. The best defense is to keep your OS and anti-virus up to date, keep your firewall on, and disable auto-loading of scripts and plug-ins in your browser. And for Bog's sake if you have Java installed on your system--uninstall it--unless you absolutely need it to run something (and if that were me I would look for an alternative, or do without).

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.