
New Variant of the Police/Ukash Ransomware Encrypts Victim's Personal Files

Our ESG research team has come across a new variation of the Ukash ransomware, or Ukash virus, that encrypts files and requires a code to decrypt them. This discovery comes hot on the heels of a small number of computer users reporting cases to us in which the Ukash ransomware could not be removed by their anti-spyware or anti-virus application. We have seen countless instances of aggressive malware threats encrypting files, but a newer variation of the Ukash ransomware with encryption functionality on the loose shows that scammers are constantly devising more aggressive methods to reach the next step in the evolution of scareware.

What is the Police/Ukash Ransomware?

The Police/Ukash Ransomware is one of many emerging ransomware threats that use aggressively worded notifications alleging that the FBI or another law enforcement agency has detected illegal activity, and that the PC user must pay a fine through MoneyPak or Ukash, both legitimate online payment systems. These threats get the name 'ransomware' because they commonly demand that a fine be paid while locking up the infected computer, claiming that it will be unlocked once the payment has been received. FBI Moneypak Ransomware and others, such as Reveton Ransomware and FBI Green Dot Moneypak Ransomware, fail to unlock the system after the fine is paid. Basically, the hackers behind these threats are in the business of collecting money, not providing any reprieve to the computer user in return.

Details on the Aggressive File-Encrypting Ukash Virus Variant

In our researchers' investigation of files being encrypted by the Police/Ukash ransomware, we found that the infection creates an archive of files with the '.als' extension. It is possible that the malware has evolved to merge files into a single structure and prevent access without a decryption code. The older removal method of recovering the encryption key by comparing a pair of files and then using that key to decrypt the 'locked' files is obsolete against this newer variant of the Police/Ukash ransomware.

In the past, ransomware like the Police/Ukash ransomware was predictable: it would occasionally lock up a system, repeatedly scare users with accusations of watching porn, and block programs such as the Task Manager from executing. We have known for some time that common ransomware of this caliber claims that the PC user must pay a fee to unlock the computer but never lives up to that promise. In the case of the Police/Ukash ransomware, payments are collected through Ukash or MoneyPak, and the PC user will supposedly receive a code to decrypt the files that have been encrypted. Among the encrypted files we have found .jpg, .doc, .pdf and even .xls types.

Analysis of the file encryption performed by this new variant of the Ukash ransomware reveals new ctfmon.exe or svhost.exe processes spawned so that the malware can inject its own code into them. Samples dropped in the %TEMP% folder are executed to perform the initial injection. These actions hinder manual removal and leave many encrypted files unusable. In all, the system does not stop working, but many third-party applications are broken to the point that they may no longer run.
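As an added illustration (not code from the original article or from ESG), the following Python script turns the indicators described above, the spawned svhost.exe and ctfmon.exe processes, execution out of %TEMP%, and the appearance of '.als' archives, into detection rules run over a constructed, simplified process- and file-event log; the log format, the field names and the user path are assumptions, and svhost.exe is flagged because the genuine Windows host process is named svchost.exe and lives in System32.

```python
import re
# Constructed sample events (not from a real infected host): event kind, then key=value fields.
SAMPLE_LOG = """\
ProcessCreate Image=C:\\Windows\\System32\\svchost.exe Parent=C:\\Windows\\System32\\services.exe
ProcessCreate Image=C:\\Users\\bob\\AppData\\Local\\Temp\\a1b2.exe Parent=C:\\Windows\\explorer.exe
ProcessCreate Image=C:\\Windows\\System32\\svhost.exe Parent=C:\\Users\\bob\\AppData\\Local\\Temp\\a1b2.exe
ProcessCreate Image=C:\\Users\\bob\\AppData\\Local\\Temp\\ctfmon.exe Parent=C:\\Users\\bob\\AppData\\Local\\Temp\\a1b2.exe
ProcessCreate Image=C:\\Windows\\System32\\ctfmon.exe Parent=C:\\Windows\\explorer.exe
FileCreate Target=C:\\Users\\bob\\Documents\\locked_0001.als
FileCreate Target=C:\\Users\\bob\\Documents\\notes.txt
"""
SYSTEM32 = "c:\\windows\\system32"
HOSTED_NAMES = {"ctfmon.exe", "svchost.exe"}  # genuine copies of these live only in System32
TEMP_MARKER = "\\appdata\\local\\temp\\"       # the user's %TEMP% on Windows Vista and later

def parse(line):
    """Split one log line into its event kind and a dict of its key=value fields."""
    kind, _, rest = line.partition(" ")
    return kind, dict(re.findall(r"(\w+)=(\S+)", rest))

def classify_process(fields):
    """Return the names of the rules one ProcessCreate event triggers (empty if none)."""
    image = fields["Image"].lower()
    parent = fields.get("Parent", "").lower()
    folder, _, name = image.rpartition("\\")
    hits = []
    if name == "svhost.exe":                  # one letter short of the real svchost.exe
        hits.append("lookalike-svchost-name")
    if name in HOSTED_NAMES and folder != SYSTEM32:
        hits.append("system-name-outside-system32")
    if TEMP_MARKER in image:
        hits.append("executed-from-temp")
    if TEMP_MARKER in parent:
        hits.append("spawned-by-temp-process")
    return hits

def scan(log_text):
    """Map every suspicious log line to the list of rules it triggered."""
    findings = {}
    for line in log_text.splitlines():
        kind, fields = parse(line)
        hits = []
        if kind == "ProcessCreate":
            hits = classify_process(fields)
        elif kind == "FileCreate" and fields["Target"].lower().endswith(".als"):
            hits = ["als-archive-created"]    # extension the article reports on the encrypted archive
        if hits:
            findings[line] = hits
    return findings
```

Running `scan(SAMPLE_LOG)` on the constructed log flags four of the seven events; the legitimate svchost.exe and ctfmon.exe launches from System32 and the plain .txt file are left alone.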


What to Do When Ransomware Encrypts Your Data?

Although there is little computer users can do to recover files once they have been encrypted by the new variant of the Police/Ukash ransomware, PC users may be able to salvage their remaining files by unplugging the system immediately when the warning message is displayed. Cutting the power stops the malware from continuing to encrypt other files. The encryption process takes time, and interrupting it keeps the data it has not yet reached intact. Encryption will resume when the system is booted again, so at this point PC users should take the necessary precaution of booting from an external drive or bootable media (a CD or DVD with an operating system loaded) instead.

Although the attempt to salvage unharmed files can be a bit complex, it is well worth it considering how destructive the Ukash virus can be in its newer form. Another destructive ransomware family detected in the past is called Gpcode. Gpcode generates a 256-bit AES encryption key, and its output is dropped on the desktop of the infected computer. An older malware sample, now detected by anti-spyware programs as Trojan-Ransom.Win32.Gpcode.bn, behaves much like the newer variation of the Police/Ukash ransomware: it scans the hard drive for files to encrypt, using each file's extension to decide whether it should be encrypted, based on its type and on whether it is a configuration file.

Some samples were found to use fixed strings to generate the encryption key. The sample examined also sends requests, along with the infected computer's ID, to a command and control server to receive additional commands. It is possible that the infected computer is later used like a botnet node while a random key is generated, all masked by the ransomware message plastered across the computer's screen.

With this new variant on our hands, it is evident that ransomware has evolved into a much more aggressive form. This new form, through file encryption, could be extremely destructive. ESG researchers are now delving deep into the structure and basis of this new ransomware to uncover additional details, which will assist us in protecting PC users from future threats from what appears to be a much more aggressive form of the Police/Ukash ransomware.
