The ‘Linkup’ malware was spotted by German-based security firm Emsisoft. In a 3 February blog, Emsisoft's Steve Nowicki describes how Trojan-Ransom.Win32.Linkup differs from earlier ransomware in that it doesn't lock the user out or encrypt their files.
Instead, it alters the user's DNS settings to stop them accessing the internet, and sends them to the ransomware site which displays a fake message from ‘the Council of Europe’ suggesting they have been involved in accessing child pornography.
The software then demands a ransom of just one Euro cent and the user's personal data including credit card details. Meanwhile, it downloads a bitcoin mining botnet.
“Linkup represents a new approach to infection, which combines two known techniques - ransomware and bitcoin mining - to create one potent form of money-making malware,” Nowicki said.
Martyn Ruks, technical director at UK-based security research firm MWR InfoSecurity, said Linkup displays a level of deviousness in the way it is designed and operates.
He told SCMagazineUK.com: “This ransomware is using classic persuasion techniques of fear and authority to compel users into acting rashly and paying the demanded fee. The small amount should in fact raise suspicion, but by providing a far simpler way out of the implied threat of legal action, most users are likely to jump at the opportunity, opening themselves to further fraud.
“This sudden reaction is compounded by the removal of standard internet services, since the primary source of information and help about such problems is not only cut off, but each attempt to use it reinforces the implied threat.”
Ruks said that the payload to mine bitcoins means “even if the fraud aspect is unsuccessful, the attacker has already seen financial gain for the duration that the affected machine is running and compromised”.
A spokesperson for Emsisoft agreed that the software is devious and told SCMagazineUK.com: “While the ransomware is quite conspicuous, the Protominer (bitcoin miner) takes place in the background. This is almost similar to the psychological deception employed with Trojan rogues, where it looks like an anti-malware but is actually malware underneath - except with Linkup it's one type of malware distracting you from another.”
But Kevin O'Reilly, a senior consultant at UK security research firm Context Information Security, pointed to some weaknesses in Linkup. He said DNS hijacking is typically used to redirect victims to unwanted websites or search results or to prevent anti-virus software from updating, not to prevent internet access altogether.
“To deny all internet access completely is a more blunt use of such a method, and perhaps self-defeating as it may prevent the ability to make the online ransom payments the authors so obviously covet.”
O'Reilly added: “The bitcoin mining component of this malware may also be flawed in its conception. To make money from average PCs would require a huge number of them working in tandem for quite some time - which is perhaps a little optimistic on the part of malware which so obviously cripples a victim's machine.”
“The bottom line is the same as ever. Users should protect themselves by being cautious about what attachments they open, stay patched and up-to-date, and run a well-reputed and up-to-date anti-virus product.”
Linkup emerged shortly after the discovery of the Locker ransomware virus in December, itself a copycat of the notorious CryptoLocker malware which first appeared last September.
Linkup was discovered in the same week as European police agency Europol warned that ransomware has become a multi-million euro business. A report by Europol's EC3 (European Cybercrime Centre) and the Dutch National High Tech Crime Unit says ransomware has seen “exponential growth” in the European Union over the last two years, infecting millions of computers and forcing tens of thousands of citizens to pay ransoms.