"Fake FBI extortion" ransomware appears, accusing users of fictitious crimes
Baidu Security Lab has recently discovered a family of ransomware dubbed "fake FBI extortion" (pseudo-FBI extortion) together with its latest variants. The malware monitors the programs the user runs, displays a fake FBI notice and tricks the user into paying a USD 300 "fine" to unlock the phone; until then no other program can be used, which severely disrupts normal use. Judging by how the samples have changed over time, the author is still producing new variants and adding more harmful capabilities.
The "fake FBI extortion" malware repeatedly pops up the device administrator activation dialog and forces its own window to stay on top, so the user cannot use any other program unless the so-called USD 300 "fine" is paid. The latest variant displays a phone number on the ransom screen and turns on the front camera on the payment screen to intimidate the user. Worse, it encrypts all photos, videos, documents and other files on the phone, so even if the malware is forcibly removed the damage may already be irreparable.
The malware's workflow is as follows:
1. When opened, it is disguised as a commonly used app and insists that device administrator be activated before it proceeds.
2. Once activated, it displays the fake FBI notice, accuses the user of violations and demands a fine.
3. The user is told to pay a USD 300 fine to unlock the device.
The latest version adds the following behaviour:
1. Phone numbers, signature stamps and other details on the scam home page, to make it look authentic.
2. A live image from the front camera on the payment page, to intimidate the user.
3. Encryption of all images, videos, PDF files and other documents on the phone.
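Once the malware has been removed, a responder still needs to know which files were actually overwritten. The following script is an added example written for this page, not code from Baidu's report or from the malware: it walks a copy of the phone's storage and flags files whose extension promises a known format (the image, video and PDF types the report names) but whose header no longer matches and whose bytes look like ciphertext. The file signatures, the 7.5 bits/byte entropy cut-off and the sample directory tree are my own assumptions and constructed data. The report does not disclose which cipher the malware uses, so this identifies encrypted files without attempting to recover them.

```python
import math
import os
import random
import tempfile
from collections import Counter
from typing import Dict, List, Optional, Tuple

# File signatures for the kinds of files the report says get encrypted
# (images, videos, PDFs). Each entry is a list of (offset, magic bytes).
# MP4/3GP carry their 'ftyp' box at offset 4, after the 4-byte box length.
MAGIC: Dict[str, List[Tuple[int, bytes]]] = {
    ".jpg": [(0, b"\xff\xd8\xff")],
    ".jpeg": [(0, b"\xff\xd8\xff")],
    ".png": [(0, b"\x89PNG\r\n\x1a\n")],
    ".gif": [(0, b"GIF87a"), (0, b"GIF89a")],
    ".pdf": [(0, b"%PDF-")],
    ".mp4": [(4, b"ftyp")],
    ".3gp": [(4, b"ftyp")],
    ".docx": [(0, b"PK\x03\x04")],
}
# Assumption: ciphertext is close to 8 bits/byte; a 7.5 cut-off separates it
# from structured file headers while tolerating compressed media bodies.
ENTROPY_THRESHOLD = 7.5
HEAD_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def magic_matches(head: bytes, ext: str) -> Optional[bool]:
    """True/False when a signature is known for `ext`, None when it is not."""
    sigs = MAGIC.get(ext.lower())
    if sigs is None:
        return None
    return any(head[off:off + len(sig)] == sig for off, sig in sigs)


def classify_file(path: str) -> str:
    """Verdict for one file based on its extension, header and entropy."""
    with open(path, "rb") as f:
        head = f.read(HEAD_BYTES)
    ok = magic_matches(head, os.path.splitext(path)[1])
    high_entropy = shannon_entropy(head) >= ENTROPY_THRESHOLD
    if ok is False and high_entropy:
        return "likely-encrypted"      # known type, header gone, random-looking
    if ok is False:
        return "header-mismatch"       # wrong header but not ciphertext-like
    if ok is None and high_entropy:
        return "high-entropy-unknown"  # no signature to compare against
    return "intact"


def scan_directory(root: str) -> Dict[str, str]:
    """Map each file under `root` (path relative to root, '/'-separated) to a verdict."""
    results: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results[rel] = classify_file(full)
    return results


def build_sample_tree() -> str:
    """Constructed sample data (not from the report): two intact files and two
    whose contents were replaced by ciphertext, as the malware would leave them."""
    rng = random.Random(1)  # deterministic stand-in for ciphertext
    ciphertext = bytes(rng.getrandbits(8) for _ in range(2048))
    samples = {
        "DCIM/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 2000,
        "Download/report.pdf": b"%PDF-1.4\n" + b"%" * 500,
        "DCIM/photo2.jpg": ciphertext,
        "Movies/clip.mp4": ciphertext,
    }
    root = tempfile.mkdtemp(prefix="fbi_triage_")
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for rel, verdict in sorted(scan_directory(build_sample_tree()).items()):
        print(f"{verdict:22} {rel}")
```

Run it against a mounted image or an `adb pull` copy of the SD card rather than the live device, and treat "header-mismatch" as a manual-review bucket: a truncated or misnamed file lands there too, whereas "likely-encrypted" needs both the lost header and ciphertext-like bytes.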
II. Virus code analysis
1. It sends the user's country, IMEI and other device information to the C&C server.
2. It encrypts the user's files. The original analysis lists the targeted file extensions in a screenshot that is not reproduced here; images, videos and PDF files are among them, and the losses may be irreparable.
3. The user is prompted to activate device administrator; once activated, the app can no longer be uninstalled directly.
4. A scheduled task checks which program is running. If the foreground program is not the ransomware itself, it closes that program and brings the ransomware back to the front.
5. After the fine is paid, the malware stops its background service, deactivates device administrator and deletes itself.
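The five behaviours above translate into a small set of Android manifest artefacts: a broadcast receiver protected by BIND_DEVICE_ADMIN with the DEVICE_ADMIN_ENABLED action (item 3), permissions to enumerate and kill other processes (item 4), and the camera, storage, phone-state and network permissions the camera, encryption and C&C features need (items 1 and 2). The triage script below is an added example written for this page, not code from Baidu's analysis or from the malware. Both manifests are constructed, the package names are hypothetical, and the permission-to-behaviour mapping and the "ransomware-like" rule are my assumptions drawn from the Android permission model rather than indicators extracted from the samples.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """Fully qualified name of an android:* attribute for ElementTree lookups."""
    return f"{{{ANDROID_NS}}}{name}"


# Permissions the behaviours in the report would require. This mapping is an
# assumption from the Android platform model, not a list taken from the samples.
APP_KILLING = {"android.permission.GET_TASKS",
               "android.permission.KILL_BACKGROUND_PROCESSES"}
PERMISSION_RULES = [
    ("watches and kills other programs (item 4)", APP_KILLING),
    ("front camera on the payment page", {"android.permission.CAMERA"}),
    ("encrypts files on external storage (item 2)",
     {"android.permission.WRITE_EXTERNAL_STORAGE"}),
    ("reads the IMEI for the C&C beacon (item 1)",
     {"android.permission.READ_PHONE_STATE"}),
    ("contacts the C&C server (item 1)", {"android.permission.INTERNET"}),
    ("keeps the ransom window on top", {"android.permission.SYSTEM_ALERT_WINDOW"}),
]
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"


def parse_manifest(xml_text: str) -> Dict[str, object]:
    """Extract the package name, requested permissions and device-admin receivers."""
    root = ET.fromstring(xml_text)
    perms: Set[str] = {e.get(android_attr("name")) for e in root.iter("uses-permission")}
    admin_receivers: List[str] = []
    for rcv in root.iter("receiver"):
        actions = {a.get(android_attr("name")) for a in rcv.iter("action")}
        if rcv.get(android_attr("permission")) == DEVICE_ADMIN_PERM and DEVICE_ADMIN_ACTION in actions:
            admin_receivers.append(rcv.get(android_attr("name")))
    return {"package": root.get("package"), "permissions": perms,
            "admin_receivers": admin_receivers}


def triage(xml_text: str) -> Dict[str, object]:
    """Score a decoded manifest against the behaviours described in the report."""
    info = parse_manifest(xml_text)
    perms: Set[str] = info["permissions"]
    findings: List[str] = []
    if info["admin_receivers"]:
        findings.append("device-admin receiver (item 3): " + ", ".join(info["admin_receivers"]))
    for label, needed in PERMISSION_RULES:
        hit = sorted(perms & needed)
        if hit:
            findings.append(f"{label}: {', '.join(hit)}")
    # Assumption: the combination that matters is device admin plus the ability
    # to kill other apps plus camera or storage access. Camera or storage alone
    # is ordinary for many legitimate apps, so it is not flagged on its own.
    ransomware_like = (bool(info["admin_receivers"])
                       and bool(perms & APP_KILLING)
                       and bool(perms & {"android.permission.CAMERA",
                                         "android.permission.WRITE_EXTERNAL_STORAGE"}))
    return {"package": info["package"], "findings": findings,
            "ransomware_like": ransomware_like}


# Constructed manifests (not from the samples); package names are hypothetical.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Video Player">
    <activity android:name=".LockActivity"/>
    <service android:name=".WatchdogService"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.gallery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Gallery">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        result = triage(manifest)
        print(result["package"], "ransomware-like:", result["ransomware_like"])
        for line in result["findings"]:
            print("  -", line)
```

Feed it the AndroidManifest.xml produced by `apktool d sample.apk`; the binary manifest inside the APK is not plain XML. Two caveats: the device-admin receiver is the strongest single signal here because legitimate apps rarely need it, and on Android 5 and later `getRunningTasks` is restricted, so a newer sample may watch the foreground by other means and the absence of GET_TASKS does not clear it.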