Surprise "fake FBI extortion", fictitious crime ransomware

Source: Internet
Author: User

Baidu Security Lab has recently discovered a family of ransomware named "pseudo-FBI extortion" and its latest variants. The family monitors the programs the user is running, displays a fake FBI notice, and tricks the user into paying a 300 USD "penalty" to unlock the phone. The user cannot use any other program, which seriously disrupts normal use of the device. Judging by the changes between samples, the virus author is still producing new variants and adding more harmful capabilities.


I. Overview:


The "pseudo-FBI extortion" virus repeatedly pops up the Device Manager (device administrator) activation screen and forces its own interface to stay on top. The user cannot use other programs unless the so-called $300 "penalty" is paid. Its latest variant adds the victim's mobile phone number to the ransom screen and turns on the front camera on the payment screen to intimidate the user. Even more alarming, the virus encrypts all photos, videos, documents, and other files on the phone, so even if the virus is forcibly removed, the victim may still suffer irreparable loss.


The virus process is as follows:

1. Disguised as a commonly used application, it demands that the device administrator be activated as soon as it is opened.




2. After activation, it displays a fake FBI notice accusing the user of a crime and demanding that a fine be paid.



3. It prompts the user to pay a penalty of $300 to unlock the device.






The latest version adds the following behavior:

1. A phone number, signature stamp, and other details are added to the scam home page to make it look more authentic:




2. A live image from the front camera is shown on the payment page to intimidate the victim.



3. All images, videos, PDF files, and other files on the phone are encrypted:





II. Virus code analysis:

1. The user's country, IMEI, and other information are sent to the C&C server:




2. User files are encrypted. The virus encrypts files of the formats listed below, which may cause irreparable loss:

(Figure: list of file formats targeted for encryption)


(Figure: encryption code)



3. The user is prompted to activate the Device Manager (device administrator); once activated, the virus cannot be uninstalled directly.




4. A scheduled task is set up to check the running programs. If the foreground program is not the ransomware itself, it closes that program and brings the ransomware back to the front.




5. Once the penalty has been paid, it stops the background service, deactivates the device administrator, and deletes the ransomware program.
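The behaviours in the code analysis above (IMEI beacon, file encryption on storage, device-administrator lock, foreground-program monitoring, front camera) map onto permissions and components that must be declared in an APK's manifest. The following static triage check is an added example written for this page, not Baidu's tooling or code from the sample; the mapping from behaviour to manifest evidence is a heuristic assumption, and the manifest is a constructed sample in the decoded (apktool-style) XML form.

```python
# Added example: static triage of a decoded AndroidManifest.xml for the
# ransomware behaviours described above. The behaviour-to-evidence mapping
# is an assumption; permission names, the receiver permission and the
# action string are real Android values.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

INDICATORS = {
    "exfiltrate IMEI/country to C&C": {"android.permission.READ_PHONE_STATE",
                                       "android.permission.INTERNET"},
    "encrypt files on external storage": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "monitor foreground program": {"android.permission.GET_TASKS"},
    "front camera on payment page": {"android.permission.CAMERA"},
}

def triage_manifest(xml_text: str) -> dict:
    """Return which page-described behaviours the manifest could support."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    hits = {label: need <= perms for label, need in INDICATORS.items()}
    # A device-admin receiver is protected by BIND_DEVICE_ADMIN and listens
    # for DEVICE_ADMIN_ENABLED; this is what blocks a plain uninstall.
    hits["device-admin lock"] = any(
        r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        and any(a.get(ANDROID_NS + "name") == "android.app.action.DEVICE_ADMIN_ENABLED"
                for a in r.iter("action"))
        for r in root.iter("receiver"))
    hits["score"] = sum(1 for v in hits.values() if v is True)
    return hits

# Constructed sample manifest resembling the described family (not a real IoC).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A high score only says the manifest is consistent with the described behaviours; many legitimate apps request several of these permissions, so the result is a triage signal to be confirmed by code review, not a verdict.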

