Ransomware manufactures evidence of illicit site browsing

Kovter malware redirects victim's browser to a randomised adult website before locking computer

Image caption: The Kovter malware tries to shame its victims into silently paying a ‘ransom’. (Credit: Malware Don't Need Coffee)

By Tom Paye. Published May 18, 2014.

A new type of ransomware that can manufacture evidence of visiting illicit websites has been gaining traction recently, with infections relating to it doubling over the past month, according to security firm Damballa.

The Kovter malware tries to shame its victims into silently paying a ‘ransom’. Like other types of ransomware, Kovter takes control of a victim's computer, displaying a message that the victim has broken the law. The victim is then told to pay a fine to regain normal use of the computer.

Where Kovter is different, however, is that it scans the victim's browsing history for adult websites and the associated cached content, which it then presents on a splash screen while locking the computer. If no illicit browsing history can be found, the malware manufactures ‘evidence’ by redirecting the victim's browser to a randomised adult website, which it logs and whose content it retrieves to display.

The malware family has even been known to retrieve and display child pornography content, according to Gina Pimentel, a Damballa threat researcher.

"Many ransomware families capture and display system and user information to legitimise allegations of a ‘crime’. Kovter takes this to an extreme," she said.

The ransom splash screen displayed by Kovter is designed to appear as if it were set up by law enforcement agencies. According to the Malware Don't Need Coffee blog, there are separate designs for the US (pictured), Germany, Spain, France, Great Britain, Italy, the Netherlands and Turkey.

The ‘ransom’ asked by Kovter is typically $300, Pimentel explained. In the US, Kovter uses the pre-paid card MoneyPak as the payment method of choice, and Ukash and PaySafeCard are used for victims in other locations.

"These payment methods give attackers untraceable, readily accessible funds in electronic cash with no red tape," she said.

Pimentel added that it was important to note that paying the ransom would neither remove the malware from an infected system nor restore the computer's functionality.
