How-to: Identify the Troj/Urausy Ransom-ware infection [Guest Post]

Identify the Troj/Urausy Ransom-ware family
Acknowledging the risk of turning this into 'Security Theatre Monthly', the latest malware How-to concerns a particularly duplicitous piece of malware of the kind now called 'ransom-ware'.

This is a malicious trojan which purports to be from a law enforcement agency; variations include the FBI, Interpol and, in this case, the UK Serious Organised Crime Agency (SOCA).

All variants lock your Windows machine under the bogus claim that you have been traced pirating material on the Internet and all demand on-line payment of a 'fine' to 'unlock' your machine. DO NOT PAY ANYTHING. It is a SCAM.

No law enforcement agency does this. There are no criminal charges and no court proceedings, so why would you pay a fine?

I really must get more tech-savvy friends, because this one brought me a laptop with the ludicrous Metropolitan British Police Serios Organised Crime Agency lock screen. With typos. Still, it must be official, it has a picture of HM the Queen on it. And the Met Police Commissioner. And some other police logos.

It also carries the most ludicrous covering text, headed "Your computer has been blocked up for safety reasons!", accusing the user of a multitude of serious but non-specific offences, each with penalties, none of which appears to have been written by a native English speaker. The Interpol and FBI versions are just as bad.

How does the SOCA Ransom-ware infect a machine?
Pretty much the same as all other mal-ware:
  • spam email containing infected attachments or links to malicious websites. A common trick is a spam email with forged header information that makes it look as if it came from a shipping company like DHL or FedEx, from Amazon, from a bank or from a credit card company; click the link or open the attachment and you have just invited the infection in.
  • bogus updates for Adobe Flash Player, media players, codec packs or some other piece of software.
  • peer-to-peer file sharing websites, where it is often bundled with pirated software or, worse, with shareware and freeware.

What is the ransom-ware?
The FBI, Interpol and SOCA 'viruses' all belong to the Troj/Urausy Ransom-ware family. It has been kicking around since at least 2012, with frequently updated designs for the lock screen. Some versions of the trojan can turn on your webcam and display what is happening in the room on the lock screen; a scary but utterly bogus piece of Big Brother pantomime.

Silently installing itself, the trojan locks you out of your desktop and applications and displays a lock screen in their place, demanding payment of a non-existent 'fine' of 300 GBP, Euros or Dollars by MoneyPak, Ukash, Paysafecard or MoneyGram Xpress voucher. The malware's authors use these payment services because transactions made through them cannot be reversed and are hard to trace.

Under no circumstances should you send any money via MoneyPak, Ukash, Paysafecard or MoneyGram Xpress; if you already have, contact the payment provider and request a refund, stating that you are the victim of a computer virus and a scam. You may get a temporary unlock, in which case the criminals will be back in another few weeks to scam you again. More likely, nothing will happen and your machine will remain locked.

It may also open the door to other malware, leaving you with several layers of infection to deal with rather than one.

Removing Troj/Urausy Ransom-ware with Kaspersky Rescue Disk
The Troj/Urausy Ransom-ware is a well-developed piece of malware, but not all that sophisticated. It is also not very tidy, scattering files and registry entries across your machine under a number of aliases.

Fortunately, there are now several anti-malware suites that can take care of this evil little trojan, with the advantage that the reported variants and their aliases are catalogued and kept up to date. While it is possible to remove it manually, I took one look at the infected laptop and decided a tool was the way to go.
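If you do go the manual route, or simply want to confirm that a rescue-disk scan left nothing behind, the PowerShell script below is an added editorial example, not code from the original post or from Kaspersky. It lists the usual Windows autostart locations that lock-screen trojans abuse (Run/RunOnce keys, the Winlogon Shell and Userinit values, and the Startup folders) and flags entries whose target lives in a user-writable folder, is unsigned, or no longer exists. The folder list and heuristics are assumptions of this example; it does not encode Urausy's own file names or registry aliases, so treat a flag as "look closer", not "delete". Run it from an elevated PowerShell prompt, for instance in Safe Mode with Command Prompt when the lock screen owns the normal desktop.

```powershell
# Added example: generic Windows autostart triage for a lock-screen trojan.
# Not Urausy-specific; the folder list and checks below are assumptions.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogonHKLM = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonHKCU = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$startupDirs  = @([Environment]::GetFolderPath('Startup'),
                  [Environment]::GetFolderPath('CommonStartup'))

# Folders a legitimate autostart entry rarely lives in, but droppers favour (assumption).
$suspectDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData,
                 "$env:USERPROFILE\Downloads") | Where-Object { $_ }

function New-Finding([string]$Location, [string]$Name, [string]$Target, [string]$Reasons) {
    New-Object -TypeName PSObject -Property @{
        Location = $Location; Name = $Name; Target = $Target; Reasons = $Reasons }
}

function Get-CommandPath([string]$CommandLine) {
    # Extract the executable from a Run-value command line, quoted or not.
    if ($CommandLine -match '^\s*"([^"]+)"') { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    if ($CommandLine -match '^\s*(\S+)')      { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    return $CommandLine
}

function Get-SuspicionReasons([string]$Path) {
    $reasons = @()
    foreach ($d in $suspectDirs) {
        if ($Path -like "$d\*") { $reasons += "under $d" }
    }
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    } else {
        $reasons += 'target file missing'
    }
    return ($reasons -join '; ')
}

$findings = @()

# 1. Run / RunOnce values.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        $findings += New-Finding $key $name $cmd (Get-SuspicionReasons (Get-CommandPath $cmd))
    }
}

# 2. Winlogon Shell / Userinit: replacing the shell is the classic way to own the desktop.
$wl = Get-ItemProperty -Path $winlogonHKLM
if ($wl.Shell -ne 'explorer.exe') {
    $findings += New-Finding $winlogonHKLM 'Shell' $wl.Shell 'Shell is not explorer.exe'
}
if ($wl.Userinit -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$') {
    $findings += New-Finding $winlogonHKLM 'Userinit' $wl.Userinit 'Userinit has been altered'
}
if (Test-Path $winlogonHKCU) {
    $userShell = (Get-ItemProperty -Path $winlogonHKCU).Shell
    if ($userShell) {
        $findings += New-Finding $winlogonHKCU 'Shell' $userShell 'per-user Shell override present'
    }
}

# 3. Startup folders, resolving shortcuts to their real targets.
$wsh = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in (Get-ChildItem -Path $dir | Where-Object { -not $_.PSIsContainer })) {
        $target = $f.FullName
        if ($f.Extension -eq '.lnk') { $target = $wsh.CreateShortcut($f.FullName).TargetPath }
        $findings += New-Finding $dir $f.Name $target (Get-SuspicionReasons $target)
    }
}

"All autostart entries:"
$findings | Format-Table Location, Name, Target, Reasons -AutoSize -Wrap
"Entries worth a closer look:"
$findings | Where-Object { $_.Reasons } | Format-Table Location, Name, Target, Reasons -AutoSize -Wrap
```

Two caveats. Plenty of legitimate software is unsigned or installs under AppData, so an unsigned flag on its own proves nothing; a randomly named executable under AppData with no vendor you recognise is the pattern to chase. And an entry that launches rundll32.exe or a scripting host will show a perfectly valid signature on the host binary, so look at the arguments in the Target column, not just the executable. Scheduled tasks and services are further autostart points this short script does not cover; on the machine described here the rescue disk's scan is the safer bet for a complete clean-up.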

On a recommendation from several IT security folks, I opted to use Kaspersky Rescue Disk to perform a system scan and clean the Windows registry to remove the virus.

Kaspersky is a reputable security software company that has been in the market for many years; it provides a number of security tools, both free and paid. Kaspersky Rescue Disk is one of the free ones.

The How-to which follows shortly describes how to use the free Kaspersky Rescue Disk to zap not only the Troj/Urausy Ransom-ware, but many other types of malware as well. AJS

Allan J. Smithie is a journalist and commentator based in Dubai.
An expat from the wintry North-East of the UK, self-confessed grumpy old git Smithie enjoys sunshine and arguing, over a drop of something bad for you.