Ransomware impersonates the Italian police

Ransomware targeting Italian-speaking users is being served from compromised websites via malicious JavaScript code, warns Total Defense’s Rossano Ferraris.

Users are lured to the websites, where the malware is automatically downloaded and run. It immediately disables the Task Manager and modifies the Windows registry of the targeted machine so that the malware runs every time the computer is restarted.

The users notice that something is wrong when the following warning pops up and they realize their computer has been blocked:

“The banner falsely represents an official message addressed to the user of the victim machine stating that the IP address of the machine has been confiscated because of its illegal hosting of content related to child pornography,” explains Ferraris. “Additionally the fake official banner states that the computer is also spreading illegal spam with terrorist intent.”

In order to unblock the computer, the user is advised to pay a 100 euro fine within the next 24 hours via Paysafe, Ukash or Sisal.

This is not the first time that a scheme like this has been perpetrated on European Internet users. Less than three months ago, German, Swiss, UK, Spanish and Dutch users were targeted with the same or similar malware, with a different HTML front end.

At the time, Microsoft warned that even if victims pay the requested fine, doing so will not resolve their problem. Upon paying the fine, users receive an unlocking code that does not work.
