A malware host had been seized by the Romanian police in September 2013. Hard drive images were given to Romanian security firm BitDefender, and have since recently been reviewed, giving information into both the malware it spread and the method and reach from the malware distribution network.
The spreading method the coders utilized, states BitDefender, “suggests a pyramid scheme, as the analyzed server downloads files from the another domain but functions, itself, as a malware download location for sub-affiliates.” In the five months before the September seizure, this server logged 267,786 successful installs of the malware, with most of them in the US.
“The Icepol ransomware,” explain the researchers, “adds itself to the Startup Registry key in order to ensure persistence after every reboot. As soon as the computer starts, the screen gets locked and displays a message in the user’s language, if the user is located in a country that speaks one of 25 languages. The message states that the computer got locked as suspicious activity (download of copyrighted material or of ‘illegal pornography’) was detected. Of course, the system can be unlocked by paying a ransom, euphemistically described as a ‘fine.'”
Victims paid out a total of 158,376 in currency, (thought to be US$), with over 32,000 from the US as a way to unlock their computers.
“The Romanian server is part of a large distribution system from malicious programs that may consist of dozens of similar servers,” mentioned BitDefender. “These are organized like a pyramid, with a number of partner servers connected to a C&C server, which is responsible for the distribution of malware. The unit of Romania communicated originally with a C&C server from the Netherlands.”
The seized host had two major functions which included delivering the Icepol ransomware, and to operate a pay-per-click fraud operations utilizing a traffic swap systems. “The criminal underworld apparently has malware distribution networks (MDN) that work very similar manner to legitimate CDNs, even down to transfer and syndication models for fundraising,” commented Catalin Cosoi, security strategist at Bitdefender.