Aggressive extortion combined with accurate profiling of the victim is what makes the current generation of screen lockers a serious challenge for the IT security community. The Polizia di Stato ransomware is a case in point: it targets computer users in Italy and pretends to originate from the national law enforcement agency. Although this ransomware has been around for more than a year, its spread in the past few months is an increasing concern.
Also referred to as the Polizia Penitenziaria or Polizia Postale ransomware, this infection blocks normal access to the Windows desktop by displaying a lock screen immediately after the system starts up. The screen accuses the user of storing prohibited content on the PC, mostly illegal adult videos or images, and of distributing copyright-protected files. This is a straightforward social engineering technique: the accusations are fabricated and exist only to intimidate the user into paying. To appear more credible, the malware includes details it can collect locally or from the network connection, such as geolocation, operating system version, IP address and ISP name, and it may even display live video from the webcam to reinforce the impression of surveillance.
To avoid the purported prosecution, the victim is told to pay a "fine" of 100 EUR as a settlement. Payment is demanded through prepaid voucher services such as Ukash or paysafecard, which makes it difficult for law enforcement to attribute the payments and track down the fraudsters.
The Polizia ransomware is powered by the well-known Reveton Trojan. The malicious code is distributed through exploit kits, most likely BlackHole in this case. Exploit kits are web-based tools that probe a visitor's browser for vulnerable, outdated software and plugins and use those flaws to deliver a malware payload silently, with no action required from the user beyond visiting a compromised or malicious web page. Java, Flash Player and Adobe Reader are the weakest links most widely exploited this way to compromise computers on a large scale.
Notably, the BlackHole exploit kit is sold on underground hacking forums on a malware-as-a-service basis, with customer support and maintenance options included. According to published analyses, the kit comes with a web dashboard that provides detailed infection statistics by country, OS version, web browser and the type of software exploited.
It is strongly advised to remove the Polizia di Stato infection rather than pay the ransom to regain access to the locked computer; paying funds the operation and gives no guarantee that the lock screen will be removed. Because the locker starts with the normal Windows session, the cleanup has to be done from outside that session: run an antivirus suite from Safe Mode with Networking, where most autorun entries are not processed and the locker is unlikely to load, or roll the system back with System Restore to a point created before the infection (this only works if the malware has not deleted the restore points). In terms of prevention, patching the security flaws that exploit kits rely on, above all in Java, Flash Player and Adobe Reader, is the single most effective measure.
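The manual cleanup path described above, as an added example that is not part of the original article: a Windows PowerShell 5.1 triage script that (1) configures the next boot to enter Safe Mode with Networking via bcdedit, (2) enumerates the standard autorun locations a screen locker would typically abuse to start at logon, (3) lists available System Restore points, and (4) reports the installed versions of the browser plugins that exploit kits target so they can be patched. The registry keys and folders are standard Windows locations; the `DisplayName` patterns used to find Java, Flash Player and Adobe Reader are an assumption for filtering and may need adjusting to local package names. Nothing here identifies Reveton specifically; the output is for a human to compare against known-good entries.

```powershell
# Added example (not the article's own code). Run from an elevated Windows PowerShell 5.1
# prompt (Get-ComputerRestorePoint is not available in PowerShell 7).

# 1. Make the next boot enter Safe Mode with Networking; revert once the cleanup is done.
function Enable-SafeModeNetworking {
    bcdedit /set '{current}' safeboot network | Out-Null
    Write-Host 'Next reboot enters Safe Mode with Networking. Revert with Disable-SafeModeNetworking.'
}
function Disable-SafeModeNetworking {
    bcdedit /deletevalue '{current}' safeboot | Out-Null
}

# 2. Enumerate the autorun locations a logon-time screen locker commonly relies on:
#    Run/RunOnce keys, the Winlogon Shell value, and the per-user/all-users Startup folders.
function Get-AutorunEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PSPath/PSParentPath/... metadata PowerShell adds to every item.
                if ($p.Name -notlike 'PS*') {
                    [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    }
    # The Winlogon Shell value should be exactly "explorer.exe"; anything else deserves a look.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    [pscustomobject]@{ Location = $winlogon; Name = 'Shell'; Command = $shell }
    # Startup folders: shortcuts or executables dropped here run at every logon.
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Location = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# 3. Restore points available for the System Restore path (pick one dated before the infection).
function Get-RestorePointSummary {
    Get-ComputerRestorePoint | Select-Object SequenceNumber, Description,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } }
}

# 4. Installed versions of the software exploit kits most often target, for the patching step.
#    The DisplayName patterns are an assumption; adjust them to the package names on the host.
function Get-ExploitKitTargetVersions {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|Flash Player|Adobe Reader|Acrobat' } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

# Usage: review the three reports, then decide between cleanup in Safe Mode or a restore.
Get-AutorunEntries           | Format-Table -AutoSize
Get-RestorePointSummary      | Format-Table -AutoSize
Get-ExploitKitTargetVersions | Format-Table -AutoSize
# To roll back instead: Restore-Computer -RestorePoint <SequenceNumber>
```

When reviewing the autorun report, treat any entry whose command points into a user-writable location such as the profile's AppData or Temp directories, or a Winlogon Shell value other than `explorer.exe`, as suspicious and capture the referenced file for analysis before removing the entry. Remember to run `Disable-SafeModeNetworking` after the scan, otherwise the machine keeps booting into Safe Mode.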