Blackmailware: Be Careful What You Click
HUNTINGTON STATION, N.Y. – According to the tech support self-help site BleepingComputer.com, there’s a new piece of malware being distributed by porn sites which falls into the blackmailware category.
BleepingComputer owner Lawrence Abrams wrote that the blackmailware was “first discovered from a post on Reddit where the author stated that they downloaded a file from a porn site named Xvideos.”
“Once run, it created a ransom note, but did not encrypt any files,” Abrams noted of the infection he has dubbed “PornBlackmailer,” which uses a .scr extension to pass itself off as a Windows screensaver. A .scr file is an ordinary Windows executable that runs when double-clicked, which is why the disguise works.
Unlike ransomware, which locks down a user’s data and then demands payment to unlock the files, PornBlackmailer creates a folder on the targeted device and fills it with files describing the user’s computer, location and browser history, along with screenshots of the user’s active desktop.
“First it will compile information such as your computer name, account name, computer info, and geographic location based on your IP address and network adapter’s MAC address,” Abrams found. “This information is saved in the your_information.txt file. If it is able to get your geographic region, it will connect to a variety of sites in order to create an image of your location via Google Maps. This information is saved in your_location.jpg. It then creates copies of your browser cookie files and saves them in the browser-cookies folder.”
PornBlackmailer then generates four screenshots of the active desktop, covering a period of about 10 seconds. Abrams speculated that the malware author assumes the user is at this point “still on the porn sites, can catch you in the act, and use the potentially compromising screenshots as further leverage to get the victim to pay.”
The real kicker, however, is the message the malware leaves in multiple READ_ME.txt files on the user’s desktop, which claim the user was “caught in the act of watching and spreading child pornography,” along with a threat to forward the user’s information to law enforcement, unless the user meets the blackmailer’s payment demands.
“All these data and complaints will be automatically forwarded to the special police departments (FBI, CIA, INTERPOL, MVD, FSB) exactly 24 hours after the current moment,” reads one example of such text files Abrams displayed in his post. “This will be enough to put you in jail for at least one year. Believe me, you are not the first.”
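The artifact set described above (the data folder with your_information.txt, your_location.jpg and a browser-cookies directory, the READ_ME.txt note on the desktop, and a PE executable wearing a .scr extension) lends itself to a simple host triage check. The script below is an added example written for this page, not code from BleepingComputer or from the malware; only the file and folder names and the note phrase come from the article, while the function names, the decision rule, the constructed sample directory tree and its contents are assumptions made for illustration.

```python
"""Host triage for the PornBlackmailer artifacts described in the article.

Added example, not code from the article or from BleepingComputer. File and
folder names and the note phrase are taken from the article; everything else
(function names, decision rule, sample tree) is an assumption.
"""
import os
import tempfile
from pathlib import Path

# File and folder names reported in the article.
DATA_FILES = {"your_information.txt", "your_location.jpg"}
DATA_DIRS = {"browser-cookies"}
NOTE_NAME = "READ_ME.txt"
# Phrase from the ransom note quoted in the article, matched case-insensitively.
NOTE_PHRASE = "child pornography"
PE_MAGIC = b"MZ"  # every Windows PE executable starts with this, .scr included


def scan(root):
    """Walk `root` and collect PornBlackmailer-style indicators.

    .scr files that begin with a PE header are listed as leads only: a genuine
    screensaver is also a PE executable, which is exactly why the extension is
    useful to an attacker.
    """
    hits = {"data_files": [], "data_dirs": [], "notes": [], "scr_executables": []}
    for dirpath, dirnames, filenames in os.walk(root):
        hits["data_dirs"] += [os.path.join(dirpath, d) for d in dirnames if d in DATA_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in DATA_FILES:
                hits["data_files"].append(path)
            elif name == NOTE_NAME:
                text = Path(path).read_text(encoding="utf-8", errors="replace")
                if NOTE_PHRASE in text.lower():
                    hits["notes"].append(path)
            elif name.lower().endswith(".scr"):
                with open(path, "rb") as fh:
                    if fh.read(2) == PE_MAGIC:
                        hits["scr_executables"].append(path)
    return hits


def is_infected(hits):
    """Assumed decision rule: call it an infection only when the note text and
    at least one collected-data artifact are both present; a lone README-style
    file is not enough."""
    return bool(hits["notes"]) and bool(hits["data_files"] or hits["data_dirs"])


def build_sample_tree(infected=True):
    """Construct a throwaway directory tree mimicking the artifact layout from
    the article (constructed sample data, not a real capture)."""
    root = tempfile.mkdtemp(prefix="pb_triage_")
    desktop = Path(root, "Desktop")
    desktop.mkdir()
    (desktop / "notes.txt").write_text("shopping list\n")
    downloads = Path(root, "Downloads")
    downloads.mkdir()
    if infected:
        # Note text constructed around the phrase quoted in the article.
        (desktop / NOTE_NAME).write_text(
            "You were caught in the act of watching and spreading child "
            "pornography. Pay 0.01 BTC within 24 hours.\n"
        )
        stash = Path(root, "collected")
        stash.mkdir()
        (stash / "your_information.txt").write_text("computer name: DESKTOP-01\n")
        (stash / "your_location.jpg").write_bytes(b"\xff\xd8\xff" + b"\0" * 16)
        (stash / "browser-cookies").mkdir()
        (stash / "browser-cookies" / "cookies.sqlite").write_bytes(b"\0" * 8)
        # A PE-format file wearing the .scr extension, as the article describes.
        (downloads / "video.scr").write_bytes(PE_MAGIC + b"\0" * 62)
    return root


if __name__ == "__main__":
    result = scan(build_sample_tree())
    for key, paths in result.items():
        print(f"{key}: {len(paths)}")
    print("infected:", is_infected(result))
```

Run it against a user profile directory instead of the constructed tree to triage a real machine. The .scr check deliberately stays a lead rather than a verdict: the extension alone is not suspicious on Windows, but a freshly downloaded .scr in a Downloads folder next to these artifacts is exactly the pattern the article describes.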
In the samples of PornBlackmailer Abrams tracked down, the payment demand is “0.01 BTC” (bitcoin), which amounts to around $110 at the current price of bitcoin as of 11:30am January 26. The text files generated also include a list of bitcoin addresses which have, purportedly at least, already been used to pay the demanded ransom.
While a relatively low sum, Abrams noted the payment demanded “does show that this can be an effective and efficient way for a criminal to generate revenue.”
Abrams also observed that, unlike with a lot of ransomware, blackmailware like PornBlackmailer involves very little interaction between the attacker and the target.
“With traditional ransomware, a developer has to communicate with their victims, process payments, manage encryption keys, and manage Command & Control servers,” Abrams said. “Blackmailware, on the other hand, just has to paint a convincing enough picture that scares a victim into paying a small demand in order to keep the attacker’s mouth shut. Screenshots are especially effective as, if they are compromising in any way, they could be the tipping point between not making a payment and paying one.”