Council of Europe Ransomware Blocks Users from Accessing the Internet


Linkup ransomware prevents users from accessing the Web

Security researchers from Emsisoft have come across an interesting piece of ransomware which they’ve dubbed Linkup (Trojan-Ransom.Win32.Linkup). While other such Trojans lock up computers or encrypt the files stored on them, Linkup prevents users from accessing the Web.

When the owners of infected devices want to visit a website, they’re presented with a message that appears to come from the Council of Europe.

“Internet access is temporarily blocked,” reads the message on the screen. Victims are told to provide their personal and financial information to establish their identities.

Users are told that they only have to pay €0.01 to unlock Internet usage, but experts believe that the amount victims end up paying is much higher.

So how does this threat block Internet access?

According to researchers, when it’s first executed, Linkup disables Windows security features and the operating system’s firewall, and makes a copy of itself under the name svchost.exe. Then, the malware contacts its command and control server.

Linkup receives a command to redirect all HTTP requests to the ransomware website. It makes a number of modifications in the Windows registry to ensure that every DNS request is redirected.

However, Linkup is not designed only to block Internet access. Once it infects a computer, the threat downloads an additional component that’s actually a Bitcoin miner.

Devices infected with the malware actually become part of a Bitcoin mining botnet.

If your computer is infected with Linkup, here’s what you need to do to clean it up. First of all, scan your device with updated antivirus software (Emsisoft recommends Malwarebytes Anti-Malware).

Then you need to set DNS settings to “obtain DNS server address automatically.” The malware sets the primary DNS server to 127.0.0.1.
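The two host-side traces the article describes (a primary DNS server pinned to 127.0.0.1 and a copy of the malware named svchost.exe) can be audited and the DNS setting reverted from PowerShell. The script below is an added example, not code from the article or from Emsisoft; it assumes Windows 8 / Server 2012 or later (for the DnsClient cmdlets) and an elevated session, and uses a hypothetical `-Remediate` switch to decide whether to reset DNS to automatic.

```powershell
# Added example (not from the article or Emsisoft): audit a Windows host for the two
# Linkup traces the article describes and, with -Remediate, restore automatic DNS.
# Assumptions: Windows 8 / Server 2012 or later (DnsClient cmdlets), run as Administrator.
[CmdletBinding()]
param(
    [switch]$Remediate   # hypothetical switch: only report unless set
)

$findings = @()

# 1. DNS servers pinned to 127.0.0.1 (the article: malware sets primary DNS to 127.0.0.1).
$suspectDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -contains '127.0.0.1' }
foreach ($s in $suspectDns) {
    $findings += "Interface '$($s.InterfaceAlias)' uses DNS servers: $($s.ServerAddresses -join ', ')"
}

# Same check against the registry copy of the per-interface setting; NameServer is a
# space- or comma-separated string of addresses.
$ifaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Get-ChildItem $ifaceKey | ForEach-Object {
    $ns = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).NameServer
    if ($ns -and (($ns -split '[ ,]') -contains '127.0.0.1')) {
        $findings += "Registry NameServer on $($_.PSChildName) = '$ns'"
    }
}

# 2. svchost.exe running from anywhere except the Windows system directories
#    (the article: the malware copies itself under the name svchost.exe).
$legit = @("$env:SystemRoot\System32\svchost.exe", "$env:SystemRoot\SysWOW64\svchost.exe")
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_.Path   # Path is only readable for other users' processes when elevated
    if ($p -and ($legit -notcontains $p)) {
        $findings += "svchost.exe (PID $($_.Id)) running from unexpected path: $p"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Linkup-style DNS or svchost findings.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

# Optional cleanup step from the article: set DNS back to "obtain automatically".
if ($Remediate -and $suspectDns) {
    foreach ($s in $suspectDns) {
        Set-DnsClientServerAddress -InterfaceIndex $s.InterfaceIndex -ResetServerAddresses
        Write-Output "Reset DNS on '$($s.InterfaceAlias)' to automatic (DHCP)."
    }
    Clear-DnsClientCache
}
```

Run it once without `-Remediate` to see what it finds, scan with antivirus as the article advises, and then run it with `-Remediate` to reset the DNS servers. The `-notcontains` comparison is case-insensitive, so differences such as `C:\WINDOWS` versus `C:\Windows` in the process path do not produce false findings.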
