Security researchers from Emsisoft have come across an interesting piece of ransomware which they’ve dubbed Linkup (Trojan-Ransom.Win32.Linkup). While other such Trojans lock up computers or encrypt the files stored on them, Linkup prevents users from accessing the Web.
When the owners of infected devices want to visit a website, they’re presented with a message that appears to come from the Council of Europe.
“Internet access is temporarily blocked,” reads the message on the screen. Victims are told to provide their personal and financial information to establish their identities.
Victims are told that unlocking Internet access costs only €0.01, but experts believe the amount they end up paying is much higher.
So how does this threat block Internet access?
According to researchers, when it’s first executed, Linkup disables Windows security features and the operating system’s firewall, and makes a copy of itself under the name svchost.exe. Then, the malware contacts its command and control server.
Linkup receives a command to redirect all HTTP requests to the ransomware website. It makes a number of modifications to the registry to ensure that every DNS request is redirected.
However, Linkup is not designed only to block Internet access. Once it infects a computer, the threat downloads an additional component that’s actually a Bitcoin miner.
Infected devices thus become part of a Bitcoin mining botnet.
If your computer is infected with Linkup, here’s what you need to do to clean it up. First of all, scan your device with up-to-date antivirus software (Emsisoft recommends Malwarebytes Anti-Malware).
Then you need to set DNS settings to “obtain DNS server address automatically.” The malware sets the primary DNS server to 127.0.0.1.
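The two symptoms the article describes, a static DNS server pointing at 127.0.0.1 and a copy of the malware named svchost.exe, can be checked for on a host. The following is an added example, not code from the article or from Emsisoft; it runs the checks over constructed sample data shaped like the per-interface `NameServer`/`DhcpNameServer` registry values and a process list (on a live Windows host those values would be read from `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}` and from the running processes; the interface GUIDs, paths and addresses below are made up).

```python
import ipaddress
from typing import Dict, List, Sequence, Tuple

# Constructed sample of per-interface DNS settings, shaped like the values under
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}
# (NameServer = statically configured servers, DhcpNameServer = DHCP-assigned).
# The second interface mimics the Linkup hijack: primary DNS forced to 127.0.0.1.
SAMPLE_INTERFACES = {
    "{11111111-0000-0000-0000-000000000001}": {"NameServer": "", "DhcpNameServer": "192.168.1.1"},
    "{22222222-0000-0000-0000-000000000002}": {"NameServer": "127.0.0.1,8.8.8.8", "DhcpNameServer": "192.168.1.1"},
}

# Constructed process snapshot (name, image path). A legitimate svchost.exe is
# loaded from System32 (or SysWOW64 on 64-bit Windows); Linkup drops its copy elsewhere.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe"),
]

def _split_servers(value: str) -> List[str]:
    # NameServer holds one or more addresses separated by commas or spaces
    return [s for s in value.replace(",", " ").split() if s]

def hijacked_dns_interfaces(interfaces: Dict[str, Dict[str, str]]) -> List[str]:
    """Return interface GUIDs whose static NameServer list contains a loopback address.
    A static loopback resolver on a workstation that runs no DNS service of its own is
    the symptom described above; "obtain automatically" corresponds to an empty NameServer."""
    flagged = []
    for guid, values in interfaces.items():
        for server in _split_servers(values.get("NameServer", "")):
            try:
                if ipaddress.ip_address(server).is_loopback:
                    flagged.append(guid)
                    break
            except ValueError:
                continue  # not a parseable address; ignore it
    return flagged

def suspicious_svchost(processes: Sequence[Tuple[str, str]],
                       system_dirs=(r"C:\Windows\System32", r"C:\Windows\SysWOW64")) -> List[str]:
    """Return image paths of svchost.exe processes not loaded from a Windows system directory."""
    allowed = tuple(d.lower().rstrip("\\") + "\\" for d in system_dirs)
    return [path for name, path in processes
            if name.lower() == "svchost.exe" and not path.lower().startswith(allowed)]

if __name__ == "__main__":
    print("Interfaces with loopback DNS:", hijacked_dns_interfaces(SAMPLE_INTERFACES))
    print("svchost.exe outside system dirs:", suspicious_svchost(SAMPLE_PROCESSES))
```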