The malware analysis team at Emsisoft has uncovered ransomware, called Linkup, that hijacks the DNS settings computers use to connect to the internet and can then mine for Bitcoins.
Emsisoft has identified the ransomware as a trojan variant in the wild, dubbed Trojan-Ransom.Win32.Linkup. Unlike other ransomware, Linkup doesn’t take aim at users’ computers, but rather blocks internet access, according to a Feb. 3 blog by Steve Nowicki on the Emsisoft website. Once Linkup infects users, they’re warned about possible child pornography on their computers and informed, purportedly by The Council of Europe, that they’re blocked from using the internet until they divulge personal information and pay EUR 0.01, a claim that Nowicki called “unconfirmed and most likely a blatant lie.”
Linkup does its dirty work as follows: once executed, it copies itself under a fake name that looks like a normal file on the user’s computer, then creates a mutex named tnd990r or tnd990s. It then sends a POST request to its server to obtain information related to the user’s computer. Finally, Linkup makes a number of changes in the Windows registry designed to redirect all DNS requests.
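A defender-side triage check for a Windows host suspected of a Linkup infection, added here as an example and not taken from Emsisoft’s write-up: it probes for the two mutex names the analysis reports and lists the DNS servers configured per interface in the registry, flagging any not on an allow-list. The registry path is Windows’ standard TCP/IP interface key; the allow-list addresses are placeholders you replace with your own resolvers.

```powershell
# Indicators reported in the Emsisoft analysis.
$KnownMutexes = @('tnd990r', 'tnd990s')
# Placeholder allow-list (assumption): replace with your organisation's resolvers.
$AllowedDns   = @('192.0.2.53', '192.0.2.54')

function Test-LinkupMutex {
    foreach ($name in $KnownMutexes) {
        # Check both the session-local and the Global namespace.
        foreach ($prefix in @('', 'Global\')) {
            $m = $null
            # TryOpenExisting returns $true only if a mutex of that name is currently held.
            if ([System.Threading.Mutex]::TryOpenExisting("$prefix$name", [ref]$m)) {
                $m.Dispose()
                [pscustomobject]@{ Indicator = 'Mutex'; Interface = '-'; Value = "$prefix$name" }
            }
        }
    }
}

function Get-UnexpectedDnsServer {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    Get-ChildItem $base | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        # Static resolvers live in NameServer; DHCP-assigned ones in DhcpNameServer.
        foreach ($prop in 'NameServer', 'DhcpNameServer') {
            $value = $props.$prop
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            # Values are space- or comma-separated address lists.
            foreach ($srv in ($value -split '[ ,]+' | Where-Object { $_ })) {
                if ($AllowedDns -notcontains $srv) {
                    [pscustomobject]@{ Indicator = 'DNS'; Interface = $_.PSChildName; Value = "$prop=$srv" }
                }
            }
        }
    }
}

$findings = @(Test-LinkupMutex) + @(Get-UnexpectedDnsServer)
if ($findings) { $findings | Format-Table -AutoSize } else { 'No Linkup indicators found.' }
```

Run it in an elevated PowerShell session; any DNS entry it flags should be compared against the resolvers your DHCP server actually hands out before treating it as a hijack.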
But Linkup doesn’t stop there. While users are stymied by the ransomware, Linkup tries to connect victim computers “to a Bitcoin mining botnet [Protominer], which can combine the computing power of multiple infected computers to earn new Bitcoins for whoever is behind the attack,” Nowicki noted in the blog. “The most important thing to understand about Bitcoin mining is that a hacker can get more computing power.”
As the digital currency grows more popular and valuable, Bitcoin-mining malware is on the rise, according to McAfee’s third quarter 2013 threat report.
Emsisoft warned users whose computers are infected with Linkup not to divulge personal information. Instead, they should run an anti-malware program that recognizes Trojan-Ransom.Win32.Linkup.