Fake Adobe Flash Player Websites Distribute Ransomlock Ransomware

Some users might end up with click fraud components on their computers

  Beware of fake Adobe Flash Player websites
In many cases, cybercriminals distribute ransomware – the threats that lock your computer’s screen and hold it that way until you pay a “fine” (or clean your device with an antivirus) – via adult websites. However, they also use numerous other techniques to spread their creations.

In many cases, cybercriminals distribute ransomware – the threats that lock your computer’s screen and hold it that way until you pay a “fine” (or clean your device with an antivirus) – via adult websites. However, they also use numerous other techniques to spread their creations.

Symantec experts have come across fake Adobe Flash Player update websites that serve malware. Visually, the malicious websites are very well designed.

However, when users click on other links than the “Download now” button, they’re taken to the same malicious domain, instead of the legitimate Adobe site, as we’ve seen in other similar attacks.

When they visit the site, victims are presented with two options: download a file named “flash_player_updater.exe” or one called “update_flash_player.exe.”

The files are similar, but they exhibit different behaviors. They’re similar in the way that, when installed, they both start looking for passwords, FTP/telnet/SSH credentials, and SMTP, IMAP and POP3 credentials.

The first file, flash_player_updater.exe, installs ransomware, while update_flash_player.exe installs a component that enables the attacker to generate revenue via click fraud.

The ransomware in this case is detected by Symantec as Trojan.Ransomlock.Q. The victim is presented with a warning message from the FBI Cybercrime Division and urged to pay a fine in order to have the computer unlocked.

To make everything more convincing, the threat identifies the antivirus installed on the computer and displays its logo within the lock screen.

Users who choose to install the second file end up with a Trojan that downloads three files from a remote location. Once they’re installed, the malicious elements run silently in the background to perform click fraud.

Internauts are advised never to pay the ransom money demanded by the crooks, since there’s no guarantee that they will unlock the computer once the so-called fine is paid. Also, by giving in to their demands, it’s likely that you’ll be on the top of their target list for future operations.

Comments