The Stack Archive

‘Breaking Bad’ crypto ransomware targets Australian users

Mon 11 May 2015

Symantec researchers have uncovered a new iteration of the Trojan.Cryptolocker.S ransomware which, presumably to the victim's least amusement, themes itself around the hugely popular U.S. crime drama Breaking Bad.

The customary ransom message in the package, shown to users after the malware has encrypted every important file it can find, features the ‘Los Pollos Hermanos’ logo of the fried chicken chain that drug-lord Gustavo Fring uses to launder the proceeds of his nationwide crystal meth manufacturing operation.

Additionally, part of the anonymous email address supplied in the instructions on how to pay the ransomware authors features the phrase “I am the one who knocks”, a sinister utterance by lead character and ace meth cook Walter White (played by Bryan Cranston – see video at bottom). The ransomware also opens a background YouTube video featuring a song from a radio station in the popular videogame Grand Theft Auto V, which certain Breaking Bad fans regard as a tribute to the show.

Pollos Hermanos ransomware

The Breaking Bad strain is currently targeting users in Australia, and encrypts videos, documents, images and other files, providing the decryption key through anonymous channels once the victim has handed over AU$1,000 (£510 / US$791).

Symantec reports that this latest Trojan.Cryptolocker.S iteration reaches users’ machines via social engineering, with the first point of infection being a zip archive containing the malicious VBC.Downloader.Trojan, named – in this case – PENALTY.VBS. The archive also yields a non-malicious PDF, intended to convince the victim that the unzipping operation was harmless when it has in fact unleashed the crypto ransomware on them.
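The infection chain above starts with a zip attachment that carries a .VBS script next to a decoy document, which is something a mail gateway or endpoint check can flag before anything runs. The following Python is an added illustration, not code from the article or from Symantec: it builds a constructed sample archive in memory (the member name PENALTY.VBS is taken from the article; the decoy file name and contents are placeholders) and lists members whose final extension is a script or executable type, so a double extension such as statement.pdf.js is caught as well.

```python
"""Flag zip members that are scripts or executables rather than documents (added example)."""
import io
import os
import zipfile

# Extensions that mean "this will execute" on a typical Windows client, not "this is a document".
SCRIPT_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1",
    ".bat", ".cmd", ".exe", ".scr", ".hta",
}


def suspicious_members(zip_bytes: bytes) -> list:
    """Return names of archive members whose last extension is a script/executable type.

    Only the final extension is considered, so 'statement.pdf.js' is flagged
    even though it is dressed up to look like a PDF.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            _, ext = os.path.splitext(info.filename)
            if ext.lower() in SCRIPT_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed sample: a script named after the one in the article, a double-extension
    script, and a harmless decoy PDF stub. None of the contents are real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PENALTY.VBS", "' placeholder text, not a real script\n")
        zf.writestr("statement.pdf.js", "// placeholder text, not a real script\n")
        zf.writestr("notice.pdf", "%PDF-1.4\n% placeholder decoy document\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Expected: ['PENALTY.VBS', 'statement.pdf.js']
    print(suspicious_members(build_sample_archive()))
```

The check deliberately keys on the last extension only; a policy that blocks or quarantines such archives at the gateway removes the first step of this chain without needing a signature for the specific downloader.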

This particular ransomware set-up appears to borrow techniques from an open-source, white-hat penetration-testing project built on Microsoft PowerShell modules. The attack runs a PowerShell script to carry out the encryption, using an Advanced Encryption Standard (AES) key that is itself encrypted with an RSA public key. Because the matching RSA private key never leaves the attackers, the victim can only unlock their files with a key supplied by the cyber-extortionists.
