This time we analyze the trojan kit MULTI LOCKER Version 3.
The user's computer is compromised by visiting the infection vector:
It downloads the malicious binary:
The IP 126.96.36.199 is hosted at the ISP Clodo-Cloud in Russia.
Once the computer is infected, the ransomware modifies the system configuration and registry so that each time the user restarts the computer, the trojan automatically takes control and locks the whole system. In addition, the malware displays a fake police screen asking the user to pay a fine for allegedly viewing child pornography or content that infringes intellectual property rights.
This fake police screen is downloaded from the fraudulent server at the address:
This script checks the language configured in the user's browser and displays the fake police screen in the user's local language, with the relevant legal notices and warnings from that country's police.
The code of the "tds.php" script is shown as follows:
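The post only shows tds.php as a screenshot. The block below is an added example, not the kit's code: it reproduces the locale decision such a redirector makes so an analyst can tell which localized lock screen a given victim browser would have been served (for example when replaying a sample in a sandbox). It assumes the script reads the HTTP Accept-Language header; the language-to-page mapping and page names are constructed placeholders.

```python
"""Reproduce a language-gating redirector's choice of localized page.
Added analysis aid, not code from the MULTI LOCKER kit.  Assumes the
decision is driven by the HTTP Accept-Language header."""
import re

# Constructed mapping: primary language tag -> localized lock-screen page.
# Page names are placeholders, not file names taken from the kit.
LOCALE_PAGES = {
    "es": "police_es.html",
    "de": "police_de.html",
    "fr": "police_fr.html",
    "en": "police_en.html",
}
DEFAULT_PAGE = "police_en.html"  # served when no preferred language matches

# One Accept-Language entry: a language tag (or "*") with optional ";q=weight".
_TAG_RE = re.compile(
    r"^\s*([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)\s*(?:;\s*q\s*=\s*([0-9.]+))?\s*$"
)


def parse_accept_language(header):
    """Return (tag, q) pairs sorted by descending q (RFC 7231 s.5.3.5).
    Entries with q=0 are dropped; ties keep the header's own order."""
    prefs = []
    for pos, part in enumerate(header.split(",")):
        m = _TAG_RE.match(part)
        if not m:
            continue  # skip malformed entries instead of failing the request
        tag, q = m.group(1).lower(), m.group(2)
        try:
            weight = float(q) if q is not None else 1.0
        except ValueError:
            weight = 0.0
        if weight > 0:
            prefs.append((tag, weight, pos))
    prefs.sort(key=lambda t: (-t[1], t[2]))
    return [(tag, weight) for tag, weight, _ in prefs]


def select_page(header):
    """Pick the page the way a language-gating script would: the first
    preferred language whose primary subtag has a page wins."""
    for tag, _ in parse_accept_language(header):
        primary = tag.split("-")[0]
        if primary in LOCALE_PAGES:
            return LOCALE_PAGES[primary]
    return DEFAULT_PAGE


if __name__ == "__main__":
    # A Spanish-locale browser, as in the post's example
    print(select_page("es-ES,es;q=0.9,en;q=0.8"))  # police_es.html
```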
In the case of Spanish users, the following fraudulent screen, hosted at the address below, would be displayed:
In this example the screen is very poorly designed, unlike other kits detected, which are detailed enough to convince the user that it is genuine.
Criminals can modify these fake warning pages to give them a more legitimate appearance using the mini editor included in the ransomware kit, which some antivirus companies also call Ransomlock.
The panel is called MULTI LOCKER LENDING EDITOR and is accessed via the URL:
And file structure of the LENDING KIT is:
If the user pays the fee through online payment systems such as UKASH or MoneyPack, the machine is unlocked once the code returned by the payment system is entered.
The ransomware statistics panel is accessed through the main login page:
Panel with statistical tracking of infected users
Menu of users who have paid to unlock their computers
The KIT file structure is as follows: