Researchers have discovered a bizarre piece of Trojan ransomware which disables programs on infected PCs before demanding victims make an unaccountably small payment to a Ukrainian mobile phone network in return for an unlock code.
According to antimalware vendor Webroot, the Krotten ransom Trojan is one of the oddest pieces of malware of the year. Taking the path of least resistance, it eschews the complex encryption outlook taken by a range of ransomware programs in the past and simply sets out to interfere with the host PC in as many ways as possible.
It starts out by changing 40 registry keys for a number of Windows settings, adding expletive text in Russian to the internet Explorer title bar, disabling features such as the Windows Start bar, and blocks the ability to print or open files. It also stops most applications from running at all.
Any location in Windows that would normally display the current time now also displays a Russian language profanity. Rebooting the system will display the following text box in Russian, which Webroot helpfully translates in its blog on Krotten.
"In order to restore normal functionality of your computer without losing all the information! and saving money, send me an email to email@example.com, with the code for replenishing a Kyivstar account with 30 Grivna. In response within 24 hours you will get an email with a file to remove this program from your computer."
Grivna is the currency of the Ukraine and 30 Grivna is the equivalent of less than $4, a curiously small sum to demand. This, and the generally incompetent nature of some aspects of the malware, raises the possibility that it is more of a prank than a serious means of scamming people for money. The Trojan was, the researchers reckon, also written using a DIY malware kit called Sign 0f Misery (S0M).
Finishing off its strange design is a script that launches Explorer in order to display a web page showing Saddam Hussein's son, Uday Hussein, lying dead after a battle with US troops in Iraq in 2003. The Explorer window cannot then be closed because that setting has, of course, been disabled.
Webroot and other antivirus programs have been able to detect the core code underlying Krotten for some time (the malware has appeared in several versions), but potential victims should immediately ditch any idea of paying up the trifling sum in the event they are hit with it; it is unlikely that anything other than a full system reinstall will cure its trail of damage.