Ransomware demands additional payment to delete ‘criminal records’

Back in July 2013, we had discovered a new method of spreading the infamous FBI ransomware by using JavaScript code and iframes to create an illusion that the victim’s browser was locked.

After several months, the threat is still very much alive hopping from one domain name to the next. The message is still the same and along these lines: “you have been downloading copyrighted material or pornographic images and you could go to jail… unless you pay the fine”.

But here’s a new twist being added: not only do you have to pay the first ransom to unlock your browser (USD$300) but a second screen comes up after with a processing fee (USD$ 450) to delete all criminal records.

The page shows a picture of your “criminal records” being burned. The bad guys are clear that you must use a different voucher to pay that second fee:

“IMPORTANT: Entering the same MoneyPak code that was used at previous step will not delete your criminal records from FBI base. If you want to delete all criminal records you need to enter another $450 Moneypak code.”

In other words, some victims may fork up to USD$750 in this latest ransomware scheme.

In some cases such as the UK, the payment is split in two (perhaps to avoid suspicion):

All other countries have similar pages:

This slideshow requires JavaScript.

This new trend shows that Ransomware is an effective business model for cyber-criminals who are not afraid about demanding more and more from their victims.

Jerome Segura (@jeromesegura) is a senior security researcher at Malwarebytes.