You rarely root for online criminals, but a new malware campaign targeting child exploiters does not make you feel awful about the victims.
Since 2012, threat actors have developed a range of malware and ransomware that impersonate government agencies and earn affected Windows users that they are seeing CSAM. The software informs users that they must pay a "penalty" to keep their information from being transferred to law enforcement.
One of the first "modern" ransomware operations, known as Anti-Child Porn Spam Protection or ACCDFISA, used this extortion strategy in conjunction with initially locking Windows systems and eventually encrypting files.
Similar extortion techniques were used by cybersecurity researcher MalwareHunterTeam to share an executable malware sample named "CryptVPN" [VirusTotal] with BleepingComputer last week.
This time, though, the malware creator is going after people who actively seek child pornography rather than innocent people.
Security specialists investigated the malware and discovered that threat actors posed as UsenetClub, a subscription service that allows users to download films and images from Usenet with "uncensored" access.
Usenet is an online discussion platform that allows users to discuss different topics in "newsgroups" to which they have subscribed. While Usenet is used for valid discussion of a variety of topics, it is also a notorious source of child pornography.
Threat actors designed a fraudulent site pretending to be UsenetClub and offered three subscription tiers for the site's content. The first two were paid subscriptions, ranging from $69.99 per month to $279.99 annually.
However, a third option claimed to allow free access if you install and employ the free "CryptVPN" software to access the site.
Clicking the "Download & Install" button will download a CryptVPN.zip file from the website, which when unpacked will contain a Windows shortcut called "CLICK-HERE-TO-INSTALL".
This file is a shortcut to the PowerShell.exe executable that downloads and saves the CryptVPN.exe executable to C:\Windows\Tasks.exe before executing it.
The malware executable is packaged with UPX, however when unpacked, it contains a PDB string indicating that the creator titled the malware "PedoRansom".
The malware does nothing uncharacteristic except change the target's wallpaper to an extortion demand and drop a ransom note named README.TXT on the desktop, which includes similar extortion demands.
"You were searching for child exploitation and/or child sexual abuse material. You were stupid enough to get hacked," reads the extortion demand. "We have collected all your information, now you must pay us a ransom or your life is over.”
The extortion goes on to say that the victim must pay $500 to the bc1q4zfspf0s2gfmuu8h5k0679sxgxjkd7aj5e6qyl Bitcoin address within ten days or their identity will be leaked.
Currently, this bitcoin address has only received roughly $86 in payments.
Threat actors have long used "sextortion" strategies, such as sending bulk emails to a large number of people in an attempt to scare them into paying an extortion demand.
These approaches worked very well at first, with spammers extorting more than $50,000 per week during the early operations. However, as time passes and the victims of these frauds become more aware, sextortion operations no longer yield the same money.
While this strategy is more innovative and will scare many individuals looking for this type of stuff, we doubt many people will pay the extortion demand.