Back to Home

Blockers of All Times / Kaspersky Lab Blog

Kaspersky Lab · Kaspersky · blocking · deblocker · blocker · malware

Blockers of all time

    In the fall of 2007, a new type of malware, ransomware, appeared on the Internet. This type of fraud went on the net before, but only in Russia did it get enormous popularity. The fertile soil has become the ease of receiving money from their victims. If at first rather exotic forms of payment were used (for example, VKonakte, Yandex Money, etc.), which ordinary users were not familiar with, then later scammers switched to simpler and more understandable methods: sending SMS-ok to short numbers and transferring money to phone numbers. The two most popular forms of payment are familiar even to people who rarely deal with computers. This fact, as well as simplicity and anonymity during registration of short numbers played a decisive role in the mass character that ransomware acquired.
    image

    The technical side of the ransomware also did not stand still. If initially these were very simple programs written “on the knee”, then after a few years, the blockers presented very technologically sophisticated products that contained protection against analysis, protection against detection, technology of network worms, encryption, etc. etc.

    The technologies with which scammers were going to demand money from users were also developed. If initially the system was completely blocked, and the user received information about a technical malfunction, then later more advanced social engineering technologies were used.
    Here are just a few of them:
    1) Partial locking of the system (for example, a window that is placed on top of others, in a third of the screen) - you can work with such a computer, but very uncomfortably;
    2) Demonstration of adult content - designed for children at daddy's computers;
    3) Demonstration of content containing perversion elements - designed for adults;
    etc.

    It is absolutely useless to pay scammers: sending an expensive SMS (or even several) does not guarantee that the victim will receive the promised unlock code. With the replenishment of the account through the payment terminal, the situation is no better - the receipt simply does not have the identification number referred to by the ransomware. By sending money, the user sponsors new developments, from which he himself subsequently suffers (according to our data, on average, users become infected more than 1 time).

    In our work, we constantly encounter ransomware programs and decided to create our own hit parade, highlighting, in our opinion, the most interesting of them in the following categories:

    The most inaccessible
    This blocker is unique in that it infected MBR. He did not gain much popularity. We can say that he was more of a concept.
    In May 2011, the second MBR blocker appeared, gaining more and more popularity.

    Verdict: Trojan-Ransom.Boot.Seftad
    Date of Appearance: November 2010
    Outbreak Date: did not cause an epidemic


    The most popular
    MOST MASSIVE, MOST PROFITABLE blocker of all time. In June 2010, new blockers of this family came out literally once an hour. The epidemic stopped only after members of this criminal group were detained by law enforcement agencies.

    Verdict:Trojan-Ransom.Win32.PinkBlocker
    Date of Appearance:November 2009
    Outbreak Date:August 2010


    The very first.
    The first blockers in Runet open spaces used exotic forms of payment, little known to housewives and unpretentious design (no naked female and male body). But it was with them that it all began.

    Verdict:Trojan-Ransom.Win32.BlueScreen
    Date of Appearance:fall 2007
    Outbreak Date:fall 2008


    The most beautiful

    Verdict:Trojan-Ransom.Win32.Gimemo
    Date of Appearance:March 2011
    Outbreak Date:did not cause an epidemic


    Animation
    Blocker, using an animated gif c mamma (lat.) As an image, making oscillating movements. As a payment, the blocker asked to send an SMS to one of the short numbers, among which there were both Russian, and Ukrainian, Kazakhstan, Lithuanian and German.

    Verdict:Trojan-Ransom.Win32.XBlocker
    Date of Appearance:December 2009
    Outbreak Date:February 2010


    The first non-Russian
    This blocker, which caused the first major epidemic of blockers in Runet, came from Ukraine. Initially, SMS was received as a payment to a Ukrainian number.
    A characteristic feature of the blockers from this family was the demonstration of the license agreement (!!!) at the first start of the blocker, in which it was reported that the user's computer would be blocked. But who reads these conventions?
    In subsequent versions of the blocker, the license agreement, although it was demonstrated, was closed quite quickly, and the blocker began the installation regardless of the user's actions, whether he agreed to the conditions or not.

    Verdict:Trojan-Ransom.Win32.Digitala
    Date of Appearance:October 2009
    Outbreak Date:December 2010


    The most harmless
    This "blocker" blocker as such is not. Fraudsters specifically create sites that pretend to be adult sites and place JavaScript code in them that displays the image below in the browser. After the site is created, it is distributed through the banner system. To combat this type of fraud, it’s enough to simply close the browser and not go to this site in the future, but many users are scared, believe that their machine has been infected, and are in a hurry to pay money to ransomware.

    Verdict:Trojan-Ransom.JS.Smser
    Date of Appearance:summer 2010
    Outbreak Date:by current time


    The most creative
    The first years of the development of blockers, the authors approached their creation with a soul. I came across very funny, funny and touching blockers. And only a few years later, the blockers began to rivet like pies - quickly and quickly, in order to manage to bring down the detections of antivirus products.

    Verdict:Trojan-Ransom.Win32.ImBlocker
    Date of Appearance:summer 2008
    Outbreak Date:did not cause an epidemic


    The most greedy.
    Since there was an upper price limit on the cost of SMS (500-600 rub.), Some blockers began to ask to send 2 each, and very greedy - 3 SMS each.

    Verdict:Trojan-Ransom.Win32.PinkBlocker
    Date of Appearance:spring 2010
    Outbreak Date:August 2010


    The most arrogant
    Feature of this blocker in the big names with which it is covered.

    Verdict:Trojan-Ransom.Win32.ZoBlocker
    Date of Appearance:N / a
    Outbreak Date:N / a


    The most honest
    This blocker is interesting in that, unlike its colleagues, it honestly declares that it is a blocker.

    Verdict:Trojan-Ransom.Win32.Honest
    Date of Appearance:N / a
    Outbreak Date:did not cause an epidemic


    The longest-running
    This blocker is unique in that it uses a subscription system to enrich its authors. Instead of requiring sending an SMS or transferring money to an account, this blocker requires you to send your phone number. An SMS with a deactivation code arrives on the phone.
    All these harmless actions have one goal - to register the user on the so-called subscription. Entering the deactivation code into the blocker, the user thereby agrees to the subscription conditions (which, of course, no one showed him). After subscribing, the user begins to regularly withdraw money from the user's phone (for example, every 3 days for 150 rubles). This method works until the user unsubscribes or within a certain time (for example, a week) there are no funds on the phone.

    Verdict:Trojan-Ransom.Win32.Holotron
    Date of Appearance:February 2011
    Outbreak Date:did not cause an epidemic


    The most brutal
    This blocker is characterized by the display of homosexuals.
    Its second “remarkable” feature is deactivation codes - this is not a meaningless character set, but codes from the game (for example, IDDQD), game characters (KERRIGAN IS SO SEXY), authors of favorite works (FRANK HERBERT), etc.

    Verdict:Trojan-Ransom.Win32.HmBlocker
    Date of Appearance:November 2010
    Outbreak Date:March 2011


    The most detailed ("blonde")
    This blocker can be called the most detailed in the field of instructions for its deactivation. Since this program does not use SMS as a form of payment, but uses the more exotic Vkontakte scheme, which is relatively familiar with a relatively small number of users, it provided infected users with very detailed step-by-step instructions on how to transfer money to scammers.

    Verdict:Trojan-Ransom.Win32.GiviBlocker
    Date of Appearance:November 2010
    Outbreak Date:did not cause an epidemic


    The most “Kaspersky"
    This blocker impersonates a certain, really non-existent Kaspersky Lab product, Kaspersky Lab Antivirus Online. At one time, it was very popular and literally caused a flurry of letters to the company with the text "Do you really get little money, why do you need this program too." In general, this blocker spoiled a lot of blood for both shift analysts and the PR department.

    Verdict:Trojan-Ransom.Win32.Chameleon
    Date of Appearance:N / a
    Outbreak Date:N / a


    Total:
    In the trend, as you can see, the development of social engineering techniques, but the technical idea does not stand still. In any case, we decided that it would be more reliable to prevent blocking than to treat an already infected computer. And if until now we could offer you only the free utility support.kaspersky.ru/viruses/deblocker , now we are finishing work on a new tool, which we will present in one of the following posts. Ivan Tatarinov, Senior Virus Analyst, Kaspersky Lab

    Read Next