2012-09-15 - Evolution

Urausy improving its localization - A (the?) Gaelic Ransomware with Interpol impersonation as default landing

Urausy first appeared at the end of July. It was just another Reveton "me too", with a yellow square filled with a # instead of the "Camera", and targeting a few countries: DE, ES, FR, UK, US (PT? see at the end).

Based on what I was able to see of the distribution, I had the feeling at that time that it was a Reveton distributor trying to run his own business.

Highlighted design of Urausy for US as of July/August, showing how you could visually distinguish it from Reveton

A few weeks ago Malekal spotted that the French design had the yellow square filled with cuffed hands coming out of a laptop screen.
At the same time, new countries were being targeted: AT and CA.

Piece of the French Urausy design with the yellow square filled with the image of the cuffed hands

Yesterday Tachion from Safegroup.pl pointed me to a new design for Poland.

Screenshot I made for Botnets.fr of the new Polish design for Urausy spotted by Tachion

So I decided to make a small trip across Europe... and now know that Urausy is targeting (at least)
BE, CH, FI, IE (the ? 'Gaelic Ransomware'), LU, SE and all other countries (RU, UA included) with an Interpol design (for PT see at the end).

Urausy default Design (09-2012) impersonating Interpol


Here are those designs (you will find all known designs on the Urausy page of botnets.fr):

Urausy LU (09-2012)
Urausy FI (09-2012)
Urausy CH (09-2012)
Urausy BE (09-2012)
Urausy SE (09-2012)
And... Tada!! (Yes, an overreaction, but as a "Ransom Art" lover I spent a full evening hunting it when it was announced... without success. Note that Urausy has been tested and was showing the FBI design, hence the "?" when I wrote the (?) Gaelic Ransomware.)
Urausy IE (09-2012) The (?) Gaelic Ransomware
One MD5: 58c5971869a315f12f319232d1f84f87

Note 1: I have trouble getting an IP in Portugal. If anyone thinks they can help me catch the new PT design for Urausy and Reveton, drop a comment or contact me on Twitter. It would be really appreciated.

Note 2: If you catch or hear about a ransom design that you can't find on Botnets.fr, contact us via IRC or Twitter. We are always happy to improve our collection.

<edit1 28/09/12>Tobfy now showing the same clothes as Urausy (see botnets.fr/index.php/Tobfy )</edit1>

Post-publication reading:
The missing link - Some lights on "Urausy" affiliate 2013-05-29