2013-02-09 - Evolution
Urausy: Colorful design refresh (+HR) & EC3 logo
One of the images in the Urausy design
First spotted by Tachion (VT Profile) from Safegroup.pl and soon after seen by Malekal (VT Profile), Urausy is now showing its new clothes. New (to me) targeted country: Croatia (HR).
Urausy colorful refresh in one image (missing here: BE, BO, EC, MT, MX, UY)
We can notice the logo of the newly created EC3 (European Cybercrime Center).
There is no default country anymore: if your country is not targeted, your computer won't be locked.
(Moreover, if it is already locked, it will be unlocked if the computer is started with an internet connection in a country that is not targeted.)
They are still using targeted antivirus logos: you'll get the Windows logo if you have no antivirus, otherwise you'll get the logo of your antivirus.
Antivirus or Windows logo placeholder
List of logos Urausy can use depending on the products installed on your computer (stored in %temp% of the infected computer)
Australia: Urausy AU 2013-02
Austria: Urausy AT 2013-02
Belgium: Urausy BE 2013-03
Canada: Urausy CA 2013-02
Croatia: Urausy HR 2013-02
Cyprus: Urausy CY 2013-02
Czech Republic: Urausy CZ 2013-02
Denmark: Urausy DK 2013-02
Finland: Urausy FI 2013-02
France: Urausy FR 2013-02
Germany: Urausy DE 2013-02
Greece: Urausy GR 2013-02
Hungary: Urausy HU 2013-02
Italy: Urausy IT 2013-02
Ireland: Urausy IE 2013-02
Latvia: Urausy LV 2013-02
Luxembourg: Urausy LU 2013-02
<edit2 2013-03-11>
Malta: Urausy MT 2013-03
</edit2>
Netherlands: Urausy NL 2013-02
Norway: Urausy NO 2013-02
Poland: Urausy PL 2013-02
Portugal: Urausy PT 2013-02
Romania: Urausy RO 2013-02
Slovakia: Urausy SK 2013-03
Slovenia: Urausy SI 2013-02
Spain: Urausy ES 2013-02
Sweden: Urausy SE 2013-02
Switzerland: Urausy CH 2013-02
Turkey: Urausy TR 2013-02
United Kingdom: Urausy UK 2013-02
United States: Urausy US 2013-02
Uruguay: Urausy UY 2013-03
</edit3>
I have the feeling that the team behind Urausy is also behind the exploit kit that Emerging Threats names Sibhost (or, if there are two teams, they are really tied).
Sibhost login screen
One Sibhost pushing Urausy, 2013-01-27
Sibhost pushing Urausy, 2013-02-09
Sibhost was pushing Reveton only. When Urausy emerged, it was on Sibhost only, showing a bought/stolen design of Reveton. Only Urausy has been seen on Sibhost since then (but Urausy is now also pushed by many other exploit kits and in some botnets).
This feeling was reinforced a few days ago when I discovered that Urausy C&C redirectors were also Sibhost redirectors.
<edit1 22/02/13>
Dmitry Bestuzhev (Kaspersky) pointed me to a tweet from Julio Rodriguez
First mention of an Ecuador ransomware design
allowing me to gather new designs in South America.
Ecuador: Urausy EC 2013-02 (first one to target this country, afaik)
Bolivia: Urausy BO 2013-02 (first one to target this country, afaik)
Mexico: Urausy MX 2013-02 (second one to target this country, after what we called Raxm)
Argentina: Urausy AR 2013-02 (second one to target this country, after what we called Raxm)
New Zealand: Urausy NZ 2013-02 (first one to target this country, afaik)
Read more:
Urausy page on botnets.fr (you'll find all known designs there)
Don't Pay Up - How To Beat Ransomware! - 2013-04-05 - MakeUseOf - Guy McDowell
Urausy has big plans for Europe - Targeting 3 new countries, among which Norway! - 2012-09-22
Urausy improving its localization - A (the?) Gaelic ransomware with Interpol impersonation as default landing - 2012-09-15
Post-publication reading:
The missing link - Some light on the "Urausy" affiliate - 2013-05-29
Files: samples + 4 Fiddler captures of Urausy drops (2x Sibhost, 1 NP, 1 WH) (Owncloud)