2013-02-08 - Geo-Focus

Cbeplay.P targets US and AT, now talks to UK Citizens

The second group (after the Reveton distributors) to have subscribed to Cool EK is pushing a ransomware that I refer to (using the name attached to it by Microsoft) as CBeplay.P.
There have been some moves lately, but I can't tell how fresh this is, as they are not that easy to monitor.

They are now targeting the US:

CBeplay.P US (2013-02)

AT:

CBeplay.P AT (2013-02)

And they are now talking to UK citizens, repeating every 35 seconds: "Attention illegal Activity has been detected on your computer"

It appeared in the middle of August 2012. The binary is localized, and the user interface is embedded in the binary.
One sample per country.

How do they target? This is done by a TDS (if you want to know more about TDS, look here) in front of the Exploit Kit, which redirects you to the appropriate landing depending on where you are coming from.
(I wonder how they manage distribution of the correct payload for CVE-2011-0432 and CVE-2012-1889 on Cool EK... I feel like it's kind of random.)

Readings:
Joe Sandbox analysis of ES payload from 2013-01-10
Botnets.fr CBeplay.P page (with all known landings)
Reveton can speak now ! 2012-11-23
Don’t Pay Up – How To Beat Ransomware! - 2013-04-05 - MakeUseOf - Guy McDowell

Files:
The video:
http://goo.gl/AjpSL (Mega) (you can use it, just mention where it comes from)
http://goo.gl/52Zdu (Owncloud)

Samples & Fiddler (Cbeplay.P Cool EK and the new xored payload):
http://goo.gl/cbqtN (Owncloud)

I do not know if there are user interfaces for all countries.

ES : 5e92fc879142ca7ebdada8ad9bc8c6e55b0ae7b69cbdc392edddd15fdc9d8ee8
NL : 30fd781b2a9b87410917785f1915b030 - 4e2bb5943c28604180a089e54b5e7d03
UK : 038bd0b7553184b10cb9a603effe7cde
AT : 5ff2887727b00584cdab99fafb4dc969
US : a22542163ef2f88bc11c483009d592da

No user interface, or just me not able to get it:
1dbd8612b6042c468336eefaed9c21fc (FR)