2013-04-06 - Geo-Focus

Urausy Ransomware - Arab world targeted

Urausy is now targeting Middle East with cashU as payment system.
It seems that Reveton could disappear as the almost only distributor ( /world/ Cool EK) has switched to Urausy since 2013-04-04 (after few days of a Reveton stealing Urausy Design)
<edit 2013-04-08> Reveton back on Cool EK /World/ </edit>
I've seen Urausy pushed in almost all known Exploit Kits : Sibhost (as i explained, the C&C architecture of Urausy is shared with this Exploit Kit), Cool EK, Sweet Orange, RedDot v2, Blackhole, Neutrino....). It's everywhere.

Here are the Middle East design I was able to gather...

United Arab Emirates
Urausy AE 2013-04
(second one after Ransom.EY)
Urausy LB 2013-04
First in that country

Palestinian Territory
Urausy PS 2013-04

 Saudi Arabia
Urausy SA 2013-04
First in that country
<edit1 2013-04-16>
Urausy JO 2013-04
First in that country

Urausy MA 2013-04
First in this country
<edit2 2013-04-19>
This tweet has been brought to my attention :
Qatar :
@MOI_Qatar warning about Urausy Ransomware striking in Qatar


I will update this post if other Middle-East design are found.
Would be nice if anyone can help with Kuwait, Bahrain and Qatar

C&C Redirectors right now (2013-04-06) :
otcdj.net -
pqfmp.com -

Files :
Urausy_from_CoolEK_2013-04-06.zip (OwnCloud via Goo.gl)

Read More :
Urausy page on Botnets.fr
Don’t Pay Up – How To Beat Ransomware! - 2013-04-05 - MakeUsOf - Guy McDowell
Urausy: Colorfull design refresh (+HR) & EC3 Logo 2013-02-09 (+ edits)
Urausy has big plan for Europe - Targeting 3 new countries among which Norway 2012-09-22
Urausy improving its localization - A (the?) Gaelic Ransomware with Interpol impersonation as default landing 2012-09-13

Post publication Reading :
The missing link - Some lights on "Urausy" affiliate 2013-05-29