2013-04-06 - Geo-Focus
Urausy Ransomware - Arab world targeted
Urausy is now targeting the Middle East, with cashU as its payment system.
It seems that Reveton could disappear, as almost its only distributor (Cool EK, /world/ path) has switched to Urausy since 2013-04-04 (after a few days of Reveton stealing the Urausy design).
<edit 2013-04-08> Reveton back on Cool EK /World/ </edit>
I've seen Urausy pushed in almost all known Exploit Kits: Sibhost (as I explained, the C&C architecture of Urausy is shared with this Exploit Kit), Cool EK, Sweet Orange, RedDot v2, Blackhole, Neutrino... It's everywhere.
Here are the Middle East designs I was able to gather...
United Arab Emirates
Urausy AE 2013-04 (second one after Ransom.EY)
Lebanon
Urausy LB 2013-04 First in that country
Palestinian Territory
Urausy PS 2013-04
Saudi Arabia
Urausy SA 2013-04 First in that country
Jordan
Urausy JO 2013-04 First in that country
Morocco
Urausy MA 2013-04 First in that country
<edit2 2013-04-19>
This tweet has been brought to my attention:
Qatar:
@MOI_Qatar warning about Urausy Ransomware striking in Qatar
</edit2>
I will update this post if other Middle East designs are found.
It would be nice if anyone could help with Kuwait, Bahrain and Qatar.
C&C Redirectors right now (2013-04-06):
otcdj.net - 5.133.179.179
pqfmp.com - 91.221.99.26
Files:
Urausy_from_CoolEK_2013-04-06.zip (OwnCloud via Goo.gl)
containing:
6bb3f80a10a26cb6b9f7e33fc006f9a0
caf63b1aa24e4fdf9ece76593f27d3ca
abfe5dd5511535380c57e7ccacaa9454
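As an added example (not part of the original post, and not a tool from the author), here is a small Python script that turns the indicators listed above (the two C&C redirector domains and IPs, and the three MD5s from the archive) into a defensive check: it scans proxy-log lines for contacts with the redirectors and compares file hashes against the known samples. The proxy log lines and the log format are constructed for the example; the indicators themselves are the ones given in the post.

```python
"""Match proxy-log lines and file hashes against the Urausy indicators
listed in the post (C&C redirectors as of 2013-04-06, sample MD5s)."""
import hashlib
import re

# Indicators copied from the post.
CNC_DOMAINS = {"otcdj.net", "pqfmp.com"}
CNC_IPS = {"5.133.179.179", "91.221.99.26"}
SAMPLE_MD5S = {
    "6bb3f80a10a26cb6b9f7e33fc006f9a0",
    "caf63b1aa24e4fdf9ece76593f27d3ca",
    "abfe5dd5511535380c57e7ccacaa9454",
}

# Constructed sample proxy log (assumed format, not from the post):
# timestamp client dest-host dest-ip method path status
SAMPLE_PROXY_LOG = """\
2013-04-06T10:12:01Z 10.0.0.17 www.example.org 93.184.216.34 GET /index.html 200
2013-04-06T10:12:09Z 10.0.0.17 otcdj.net 5.133.179.179 GET /in.php 200
2013-04-06T10:13:44Z 10.0.0.23 cdn.example.net 198.51.100.7 GET /lib.js 200
2013-04-06T10:15:02Z 10.0.0.23 static.example.net 91.221.99.26 POST /gate.php 200
2013-04-06T10:16:30Z 10.0.0.41 cdn.otcdj.net 203.0.113.9 GET /x.php 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<method>\S+)\s+(?P<path>\S+)"
)


def domain_matches(host, blocklist):
    """True if host equals a blocked domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


def scan_proxy_log(text):
    """Return one hit dict per log line that touches a known redirector.

    Matching on the IP as well as the domain catches the case where the
    redirector is reached through a different host name (line 4 above).
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        matched_on = []
        if domain_matches(m.group("host"), CNC_DOMAINS):
            matched_on.append("domain")
        if m.group("ip") in CNC_IPS:
            matched_on.append("ip")
        if matched_on:
            hits.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "host": m.group("host"),
                "ip": m.group("ip"),
                "path": m.group("path"),
                "matched_on": matched_on,
            })
    return hits


def check_file_hashes(md5_list):
    """Return the (lower-cased) hashes from md5_list that are known samples."""
    normalised = (h.strip().lower() for h in md5_list)
    return sorted(h for h in normalised if h in SAMPLE_MD5S)


def md5_hex(data):
    """MD5 of a byte string, hex encoded, for comparing a file on disk."""
    return hashlib.md5(data).hexdigest()


def is_known_sample(data):
    """True if the bytes hash to one of the sample MD5s from the post."""
    return md5_hex(data) in SAMPLE_MD5S


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} ({hit['ip']}) "
              f"matched on {', '.join(hit['matched_on'])}")
    print(check_file_hashes(["6BB3F80A10A26CB6B9F7E33FC006F9A0", "0" * 32]))
```

The redirector list is dated; the post notes the C&C redirectors as they stood on 2013-04-06, so the domains and IPs should be refreshed from current sources rather than used as a long-lived blocklist, while the sample hashes remain valid for the files in the archive.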
Read More:
Urausy page on Botnets.fr
Don’t Pay Up – How To Beat Ransomware! - 2013-04-05 - MakeUsOf - Guy McDowell
Urausy: Colorfull design refresh (+HR) & EC3 Logo 2013-02-09 (+ edits)
Urausy has big plan for Europe - Targeting 3 new countries among which Norway 2012-09-22
Urausy improving its localization - A (the?) Gaelic Ransomware with Interpol impersonation as default landing 2012-09-13
Post-publication Reading:
The missing link - Some lights on "Urausy" affiliate 2013-05-29