
Linkup, the ransomware that blocks Internet access and mines Bitcoin

Emsisoft has detected a new malware variant dubbed Linkup (Trojan-Ransom.Win32.Linkup): ransomware that blocks Internet access and mines Bitcoin.

Emsisoft has detected a new malware variant dubbed Linkup (Trojan-Ransom.Win32.Linkup), ransomware with unusual behavior. Ransomware usually locks the victim's computer or encrypts files and demands a ransom to unlock them; Linkup instead blocks Internet access by modifying the DNS settings, and it also includes the ability to mine Bitcoin.

Once Linkup has infected the system, it copies itself and disables the Windows Security and Firewall services to ease the infection. The malware then changes the DNS settings: name resolution is redirected to a server under its control, which lets only the malicious code reach the Internet and blocks every other connection.

“Once the Linkup Trojan has been executed, it makes a copy of itself in the %AppData%\Microsoft\Windows directory named svchost.exe, a fake name meant to mimic a normal file on your computer, which is located in %windir%\system32. To mark its presence in the system, Linkup creates a mutex named tnd990r or tnd990s. We have also found that Linkup will actually disable selected Windows Security and Firewall services to facilitate infection,” states the official post. “To redirect every single DNS request, Linkup also makes several changes in the Windows registry, including modifying the following:”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%interfaceGUID%
  • "NameServer" = "127.0.0.1"
  • "DhcpNameServer" = "127.0.0.1"
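As an added example that is not part of the original article or of Emsisoft's analysis, the following PowerShell triage script checks a Windows host for the indicators listed above (a loopback resolver in NameServer or DhcpNameServer on any interface, the dropped svchost.exe under %AppData%\Microsoft\Windows, an svchost.exe process running from outside the system directories, the tnd990r/tnd990s mutexes and stopped security services) and, with -Remediate, restores DHCP-supplied DNS servers. The mutex namespace (plain or Global\) and the exact service names (MpsSvc, wscsvc, WinDefend) are assumptions, since the post does not name them.

```powershell
# Added triage script (written for this edit; not the article's or Emsisoft's code).
# Checks a Windows host for the Linkup indicators described above and, with -Remediate,
# restores DHCP-supplied DNS servers. Assumptions are marked "assumed".
param([switch]$Remediate)

$findings = @()
function Add-Finding($Indicator, $Where, $Value) {
    $script:findings += [pscustomobject]@{ Indicator = $Indicator; Where = $Where; Value = $Value }
}

# 1. DNS hijack: NameServer / DhcpNameServer pointing at loopback on any interface.
#    A 127.0.0.1 resolver only works if a DNS listener runs on the host, i.e. the malware's own.
$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
foreach ($key in Get-ChildItem -Path $ifaceRoot) {
    $props = Get-ItemProperty -Path $key.PSPath
    foreach ($valueName in 'NameServer', 'DhcpNameServer') {
        $servers = [string]$props.$valueName
        # both values may hold a space- or comma-separated list of resolvers
        if ($servers -and (($servers -split '[ ,]+') -contains '127.0.0.1')) {
            Add-Finding 'DNS' "$($key.PSChildName) $valueName" $servers
        }
    }
}

# 2. Dropped copy named svchost.exe under %AppData%\Microsoft\Windows (the real one lives in %windir%\system32).
$dropPath = Join-Path $env:APPDATA 'Microsoft\Windows\svchost.exe'
if (Test-Path -Path $dropPath) {
    Add-Finding 'File' $dropPath (Get-FileHash -Path $dropPath -Algorithm SHA256).Hash
}

# 3. Any running svchost.exe whose image is not under the Windows system directories.
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $img = $_.Path   # $null for protected processes we cannot open; those are genuine system ones
    if ($img -and $img -notlike "$env:windir\System32\*" -and $img -notlike "$env:windir\SysWOW64\*") {
        Add-Finding 'Process' "PID $($_.Id)" $img
    }
}

# 4. Mutexes named in the Emsisoft post. The post does not say whether they are created in the
#    Global\ or the session namespace, so both are tried (assumed).
foreach ($name in 'tnd990r', 'tnd990s') {
    foreach ($candidate in $name, "Global\$name") {
        $mtx = $null
        if ([System.Threading.Mutex]::TryOpenExisting($candidate, [ref]$mtx)) {
            $mtx.Dispose()
            Add-Finding 'Mutex' $candidate 'present'
        }
    }
}

# 5. Security services the post says Linkup disables. The exact names are not given;
#    firewall (MpsSvc), Security Center (wscsvc) and Defender (WinDefend) are assumed.
foreach ($svc in 'MpsSvc', 'wscsvc', 'WinDefend') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Running') { Add-Finding 'Service' $svc $s.Status }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Linkup indicators found.'
} else {
    $findings | Format-Table -AutoSize
}

# Remediation: stop the dropped binary first (otherwise it may rewrite the values), then clear the
# loopback resolvers and fall back to DHCP-supplied DNS (assumed to be what the host used before).
if ($Remediate) {
    Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -eq $dropPath } |
        Stop-Process -Force
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses -contains '127.0.0.1' } |
        ForEach-Object { Set-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -ResetServerAddresses }
    Clear-DnsClientCache
    ipconfig /renew | Out-Null
}
```

Run it as `.\linkup-triage.ps1` to report only, or `.\linkup-triage.ps1 -Remediate` from an elevated prompt to reset DNS; hosts with statically assigned resolvers need those re-entered by hand after the reset, and the dropped file should be preserved for analysis before it is deleted.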

As usual, the ransomware relies on social engineering to deceive victims and persuade them to pay. Linkup displays a bogus notification, supposedly from the Council of Europe, accusing the victim of viewing child pornography and demanding a payment of 0.01 Euro to unlock Internet access. Another concerning detail is that Linkup accepts payment by credit card, and the payment form also asks for the user's personal information. At the time of writing, it is not confirmed that the malware restores the Internet connection after the requested amount is paid.


Linkup ransomware locker-page

The malware blocks Internet access but still allows the download of one component, which makes the machine join a Bitcoin-mining botnet.

This combination of ransomware and Bitcoin mining is a new and fascinating development. At this point, however, its functionality is still quite limited, since the downloaded jhProtominer works only on 64-bit operating systems. It will be interesting to see whether Linkup is modified to download more flexible variants.

Of course, if you have been infected, don’t pay the ransom!

Pierluigi Paganini

(Security Affairs –  Linkup ransomware, malware)