Ransomware in Irish part of global cyber-extortion attack

In recent weeks, reports have been coming in of ransomware appearing on some infected Irish computers. It uses (poorly translated) Irish language in a message that claims the user’s computer has been locked – either by the Garda or by some government agency – for some alleged illegal activity, such as downloading illegal content or distributing malware, and can only be unlocked if a €100 fine is paid within 72 hours via some convenient online payment service.

The ransomware “as Gaeilge” in this case is just one of several localisations by the cybercriminals, as the same content also targeted computer users in the UK, Holland, Poland, Spain, France, Belgium, etc., with the language adapted to the victims’ locations. (In one case the scammers even made a mistake and mixed up the Irish .IE and Iranian .IR domains, which resulted in Irish computers displaying Iranian text.)

This is of course all fake, as no official institution would use such methods to fine offenders, but several of these messages are accompanied by the Garda logo or an Irish flag to make them appear legitimate. The malware will usually not “unlock” an infected computer even if the victim sends money to the required address, and the computer will remain infected until it is properly cleaned by an expert.

Irish computer users who become infected by this or similar extortion-scam malware are therefore advised to:

  • NOT transfer ANY funds to the scammers
  • NOT attempt to remove the infection with “removal tools” a web search may offer, as many of those are themselves malicious or infected
  • have a professional clean their computer with legitimate virus-removal software

ESET users are protected from infection with this particular malware, as ESET recognises it as a variant of Win32/Kryptik.ALXA and prevents its installation.

3 thoughts on “Ransomware in Irish part of global cyber-extortion attack”

  1. The English version of this happened to my brother while he was in London about a year ago. He must have been visiting some dodgy sites for him to get it, as I’ve never come across anything like that, even when I was in the hacking scene. Then again, he uses Bearshare and Limewire to get most of his music, which is effectively a walking Trojan Horse of malware. I’d be curious about the origin of this, but it’s most likely to be Russian or Chinese, as these kinds of advanced scams usually originate in those countries. They’re some of the best hackers (with the Dutch and English, of course).
