A new piece of malware is using the Anonymous name to extort money from its victims. This is surprising not only because ransomware typically uses claims of breaking the law and names law enforcement (such as the CIA or FBI) to scare victims, but also because this malware is unlikely to be supported by the hacktivist group.

For the uninitiated, ransomware is malware which restricts access to the computer it infects, spamming the user with prompts that demand a ransom paid for the restriction to be removed. Access is limited either by encryption, as in this case, or locking the system.

The Swiss security blog Abuse.ch first spotted the threat in question, and posted about it early this morning on Twitter:

As you can see in the screenshot, the ransomware tells the victim the following:

We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.

Tango down!

Your computer has been hacked by the Anonymous Hackers Group and locked for the moment. All files have been encrypted. You need to pay a ransom of £100 within 24 hours to restore the computer back to normal. If the ransom is not paid on time all the contents of your computer will be deleted and all your personal information such as your name, address, D.O.B., etc. will be published online, after this has been done the process, ram and motherboard will be fried. Any attempts to remove this virus will result in the consequences mentioned.

While the message accurately uses the Anonymous slogan, it goes downhill from there. “Tango down” is only used by Anonymous members when they take down a website, usually via a Distributed Denial of Service (DDoS) attack, not when they put malware on a computer. Furthermore, the group calls itself just “Anonymous” not “Anonymous Hackers Group.”

The use of British pounds suggests the creator of this malware is from the UK, although it’s possible this malware adjusts its message based on the operating system’s language settings. The rest of the message is your typical ransomware scam: pay up, or else. Users are told to send the money via Ukash to unlock their computers in “1 to 3 hours.”

The sample is supposed to be just 48,128 bytes in size, and its MD5 hash is dece32561247309ddb9ad5c0d1024e56. A VirusTotal report shows that 23 out of 44 security solutions can detect it as malware.

Anonymous advocates for freedom of information and for freedom of speech, so it’s doubtful the group has created this threat. That being said, it is an effective way of scaring ignorant users who may not know much about the collective, except that they are “hackers” – which is often portrayed in the media as “bad people” or just “criminals.”

While it is very unlikely that Anonymous is behind this threat, this demonstrates the problem with the group: anyone can claim they are a member. This has happened before, and Anonymous members usually take revenge, so if I were the malware author in this case, I would watch my back.

Image credit: Sam Savine