Ransomware Uses McAfee SECURE, Police Logos to Scam Users

McAfee Labs researchers have seen an increase in instances of the McAfee SECURE logo being forged as part of a “ransomware” campaign. Once a machine is infected, the malware checks which country the user is located in. It then displays a localized graphic containing a police logo and a message announcing that the machine has been locked and can be unlocked only after payment has been made via Ukash or a similar online payment mechanism. (For more on how ransomware operates, read this blog from my colleague François Paget.)

An infected machine located in Ireland might display an image similar to this:

However, an infected machine in Germany might look like this:

Both look official, yet both are unfortunately very much a scam. Users should never pay to have their machines “unlocked.” We often see this type of ransomware attempt to download further malicious software to the machine, so even if the machine has been unlocked, more malware may be waiting in the wings.

We have seen ransomware in various forms for many years, but new variants are regularly released by malware authors to try to avoid detection. As ever, users should keep their antivirus definitions updated, run a personal firewall and URL reputation software, and employ best security practices at all times.

We have seen the McAfee SECURE logo misused not just as part of this campaign, but also on malicious websites attempting to fool users into trusting the site. However, there are some simple steps you can follow to be sure that you are seeing the genuine article. You can read about those here. Furthermore, if you are using McAfee SiteAdvisor, true McAfee SECURE customers will be marked in your search results. Here’s an example.