Today we analyze a variant of "scareware" that poses as the FBI. It accuses the user of various criminal offences and demands a $150 "fine" to restore access. Unlike modern crypto-ransomware, this sample is a plain screen locker: nothing is encrypted, and the lock can be bypassed without paying.
Filename: VIDEOMP419389183-14.MP4.exe
MD5: C8C53340FBCE3B76AEB7E49EE6F88869
Sample: Download via Reverse.it
Video Walkthrough
Initial Analysis & Unpacking
The malware uses a double extension (.MP4.exe) so that, with Windows hiding known file extensions, the file appears to be a video. Static analysis shows the executable is packed with UPX (Ultimate Packer for eXecutables); the UPX0/UPX1 section names in the section table are the usual giveaway.
Because UPX is a compression packer rather than a protector, the stock UPX utility (upx -d) restores the original image directly. Inside the unpacked binary, strings point to an embedded secondary executable. This "stage 2" binary is the actual lock-screen component.
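The two triage steps above, recognising the UPX section names and locating the embedded stage-2 image, as an added example in Python (this is not code from the original write-up; the build_fake_pe helper only constructs a minimal PE-shaped buffer so the functions can be exercised offline, it is not the sample itself). The embedded-PE check validates that a candidate "MZ" really has an e_lfanew pointing at "PE\0\0", which separates a dropped executable from a chance byte pair:

```python
import struct

def build_fake_pe(section_names, payload=b""):
    """Construct a minimal PE-shaped buffer for testing (constructed data, not a
    real binary): DOS header, PE signature, COFF header, a zeroed PE32 optional
    header, a section table with the given names, then `payload` appended as an
    overlay so an embedded stage-2 executable can be simulated."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)        # 0x40 bytes
    opt_size = 0xE0                                                    # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)         # PE32 magic
    sections = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + opt + sections + payload

def parse_sections(data):
    """Return the section names of the PE starting at data[0], or None if the
    bytes do not form a valid PE header (used for the outer file and to
    validate candidate embedded headers)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)        # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)   # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    if table + 40 * nsec > len(data):
        return None
    return [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\x00").decode("latin-1")
            for i in range(nsec)]

def is_upx_packed(data):
    """UPX leaves its own section names (UPX0, UPX1, ...) in the section table."""
    return any(n.startswith("UPX") for n in parse_sections(data) or [])

def find_embedded_pe(data):
    """Offsets of every valid PE header after the outer one."""
    offsets = []
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if parse_sections(data[pos:]) is not None:
            offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets

def carve(data, offset, path=None):
    """Slice the embedded executable out to end of file (a dropper may trail
    extra data after it; trim by the inner headers if exactness matters)."""
    blob = data[offset:]
    if path:
        with open(path, "wb") as fh:
            fh.write(blob)
    return blob

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        sample = fh.read()
    print("sections:", parse_sections(sample))
    print("UPX packed:", is_upx_packed(sample))
    for off in find_embedded_pe(sample):
        print("embedded PE at 0x%x, %d bytes" % (off, len(carve(sample, off))))
```

Run it against the unpacked file (after upx -d) rather than the packed one: inside the compressed UPX1 section the stage-2 header is not visible as plain bytes, so the embedded-PE scan only succeeds once the outer layer is removed.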
Persistence & Execution
The malware survives a reboot by way of a Windows batch file, which:
- creates a directory at Desktop/ElmerLock/;
- copies the malware there as FBI.exe;
- places a copy in the user's Startup folder.
Upon execution, the program creates a full-screen window that "locks" the desktop. It interferes with the Windows key and with reaching Task Manager by repeatedly stealing foreground focus rather than by any privileged hook, which is why lockers of this kind can normally be ended by terminating the process from another session or from Safe Mode.
Bypassing the Lock
The "payment verification" is entirely local: the entered code is compared against hardcoded strings and nothing is ever sent to a server. Reverse-engineering the Button1_Click event handler in the binary reveals the unlock codes, apparently left in for testing or emergency access:
- Unlock Code 1: 19398372
- Unlock Code 2: 1830298
- Unlock Code 3: 8908978
Entering these codes will close the lock screen and provide the user with manual removal instructions, effectively admitting the "FBI" facade is fake.
Detection
Most modern AV engines flag this variant on sight. UPX itself is not the signal (it is trivially unpacked and used by plenty of legitimate software, so packing alone would be a false-positive generator); the well-known "ElmerLock" strings and the hardcoded codes are what give stable signatures. There is no network beaconing: the "Bitcoin" payment is arranged by manual email to [email protected].
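A string-based triage scan for the indicators named in this analysis, as an added example (not code from the original write-up). It searches both ASCII and UTF-16LE because a WinForms build (the Button1_Click handler name suggests a .NET binary, which is an assumption here) stores its string literals as UTF-16LE in the #US heap, so a plain ASCII strings pass misses the unlock codes. The SAMPLE buffer is constructed to stand in for the unpacked stage 2; the redacted contact address is deliberately not included:

```python
import re

# Indicators taken from the analysis above.
INDICATORS = ["ElmerLock", "FBI.exe", "19398372", "1830298", "8908978"]
ENCODINGS = ("ascii", "utf-16-le")

def find_indicators(data, indicators=INDICATORS):
    """Map each indicator present in `data` to a list of (offset, encoding).
    Both encodings are searched: .NET keeps user string literals as UTF-16LE,
    so a plain ASCII strings pass would miss the unlock codes."""
    hits = {}
    for ind in indicators:
        for enc in ENCODINGS:
            for m in re.finditer(re.escape(ind.encode(enc)), data):
                hits.setdefault(ind, []).append((m.start(), enc))
    return hits

def is_suspicious(hits, minimum=2):
    """Require at least two distinct indicators: a bare 7- or 8-digit number on
    its own is weak evidence, 'ElmerLock' together with an unlock code is not."""
    return len(hits) >= minimum

# Constructed stand-in for the string pool of the unpacked stage-2 binary
# (assumed to be a .NET WinForms build, hence the UTF-16LE literals).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "ElmerLock".encode("utf-16-le") + b"\x00\x00"
    + "19398372".encode("utf-16-le") + b"\x00\x00"
    + b"FBI.exe\x00"
)

def scan_file(path):
    with open(path, "rb") as fh:
        return find_indicators(fh.read())

if __name__ == "__main__":
    import sys
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_indicators(SAMPLE)
    for ind, where in hits.items():
        print(ind, ["0x%x (%s)" % w for w in where])
    print("suspicious:", is_suspicious(hits))
```

The same point applies to the command line: GNU strings needs -e l to emit 16-bit little-endian strings, otherwise the codes in a .NET binary never show up, even though they are sitting in the file in the clear.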
Conclusion
This "FBI Ransomware" is a classic example of social engineering paired with a simple screen locker. Because it does not encrypt user data (unlike modern crypto-ransomware), recovery is straightforward once the hardcoded unlock strings are identified. The naming conventions suggest a link to the ElmersGlue malware campaign.
Happy hunting.