At the Security Labs, we see no shortage of peculiar things day in and day out. Today, our winner for Most Peculiar of Tuesday is this IP address: 193.169.87.14. 


It is hardly anything new: the classic FBI ransomware that locks the browser and demands that the victim pay a "fine" through one of the locked windows, as shown below.

A big wave of this campaign targeting Safari on OS X was reported in mid-July. Chrome on OS X was not affected back then; it is now. The "lock" is not a browser exploit: the page is plain JavaScript that throws up a leave-page prompt every time you try to navigate away, so nothing on the machine is actually compromised. The easy way out is to force quit the locked browser, or to click "Leave this page" some 150 times, whichever suits your patience. One caveat: if the browser restores the previous session on relaunch, the locker page comes straight back, so relaunch without restoring tabs.

Security researchers (Dhia's write-up, @DhiaLite, and a blog post by @ydklijnsma) have reported several other IP addresses serving the same campaign:

91.220.131.108

91.220.131.106

91.220.131.56

Prefix            ASN    Owner
91.220.131.0/24   44050  PIN-AS Petersburg Internet Network LLC

 

With today's address they are taking the game to a new AS and IP prefix:

 193.169.87.14 

Prefix            ASN    Owner
193.169.86.0/23   48031  XSERVER-IP-NETWORK-AS PE Ivanov Vitaliy Sergeevich
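The practical lesson of the prefix table above is that the campaign is worth tracking at the level of the announced prefix and ASN, not the single IP: three of the known hosts sit in one /24, and the new host turned up in a different /23 under a different AS. The following is an added example (not code from the original post) that puts the two prefixes and ASNs quoted above into a small matcher, runs it over a few constructed proxy-log lines, and shows the analyst's pivot: an address that no known prefix covers is flagged for an ASN/prefix lookup instead of a one-off IP block. The log format, hostnames (all under .invalid or .example) and client addresses are constructed for the example.

```python
"""Match proxy-log destinations against the browser-locker hosting prefixes."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Hosting prefixes and ASNs quoted in the post. Matching on the announced
# prefix rather than the single observed IP also catches the neighbouring
# hosts (91.220.131.56/.106/.108 all sit in one /24) the operator rotates through.
CAMPAIGN_PREFIXES: Dict[ipaddress.IPv4Network, Tuple[int, str]] = {
    ipaddress.ip_network("91.220.131.0/24"): (44050, "PIN-AS Petersburg Internet Network LLC"),
    ipaddress.ip_network("193.169.86.0/23"): (48031, "XSERVER-IP-NETWORK-AS PE Ivanov Vitaliy Sergeevich"),
}

# Constructed sample proxy log (not real traffic). Fields: time, client, dst_ip, host.
SAMPLE_LOG = """\
2013-08-13T09:58:41Z 10.1.20.7  91.220.131.108 locker-a.invalid
2013-08-13T09:59:03Z 10.1.20.7  198.51.100.10  intranet.example
2013-08-13T10:01:02Z 10.1.33.15 193.169.87.14  locker-b.invalid
2013-08-13T10:01:09Z 10.1.33.15 193.169.86.200 locker-c.invalid
2013-08-13T10:02:30Z 10.1.20.9  91.220.130.5   neighbour.invalid
"""


def lookup(ip: str) -> Optional[Tuple[ipaddress.IPv4Network, int, str]]:
    """Return (prefix, asn, owner) if ip falls inside a known campaign prefix, else None."""
    addr = ipaddress.ip_address(ip)
    for net, (asn, owner) in CAMPAIGN_PREFIXES.items():
        if addr in net:
            return net, asn, owner
    return None


def scan_log(log: str) -> List[dict]:
    """Return one hit per log line whose destination is inside a campaign prefix."""
    hits: List[dict] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, dst, host = line.split()
        found = lookup(dst)
        if found is None:
            continue
        net, asn, owner = found
        hits.append({"time": ts, "client": client, "dst": dst, "host": host,
                     "prefix": str(net), "asn": asn, "owner": owner})
    return hits


def uncovered_ips(ips: Iterable[str], known_prefixes: Iterable[str]) -> List[str]:
    """IPs that none of the known prefixes cover.

    These are the ones that need an ASN/prefix lookup: if the lookup confirms
    the same operator, add the whole prefix to the watch list rather than the IP.
    """
    nets = [ipaddress.ip_network(p) for p in known_prefixes]
    return [ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in nets)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['dst']} ({hit['prefix']}, AS{hit['asn']})")
    # The pivot described in the post: with only the original /24 known,
    # 193.169.87.14 is the address that falls outside and needs a lookup.
    reported = ["91.220.131.108", "91.220.131.106", "91.220.131.56", "193.169.87.14"]
    print("needs lookup:", uncovered_ips(reported, ["91.220.131.0/24"]))
```

Note that 91.220.130.5 in the sample log is deliberately left unmatched: it is adjacent to, but outside, the announced /24, and a matcher that widened the prefix on its own would start blocking unrelated customers of the same provider. Widen only after the routing data confirms the new prefix, as was done for 193.169.86.0/23 above.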


For anyone who would like to study these campaigns further, we have posted 1000 domains from this campaign here. Please feel free to contact us if you need more information.
