A ransomware ring was taken down Wednesday in the United Arab Emirates and Spain by Europol and Spanish law enforcement, smashing an operation that netted more than €1 million annually.
The eleven individuals arrested included six Russians, two Ukrainians and two Georgians; the 27-year-old ringleader, a Russian, was arrested in the UAE. Police allege he built and distributed the ransomware to 22 countries. The 10 other individuals arrested are alleged to have been responsible for laundering the money earned in the schemes.
The arrests were made in six locations in the towns of Benalmádena and Torremolinos in the province of Malaga, Spain. Authorities seized computers, credit cards and Ukash, Paysafecard and MoneyPak vouchers used by victims to pay the “fines” associated with the ransomware. The accused had recently used the credit cards to withdraw €26,000 in cash that was to be delivered to Russia the day of the arrest, Spanish police said.
The malware, called Police Virus, would lock down a computer with a message purporting to be from local law enforcement. The message contains local police logos and accuses the victim of visiting an illicit website or file-trading service and demands a payment of €100 via one of the aforementioned offline methods to unlock the machine. In the background, the malware steals data and is not removed once a fine is paid. Authorities said this gang became active in May 2011 and there are more than 1,200 reported infections. In all, Spanish authorities estimate there could be victims in 22 countries.
“The financial cell of the network specialized in laundering the proceeds of their crimes, obtained in the form of electronic money,” Europol’s European Cybercrime Centre said in a statement, adding that the money was laundered using a number of tactics, including online gaming portals, electronic payment gateways or virtual coins. “They also used compromised credit cards to extract cash from the accounts of ransomware victims via ATMs in Spain. As a final step, daily international money transfers through currency exchanges and call centers ensured the funds arrived at their final destination in Russia.”
Police said the malware would monitor the user’s Web browsing and network geo-location to craft region-specific law enforcement messages used in the splash page shown upon infection. Victims would see a message that traffic on their computer was linked to child pornography, illegal downloads or terrorist activities. Payment was demanded via prepaid cards such as MoneyPak, whose registration codes are used to keep the transaction anonymous.
Ransomware is a profitable business for cybercriminals. In November, Symantec released a research report that concluded some high-end scams can earn as much as $33,000 daily. While relatively few victims are enticed to actually pay up—fewer than three percent—criminals are cashing in on millions annually.
Although most ransomware has been limited to Russia and Eastern Europe, more infections are being reported in the West; some U.S. scams have been discovered that use messages purporting to be from the FBI or other top American law enforcement agencies.
Users are generally infected via drive-by download attacks on websites—generally pornography sites—hosting a malicious ad or iFrame. Victims, regardless of whether they pay, must have machines cleaned of the malware before they are restored.
Symantec said that over one month between September and October 2012, one variant of the Ransomlock Trojan had 68,000 unique IP addresses connecting to its command and control server, 5,700 of them on one particularly busy day. Of those 5,700, 168 PINs were entered, resulting in $33,600 in revenue, a 2.9 percent conversion rate—at that pace, almost $400,000 in one month.
Reveton is another popular piece of ransomware, which uses a message purporting to be from the FBI to scam victims. Reveton is linked to the Citadel banking Trojan; the FBI issued a warning last August about an increase in the number of Reveton infections.