Ransomware pays. A lot. These extortion scams, in which infected computers are essentially locked down by malware and electronic payment is demanded for a supposed cure, can net the criminal behind the scam as much as $33,000 per day.
Symantec studied 16 variants of independently developed ransomware over the last two years and found the potential for stunning profits and a surprising willingness on the victim’s behalf to pay up. While these schemes had been limited initially to Russia and the rest of Eastern Europe, more of it has been discovered in the United States and Canada.
“Given the number of different gangs operating ransomware scams, a conservative estimate is that over $5 million dollars a year is being extorted from victims,” wrote Symantec researchers Gavin O’Gorman and Geoff McDonald in a report “Ransomware: A Growing Menace.” “The real number is, however, likely much higher. From just a few small groups experimenting with this fraud, several organized gangs are now taking this scheme to a professional level and the number of compromised computers has increased.”
The most common ransomware involves malware that disables a computer and puts up a banner claiming to be from local law enforcement. The malware determines the geo-location where it has been downloaded and customizes the law enforcement message accordingly. For example, infected computers in the U.S. will display a message purporting to be from the FBI. The scam claims the user has viewed or downloaded copyrighted or illicit material and must pay a fine in order to have their computer restored, or face arrest.
Victims were required to pay their “fines” via a prepaid electronic payment system that required them to purchase a special PIN from vendors such as Moneypak, Paysafecard or Ukash; that valid PIN is the fraudster’s ultimate target.
Users are infected most commonly via drive-by downloads where popular websites are infected with a malicious advertisement or iFrame connecting to the criminal gang. Most of these scams target pornographic websites, Symantec said, and the ransomware locks the victim’s computer and puts up a message about viewing prohibited images. Payment of $200 is required within 72 hours, the scam demands. The criminal is counting on the victim to pay up to avoid the embarrassment of being caught viewing pornography, Symantec said.
“This payment PIN will then be sent by the ransomware to a C&C server where the attackers can retrieve it,” the Symantec report said. “At this point, the attackers should honor their promise and send a command to the ransomware telling it to uninstall itself. Unfortunately, this rarely happens. In actuality, many of the ransomware variants do not even contain the code to uninstall themselves.”
The victim must have his computer cleaned of the infection. The criminal, meanwhile, launders the stolen PIN, either trading it in an online forum, or using it to gamble online or buy exploit packs, Symantec said.
The profit potential is noteworthy. Symantec watched one particular variant of the Ransomlock Trojan from September through October and saw 68,000 unique IP addresses connecting to the command and control server; 5,700 in one particularly busy day. Of the 5,700, 168 PINs were entered resulting in $33,600 in revenue, a 2.9 percent turnover—that’s almost $400,000 in one month.
“This recent increase in variants may be related to established online criminals branching out into ransomware from other scams,” Symantec said.
In August, the FBI warned of a similar scam involving the Reveton malware, which was related to the Citadel banking Trojan. Reveton included a fake FBI warning that the victim’s IP had been linked to child pornography. The FBI said some people paid up and still required help removing the malware, which in some cases also included a keylogger.