Symantec released new research this morning highlighting what it calls a rapid expansion of ransomware scams throughout Western Europe, the United States and Canada. The research conservatively estimates that cybercriminals are extorting over $5 million a year from victims.
Takeaways from the report, available here, include the following:
--Up to 2.9 percent of victims end up paying ransoms.
--That number is significant given fees range up to $460 and a single gang was observed attempting to infect 495,000 computers over just an 18-day period.
--It also highlights the professionalization of ransomware as it becomes a popular ploy among numerous cybercrime gangs. Of particular note is the use of social engineering to convince users that they are being required to pay a fine by local law enforcement for browsing illicit materials.
From the report:
Recent variants use law enforcement imagery to add legitimacy to the warning messages. The malware uses geo-location services to determine the location of the computer it is running on and then, after locking the computer, displays a message appropriate to that country. The message usually claims that the user has broken the law by browsing some illegal material. Figure 1 is an example of a ransomware variant that displays a message claiming to be from the FBI.
Ransomware has been in existence since 2009 and initially targeted users in Russia and Eastern Europe. It has since become a global problem, spreading first throughout Europe and, in more recent months, targeting users in North America. At least 16 different versions of ransomware have been identified over the past year and a half. Each version is not an ‘upgrade’ from a previous version, but rather a unique variant, associated with a separate gang. These gangs have independently developed, or bought, their own different version of ransomware. The gangs are not new to cybercrime; they have been associated with other threats and scams in the past such as banking Trojans and rogue antivirus programs. Ransomware has now become a more lucrative enterprise for them.
The operations are highly profitable, with as many as 2.9 percent of compromised users paying out. An investigation into one of the smaller players in this scam identified 68,000 compromised computers in just one month, which could have resulted in a fraudster obtaining up to $400,000. A larger gang, using malware called Reveton (Trojan.Ransomlock.G), was detected attempting to infect 500,000 computers over a period of 18 days. Given the number of different gangs operating ransomware scams, a conservative estimate is that over five million dollars a year is being extorted from victims. The real number is, however, likely to be much higher.
CSO has also observed a steady uptick in ransomware, especially in the past year.
In March, we reported that a ransomware application was making the rounds, locking computers and asking their owners to pay fines for allegedly violating several laws through their online activity. A month before that, we reported that a new ransomware variant was preventing infected computers from loading Windows by replacing their master boot record (MBR) and displaying a message asking users for money. The research cited in both stories came from Trend Micro.
Though Symantec's report says ransomware has existed since 2009, a look through our own archives shows that the threat goes back further than that. One story in 2007, "The return of ransomware," noted at the time that the technique gained a moment of notoriety in 2006 when one such attack managed to make the news.