16 crime gangs control world ransomware assault: Symantec

Liam Tung (CSO Online), 09 November 2012 13:55

Ransomware distributors are raking in around $5 million a year, and the spoils are being shared among just 16 crime groups, according to Symantec.

Symantec’s latest research report suggests police-themed ransomware could be a replacement for the once-lucrative fake antivirus “scareware” trade.

But ransomware still has some way to go to match scareware, which netted one scheme $100 million over several years. Symantec’s estimates point to a significant but not yet thriving criminal business, one that delivers each operation, on average, $300,000 a year.

Ransomware typically demands AU$100-200 from victims. The demand is generally coupled with a threat of data destruction or, in its lesser form, of blocked access to the computer.

The threat could easily pose as the Australian Federal Police or, as in one campaign targeted at UK consumers, the hacker collective Anonymous. There are currently three main families of police ransomware targeting Australians, according to the botnets.fr malware wiki. The latest version, which emerged at the beginning of November, is most likely the product of an affiliate program that lets distributors create their own version of the ransomware, according to a maintainer of the botnets.fr wiki.

While police ransomware presents similar messages across campaigns, Symantec’s research suggests the market is evolving, with crime gangs turning to a wider range of trojans to support the schemes.

In the last two months, five new trojans have been employed in such campaigns, a departure from early 2011, when the number of variants was small.

The security vendor has traced the variation in one strain of ransomware to a single unidentified individual who has been “programming ransomware on request” for several gangs. Ransomware’s evolution resembles the trajectory of the scareware market, according to Symantec.

One upshot for potential victims that Symantec highlights is that ransomware is a noisy scam: it screams infection, which could prompt victims to run a full clean-up of their systems and, in the process, remove the other malware that delivered it in the first place.

“The presence of ransomware on a computer will usually prompt the computer owner to clean the machine thoroughly, removing any malware from it,” says Symantec.

This could have the knock-on effect of disrupting the distribution networks that deliver the ransomware.

“Malware distribution networks may refuse to distribute such obvious malware, forcing the ransomware gangs to develop their own distribution methods.”

But for now the facts don’t support that theoretical possibility. In Europe, where police ransomware first emerged as the alternative to its porn-accusing predecessor, victim rates remain higher than in other parts of the world. Figures from one unnamed European bank put Q2 2012 ransomware earnings at a minimum of AU$1.04 million and a maximum of $2 million, more than double both figures for Q1 2012.

Symantec estimated one ransomware gang was able to convert 2.9 per cent of ransom threats into paying victims, in line with the 3 per cent reported by London’s Metropolitan Police in August this year.

Extrapolating from an infection count of 68,000, Symantec estimated the gang could have netted $33,600 in a single day.


Tags: symantec, ransomware
