Ransomware distributors are raking in around $5 million a year and the spoils are being spread amongst just 16 crime groups, according to Symantec.
Symantec’s latest research report suggests police-themed ransomware could be a replacement for the once-lucrative fake antivirus “scareware” trade.
But ransomware still remains some way off scareware, which netted one scheme $100 million over several years. Symantec’s estimates suggest a significant but not yet thriving crime business, which delivers each operation, on average, $300,000 a year.
Ransomware typically demands fees of AU$100-200 from victims and is generally coupled with the threat of data destruction or, in its lesser form, blocked access to a computer.
The threat could easily pose as the Australian Federal Police or, as in one campaign targeted at UK consumers, the hacker network Anonymous. There are currently three main types of police ransomware targeting Australians, according to the botnets.fr malware wiki. The latest version, emerging at the beginning of November, is most likely the product of an affiliate program that lets distributors create their own version of ransomware, according to a maintainer of the botnets.fr wiki.
While police ransomware presents similar messages, Symantec’s research suggests an evolution in the market with crime gangs turning to a wider range of trojans to support the schemes.
In the last two months, five new trojans have been employed in such campaigns, marking a departure from early 2011 when variants were few.
The security vendor has pinpointed the variation in one stream of ransomware to a single unidentified individual who has been “programming ransomware on request” for several gangs. Ransomware’s evolution is similar to the scareware market’s trajectory, according to Symantec.
One upshot for potential victims that Symantec highlights is that ransomware is a noisy scam that screams infection, which could prompt victims to run a full clean-up of their systems and, in the process, remove the other malware that helped it get there in the first place.
“The presence of ransomware on a computer will usually prompt the computer owner to clean the machine thoroughly, removing any malware from it,” says Symantec.
This might have a knock-on effect of disrupting the distribution network.
“Malware distribution networks may refuse to distribute such obvious malware, forcing the ransomware gangs to develop their own distribution methods.”
But the facts don’t currently support that theoretical possibility. In Europe, where police ransomware first emerged as the alternative to its porn-accusing predecessor, victim rates remain higher than in other parts of the world. One unnamed European bank pegged Q2 2012 earnings at a minimum of AU$1.04 million and a maximum of $2 million, which was a more than two-fold increase on both extremes from Q1 2012.
Symantec estimated one ransomware gang was able to convert 2.9 per cent of ransom threats to actual paying victims, in line with the 3 per cent reported by London’s Metropolitan Police in August this year.
Extrapolating from an infection count of 68,000, Symantec estimated the gang could have netted $33,600 in one day.