16 crime gangs control world ransomware assault: Symantec

Ransomware distributors are raking in around $5 million a year, and the spoils are being spread among just 16 crime groups, according to Symantec.

Symantec’s latest research report suggests police-themed ransomware could be a replacement to the once-lucrative fake antivirus “scareware” trade.

But ransomware remains some way off scareware, which netted one scheme $100 million over several years. Symantec’s estimates suggest a significant but not yet thriving crime business, which delivers each operation, on average, $300,000 a year.

Ransomware typically demands fees of AU$100-200 from victims and is generally coupled with the threat of data destruction or, in its lesser form, blocked access to a computer.

The threat could easily pose as the Australian Federal Police or, as in one campaign targeted at UK consumers, the hacker network Anonymous. There are currently three main police ransomware strains targeting Australians, according to the botnets.fr malware wiki. The latest version, emerging at the beginning of November, is most likely the product of an affiliate program that lets distributors create their own version of ransomware, according to a maintainer of the botnets.fr wiki.

While police ransomware presents similar messages, Symantec’s research suggests an evolution in the market with crime gangs turning to a wider range of trojans to support the schemes.

In the last two months, five new trojans have been employed in such campaigns, marking a departure from early 2011 when variants were few.

The security vendor has pin-pointed the variation in one stream of ransomware to a single unidentified individual who has been “programming ransomware on request” for several gangs. Ransomware’s evolution is similar to the scareware market’s trajectory, according to Symantec.

One upshot for potential victims that Symantec highlights is that ransomware is a noisy scam which screams infection. That could prompt victims to run a full clean-up on their systems and, in the process, remove other malware that helped it get there in the first place.

“The presence of ransomware on a computer will usually prompt the computer owner to clean the machine thoroughly, removing any malware from it,” says Symantec.

This might have a knock-on effect of disrupting the distribution network.

“Malware distribution networks may refuse to distribute such obvious malware, forcing the ransomware gangs to develop their own distribution methods.”

But the facts currently don’t support that theoretical possibility. In Europe, where police ransomware first emerged as the alternative to its porn-accusing predecessor, victim rates remain higher than in other parts of the world. One unnamed European bank pegged Q2 2012 earnings at a minimum of AU$1.04 million and a maximum of $2 million, which was more than two-fold growth on both extremes in Q1 2012.

Symantec estimated one ransomware gang was able to convert 2.9 per cent of ransom threats to actual paying victims, in line with the 3 per cent reported by London’s Metropolitan Police in August this year.

Extrapolating from an infection count of 68,000, Symantec estimated the gang could have netted $33,600 in one day.


Stories by Liam Tung
