Ransomware crooks make millions from porn-shaming scams

'It really puts the screws to you,' says Symantec director of spike in PC extortion racket

Ransomware is a growth industry that puts at least $5 million annually into criminals' coffers, Symantec said Thursday.

"If you look at the nature of the beast, it really puts the screws to you," said Kevin Haley, director of Symantec's security response team, in an interview yesterday. "We see so many gangs moving to ransomware, looking for new angles, new versions [of the malware], that we're going to see a lot of this in the future."

"Ransomware" is a long-standing label for malware that, once on a personal computer, cripples the machine or encrypts its files, then displays a message -- the ransom note -- that demands payment to restore control to the owner.

"It's an extortion racket," Symantec said in a white paper on the topic published Thursday.

The criminal strategy has been in play for at least a half-dozen years, but until relatively recently it was rare, ineffective and focused on Eastern European victims.

That's changed, said Haley, who ticked off a whole host of improvements to the scam, ranging from a more reliable payment mechanism and stronger encryption to completely locking up the PC and thwarting repairs by shaming the victim with on-screen pornography.

They've also expanded their hunting territory. "It began in 2011, when they started to move out of Eastern Europe, to Germany and the U.K., then began to move westward to the U.S.," said Haley. From the first to the third quarters of 2012, for example, Symantec tracked a significant uptick in ransomware infections in the U.S.

Today's ransomware displays a message claiming that because the user browsed to illegal pornographic websites, the computer had been locked and a fine must be paid to regain control. The "fines" range between 50 and 100 in Europe, and are usually around $200 in the U.S.

The porn angle is ingenious, said Haley.

"The screen and keyboard are locked up," Haley said of the malware's impact. "All you can use is the number keypad to enter a PIN [to pay the criminals]. You're completely shut out of the computer. And few people will want to take their computer to someone for repair, because the screen says that you violated the law, and that you've been looking at pornography. And there's a pornographic image on the screen."

Symantec was able to estimate what criminals earn from ransomware after uncovering a command-and-control (C&C) server used by one family of the malware.

In a month-long stretch last summer, the server logged approximately 68,000 unique IP addresses representing infected PCs. During one 24-hour span, the server was pinged by 5,700 infected machines, 168 of which showed signs of having paid the ransom, a rate of about 3%.

The ransom note demanded $200 from each victim, putting $33,600 in the criminals' pockets. Extrapolating the 68,000 infections over the course of a month put the total at nearly $400,000.

Those amounts are maximums, said Symantec, since the criminals will lose some as they launder the money from the pre-paid cash cards that they tell victims to use to make ransom payments.

"Given the number of different gangs operating ransomware scams, a conservative estimate is that over $5 million a year is being extorted from victims," said Symantec's published report. "The real number is, however, likely much higher."

The criminal groups active in ransomware come from various backgrounds, said Haley. Some had been dealing scams that relied on fake antivirus software -- often called "scareware" -- that Haley said had largely "petered out." Others had been spreading Trojan horses that hijacked bank account credentials. And some were simply opportunists.

"It's an evolution, just like in any business," said Haley. "Someone tries something new, then others build on that. Others see an innovation and they just jump on it, too."

With more criminals migrating to ransomware -- and because the scam is profitable -- Haley expects that the problem will grow, and quickly. "It's predominantly porn now, but they'll shift away from that model and find others," Haley predicted. "Ransomware isn't new, but what's happened is that they've found a way to make money."

Because the ransomware infects PCs using advertisements on compromised adult websites, Symantec recommended that users refrain from clicking on such ads and keep Windows, Java, Flash and Adobe Reader updated with the most recent patches.

The Symantec report on ransomware can be found on its website (download PDF).

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.
