Ransomware crooks make millions from porn-shaming scams
'It really puts the screws to you,' says Symantec director of spike in PC extortion racket
Computerworld - Ransomware is a growth industry that puts at least $5 million annually into criminals' coffers, Symantec said Thursday.
"If you look at the nature of the beast, it really puts the screws to you," said Kevin Haley, director of Symantec's security response team, in an interview yesterday. "We see so many gangs moving to ransomware, looking for new angles, new versions [of the malware], that we're going to see a lot of this in the future."
"Ransomware" is a long-standing label for malware that, once on a personal computer, cripples the machine or encrypts its files, then displays a message -- the ransom note -- that demands payment to restore control to the owner.
"It's an extortion racket," Symantec said in a white paper on the topic published Thursday.
The criminal strategy has been in play for at least a half-dozen years, but until relatively recently, was rare, ineffective and focused on Eastern European victims.
That's changed, said Haley, who ticked off a whole host of improvements to the scam, ranging from a more reliable payment mechanism and stronger encryption to completely locking up the PC and thwarting repairs by shaming the victim with on-screen pornography.
They've also expanded their hunting territory. "It began in 2011, when they started to move out of Eastern Europe, to Germany and the U.K., then began to move westward to the U.S.," said Haley. From the first to the third quarters of 2012, for example, Symantec tracked a significant uptick in ransomware infections in the U.S.
Today's ransomware displays a message claiming that because the user browsed to illegal pornographic websites, the computer had been locked and a fine must be paid to regain control. The "fines" range between €50 and €100 in Europe, and are usually around $200 in the U.S.
The porn angle is ingenious, said Haley.
"The screen and keyboard are locked up," Haley said of the malware's impact. "All you can use is the number keypad to enter a PIN [to pay the criminals]. You're completely shut out of the computer. And few people will want to take their computer to someone for repair, because the screen says that you violated the law, and that you've been looking at pornography. And there's a pornographic image on the screen."
Symantec was able to estimate what criminals earn from ransomware after uncovering a command-and-control (C&C) server used by one family of the malware.
In a month-long stretch last summer, the server logged approximately 68,000 unique IP addresses representing infected PCs. During one 24-hour span, the server was pinged by 5,700 infected machines, 168 of which showed signs of having paid the ransom, a rate of about 3%.