Ransomware, malicious programs that lock a computer and uses police enforcement logos and terminology to intimidate victims has spread from Eastern Europe to Western Europe, the United States, and Canada over the past year. The scam has been professionalised from initial early attacks, with established criminal gangs now branching out into using it. Each gang has separately developed, or bought, their own different version of the Ransomware. This malware is highly profitable, with as many as 3% of compromised users paying out. An investigation into one of the players in this scam identified 68,000 compromised computers in just one month, which could have resulted in victims being defrauded of up to £250.000.
Ransomware which locked a screen and demanded payment was first seen in Russia/Russian speaking countries in 2009. The original messages claimed to be from Microsoft and displayed a screen with the Microsoft logos. It stated that your computer must be activated before you could use it. To activate, a specific number must be entered. This number is obtained by sending an SMS message to a premium rate number. The circumstance is completely false, however, and has nothing to do with Microsoft.
The next batch of Ransomware variants used a different tactic. Instead of claiming to be from Microsoft, the malware displayed a pornographic image and demanded payment to have this image removed. Payment could be made through either an SMS text message or regular call to a premium rate number. The idea of shaming victims into payment seems to have been an effective one, as all subsequent Ransomware variants used this idea. The messages were written in Russian and the premium rate numbers were Russian numbers. Throughout 2009 and 2010 there were several variations of this pornographic Ransomware. It was not until early 2011 that a substantial shift occurred in the operation of these.
In 2011 several major changes occurred. First, instead of using a pornographic image the new image purported to be from police & law enforcement. The software detected the location of the compromised computer and used the local language and logos. The text in the image would claim the computer was locked because a crime was committed and a fine was therefore necessary. The second major change was the scam was moving out of Russia into Europe. Finally, the last major change was the method of payment. No longer was an SMS or phone-based payment required. Abuse of prepaid electronic payment systems began.
How does it spread?
Fake police Ransomware can be installed on a computer in a few ways but the most common to date has been through Drive-by downloads. Drive-by download is a term used to describe how a piece of malware is installed on a user’s computer without them knowing when they browse to a website that has been compromised (hacked). The download occurs in the background and is invisible to the user.
The compromised website has had a hidden iFrame (a special redirect) embedded into the website by the attacker. This iFrame causes the user’s browser to actually connect to a second website containing an exploit pack. Exploit packs contain files that attack the user’s computer in different ways, which, if the computer is not fully patched, causes the browser to download a file (the malware).
As putting the iFrame into the first website is a difficult process. An alternative approach, which the Ransomware attackers have been using, is to buy advertising, which is then displayed on the website. The attackers approach an advertising company and provide them with a fake ad to be advertised. When clicked, the ad leads to the second website containing the exploit pack. The attackers have to pay for the advertising, but the return on their investment is more than enough to cover the cost.
Other ways malware could be installed on a computer could be through spam email, poor firewall protection or from a previous malware attack.
After the Ransomware has installed it proceeds to disable the computer by disabling execution of programs. A ransom is then demanded in an appropriate language and using local police logos by geo-locating the user’s IP address using an online service, which tells the Ransomware where the compromised computer is located.
Unfortunately, as with all scams the way this malware is distributed will evolve and spread with new strains, it is therefore important that your antivirus and security updates are kept updated.
How to protect yourself against ransomware
As with other malware and virus’ you can better protect your computer and business network against’ ransomware by:
• Ensuring Anti-Virus is installed, up-to-date ad running.
• Installing Anti-Malware software to specifically detect malware and ransomware.
• Upgrading basic internet router/firewalls to next generation or UTM firewalls.
• Being careful when online or accessing e-mail.
If you want to know more about how you can protect yourself against ransomware please contact LSA Systems.