Monday, November 12, 2012


Ransomware a growing menace, says Symantec

This type of scamware has jumped over the past year, both in number and variety, according to the security vendor.

 

November 12, 2012 7:38 AM PST


A typical ransomware message.

(Credit: Symantec)

Cybercriminal gangs are creating a surge in ransomware, says a new report from Symantec.

Ransomware is a type of malware best described as an online extortion racket. Malware locks or disables your PC in some way and then demands payment in the form of a "fine" to render your PC usable again. Like most scams, the ransomware message claims to come from a legitimate organization, such as the government or a public corporation, to try to convince victims that they did something wrong to incur the fine.

But paying the fine does nothing since the initial malware remains on the PC and must still be manually removed.

This scam has risen in popularity over the past several years, but 2012 witnessed an increase in both the number and variety of ransomware campaigns, Symantec said in its report. That growth is due largely to an upsurge in the number of worldwide criminal gangs using this scheme to make a buck.

"From just a few small groups experimenting with this fraud, several organized gangs are now taking this scheme to a professional level and the number of compromised computers has increased," the report noted. "Symantec has identified at least 16 different versions of ransomware."

One malware investigation mentioned in the report discovered 68,000 affected computers in a single month. Another one caught a Trojan attempting to infect 500,000 PCs over the course of just 18 days.

Criminals go where the money is, and ransomware can be a cash cow. As much as 2.9 percent of all people affected by ransomware end up paying the ransom, Symantec said. Criminal gangs have stolen more than $5 million a year from unsuspecting victims, according to one estimate; however, Symantec believes the dollar amount to be much higher.

Though a variety of different gangs are active, many get their ransomware from the same source, the report said. A single individual, who remains unknown, seems to have a full-time job of developing ransomware to fill requests from the criminal gangs.

One of ransomware's weaknesses is that it's usually obvious, Symantec noted. Many users who receive such messages simply scan their PCs, which then removes the Trojan associated with the ransomware.

But as more users fail to fall for the scam, the criminal gangs may simply fine-tune their methods of attack.

"As awareness of these scams increases, the attackers and their malware are likely to evolve and use more sophisticated techniques to evade detection and prevent removal," the report said. "The 'ransom letter' will likely also evolve and the attackers will use different hooks to defraud innocent users."

For Norton users bitten by ransomware malware, Symantec provides a tutorial page on how to remove it. A video from the security firm also offers tips on how to avoid it in the first place.

Lance Whitney

Lance Whitney wears a few different technology hats--journalist, Web developer, and software trainer. He's a contributing editor for Microsoft TechNet Magazine and writes for other computer publications and Web sites. 

9 comments

My sister called me about this a few weeks ago. I had to explain to her it was a scam and to run her antivirus, which she conveniently hasn't run nor updated in months.


November 12, 2012 8:14 AM (PST)

Have your sister download and install Avast antivirus, it auto updates its virus definitions often once you're online, and it's always running its protection continuously in the background.

Malwarebytes is probably the best I've known for removing these once they get in so keep that handy.

Posted by Macajuel (77 comments )

November 12, 2012 10:07 AM (PST)

Can't these be removed by simply booting into safe mode and running Malwarebytes or Spybot (or any antivirus)?

Posted by WokaWokaHi (76 comments )

November 12, 2012 8:48 AM (PST)

It really depends; some modify files through encryption or just hiding them. Best bet is usually to run a bootable CD virus scan.

Posted by dj_erik (70 comments )

November 12, 2012 8:56 AM (PST)

So explain to me how when people pay the ransom with credit cards there isn't a huge paper trail showing exactly where the money goes?


November 12, 2012 9:01 AM (PST)

I had one of these on my PC. After the initial ten seconds of `***` I rebooted into safe mode (doesn't run programs in the startup options), then ran msconfig and disabled it from the start items. It was easy to find, as these are generally stored in the temp drive on your PC. So I rebooted in normal mode, went into the temp folder and deleted it, then ran another virus scan to be sure.

While posts like this one are all well and good from CNET, I honestly think telling people the easiest ways is going to help. Linking to a Norton advice page promoting Norton products simply isn't helpful, as step 1 is download the utility; well, ya can't be doing that when you're locked out of your PC, now can you.


November 12, 2012 9:23 AM (PST)

Anyone here read Reamde by Neal Stephenson? I honestly believe that ransomware will get to the point where it doesn't lock your computer or try to convince you that you should send them money. I think it will end up encrypting important data like Word documents, spreadsheets, photos, videos, etc. All the things that really matter on your computer. Pay the fee and get the unlock code. It makes sense for the unlock code to actually work as it will show people that paying the money makes sense. The big issue with this is how to launder the money, obfuscate the chain of payment, etc.

Posted by rapier1 (2692 comments )

November 12, 2012 9:24 AM (PST)

They already are doing that, see the below Sophos article.
http://nakedsecurity.sophos.com/2012/10/06/ransomware-encrypts-files-claiming-sopa-piracy-charges/

Posted by dj_erik (70 comments )

November 12, 2012 9:45 AM (PST)

My guess is much of it is run by overseas outfits like the Russian Mafia who have all sorts of criminal back-end support to accept payments that are beyond the reach of any law enforcement in the U.S. (and their own governments are too corrupt or inept to prosecute).

Posted by Chibiabos (112 comments )

November 12, 2012 9:37 AM (PST)

 
