The gang using the Citadel malware platform to deliver ransomware is now using the name of the Internet Crime Complaint Center in a scheme to intimidate victims into paying.
The Internet Crime Complaint Center (IC3) is a partnership between the FBI and the National White Collar Crime Center. In an advisory, officials warned that the attack infects users with a strain of ransomware known as Reveton—serving as another example of the rising incidence of ransomware in the past year.
In a recent paper, researchers at Symantec analyzed a command and control (C&C) server for a single ransomware family and calculated that the gang behind it earned approximately $394,000 from their scheme in a single month.
“Ransomware threats are getting all too common,” said Kevin Haley, director of Symantec Security Response. “In fact, we recently predicted that 2013 will see ransomware such as this become the next big online scam, overtaking fake AV. We also noted that from here on out, we’re going to see these threats get much more professional looking and sophisticated as cyber criminals refine the scam and up the fear factor. We believe the uptick in the number of these threats and number of gangs investing in this area is quite simple: it’s profitable.”
According to IC3, the Reveton attack begins with a drive-by download that results in the ransomware being installed on the victim’s computer.
“Once installed, the computer freezes and a screen is displayed warning the user they have violated United States Federal Law,” the advisory notes. “The message further declares that a law enforcement agency has determined that a computer using the victim’s IP address has accessed child pornography and other illegal content.”
The warning about the illegal content appears as a message from IC3. To get back full access to their computer, the victim is ordered to pay a fine using prepaid money card services; which service is determined by the geo-location of the user’s PC.
In addition to Reveton, the Citadel malware continues to operate on the compromised machine and can be used to launch online banking and credit card fraud. Citadel was born from the infamous ZeuS toolkit, which had its source code leaked onto the Internet in 2011. Since then, it has grown to be one of the more sophisticated financial malware platforms on the Web today.
“With over 16 gangs currently involved in spreading ransomware we’re seeing multiple methods being used to infect users,” Haley said. “It appears the particular gang related to the Internet Crime Complaint Center is using Citadel to spread the Reveton—also known as Ransomlock.G—ransomware. This threat has been around since May of 2011. However, we recently observed that its spread has accelerated and become increasingly international.”
It’s particularly effective because the attackers behind it are quick to implement the latest exploit kits and social engineering tricks, he added.
“Cyber-crime scams, like traditional crime, typically have a shelf life,” he said. “In other words, a scam is only effective until enough people become aware of it that it is no longer a viable means of making money. Fake AV was a viable money-maker for cyber-criminals for quite some time, but it is starting to fade. It looks like ransomware might be the next big thing.”