Ransomware, a Quick-and-Dirty Bribery Scam, Targets Europe

Rather than encrypt the entire hard drive, criminals are using fairly unsophisticated ransomware to lock a victim's PC and then demand cash for the keys.

By: Robert Lemos

A typical digital kidnapping often begins with the victim inadvertently running a malicious program. The ransomware, as such programs are called, then encrypts the computer hard drive and offers to sell the victim the encryption key for a small fee.

Over the past few months, security professionals have engaged in a cat-and-mouse game with a number of groups using similar tactics. Recent versions targeting Austrian, Dutch, English, French, German and Swiss computer users, for example, employ a simpler method of locking the computers-by running a small program that loads at the system startup and forces the user to enter in a code before allowing them to log in. To dissuade the victims from going to the authorities, the software claims to have locked the computer for violations under copyright laws or-in earlier versions of the ransomware-under child porn and terrorism laws.

Ransomware is not generally considered a major threat-only an occasional oddity-but the increase in recent activity may indicate that criminals are having some success with the scam.

"From my perspective, it has become quite popular," a manager for Abuse.ch, a botnet-tracking site based in Switzerland, said in an email interview. "I don't know the reason why, but probably because it's not difficult to write ransomware-so a small effort, but very effective." The manager asked not to be named for privacy reasons.

In a post published Aug. 3, Abuse.ch-a site known for its tracking of major botnets, such as Zeus and SpyEye-noted that the latest scheme spreads through a popular infection vector, the Blackhole exploit kit. Using such cyber-criminal toolkits, attackers can build Websites that exploit software vulnerabilities on visitors' systems to install malicious software.

Once installed, the ransomware uses geolocation to determine the country of the victim and then displays a notice specific to the country, demanding that the user pay a fee to unlock the system. Oddly enough, while the malware makes an effort to identify the victim's location, all the notices are written in German, the analysis stated.

The attack has become popular enough that Poland's Computer Emergency Response Team (CERT Polska) published an advisory detailing two methods of unlocking an infected computer without paying the ransomers. Prior to the advisory, the CERT had created a utility to generate fake keys for the user to unlock their own system, but more recent variants of the ransomware defeated the workaround.

The methods outlined by the CERT would allow users to remove the malware, even when they could not boot the system, the advisory stated.

"Malware very often adds itself to the list of applications that start when operating system boots up," according to the CERT alert. "By doing so, it makes sure that when a user removes it during the system run, it will infect the machine again at another boot. The only solution is to prevent software from running at system start."

The two methods basically amount to using Microsoft Windows' Safe Mode to boot up the machine and manually remove the malware, or using a recovery CD from an antivirus vendor to clean the system.

With such workable solutions, it's unlikely that the criminals will be paid their 100-euro fee for keys, but the ease with which the attack can be mounted likely makes it worthwhile for now, according to Abuse.ch.

"I think it is just a temporary trend until someone finds a better idea to make money easier," said the manager.