Ransomware Scams Rising in North America, Europe: Symantec Report

One ransomware campaign conned victims into parting with a total of $400,000 in a single month, as cyber-criminals target victims in North America with the age-old scam.

Once thought a niche scam by cyber-criminals, ransomware is making a resurgence in Western Europe and North America, security firm Symantec said in a Nov. 8 report.

The scam, in which malware encrypts data or makes a victim's computer unusable unless a specific code is purchased, has likely reaped at least $5 million in the past year, according to the company. In a recent campaign discovered by the firm, for example, almost 70,000 computers were infected in a single month, of which 2.9 percent paid the ransom to unlock their systems—that totals $400,000 for a single month, the firm said.

"This is as bad as it comes, in terms of hitting below the belt," said Vikram Thakur, principal researcher for Symantec Security Response. "The attackers are targeting Europe and the U.S., because they think that people will pay up."

The latest ransomware attacks first targeted Russia and other former Eastern Bloc countries in the last two years. Attacks had jumped by half from the first quarter to the second quarter of 2012, according to security firm McAfee. In late summer, however, security experts noted that the attacks had started targeting victims in several Western European nations, including Austria, France, Germany, the Netherlands, Switzerland and the United Kingdom. Now, North American computer users are targeted as well.

The attack usually occurs through a Web exploit or a so-called drive-by download, where the user is redirected to a Website that attempts to install malware on their system. Most often, the attack happens without any indications to the user that their computer has been compromised.

While past ransomware scams would encrypt the hard drive or critical files and charge for the decryption key, the latest variants tend to lock the system by gaining system-level access and blocking certain components from running. The program then displays a warning imitating local law enforcement that threatens victims with arrest if they do not pay a fine within 72 hours.

To lend additional sinister urgency to the ransom demand, one message displaying the seal of the U.S. Department of Justice warns victims that their IP address was used to visit explicit child abuse sites, adding that "spam-messages (sic) with terrorist motives were also sent from your computer."

Unlike other popular scams, such as fake antivirus software or banking trojans, ransomware prevents a victim from using their system or data. Unable to access their computer system, the victim typically becomes desperate, Thakur said.

"You have gone from being able to use your computer to nothing at all, and you have to rely on another computer or the phone to contact support or find help," he said.

Symantec and other antivirus firms do not recommend paying. Many times the criminals will not send a code key and simply take the users' money. While some businesses attacked in Australia that complied with the ransomers' demand for AU$3,000 have received encryption keys, victims can never be sure, Thakur said.

"At the end of the day, they are asking for money with no guarantees," he said. "We have seen that code for uninstalling this ransomware does exist, but we believe that most of the groups don't even have that function in their malware."

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...