So a friend of a friend was watching porn online and contracted a nasty virus. No, not that kind of virus—we’re talking about ransomware. The malware often announces itself in a pop-up and (wrongly) informs a computer user that their machine has been commandeered by law enforcement for illegal activity. It will not be unlocked, the message says, until a fine is paid. Carriers are often porn sites, so victims are easily conned into believing the message is real. Whether or not the victim recognizes this for the scam it is, their computer is unquestionably unusable until the virus is removed.
Ransomware was first seen in Russia and Russian-speaking countries in 2009, according to the Symantec whitepaper “Ransomware: A Growing Menace.” The first known instance of the tactic was in a Cyrillic pop-up that claimed to be a message from Microsoft. It alerted the user that the computer had to be activated by the company before use by obtaining a code via an SMS message. That message was then sent to a premium-rate number that charged the victim.
The perpetrators subsequently improved on their tactics—and profits—by going the shame route. A pornographic image replaced the Microsoft-branded one and its promised removal cost ballooned to around $460.
The next practical step was to move from shame to fear. In its current form, the malware generates a pop-up that purports to be from law enforcement and demands that the user pay a fine for illegal activity (most often the alleged viewing or distribution of illegal pornography) supposedly conducted on the computer. Lately, it has taken the even more alarming tactic of delivering its message in the language of the victim’s country.
In its most recent incarnation, first reported by Trend Micro, the pop-up notification tries to validate itself by claiming that it’s under the aegis of a December 4, 2012, treaty between antivirus vendors and law enforcement to identify cyber criminals. Beneath the message are the logos of companies, such as Symantec, McAfee, Trend Micro, Microsoft, and ZoneAlarm. It’s even been masquerading as the Internet Crime Complaint Center (IC3), a partnership of the FBI and the National White Collar Crime Center that filters complaints about scams such as ransomware to the appropriate authorities.
HIT AND RUN
Even when the victim pays the requested price, however, the scammers will not restore the computer. Symantec notes that much ransomware is incapable of doing so, as it does not even contain the code to uninstall itself. Forums are filled with stories of people who have paid the amount of money that has been asked of them, but are still left infected with the virus.
On a Yoo Security forum, a commenter named Kevin writes, “I’m concerned. My laptop has been blocked with this FBI message since Tuesday evening. It won’t let me in unless I pay $400.00 via MoneyPak. I paid the $400.00 yesterday morning and the computer is still locked. Question: did my $400 actually go somewhere, and how do I unlock this laptop?”
One YouTube video detailing how to remove the virus has a comment from Patriot2572, a victim twice over: “I paid the $300 and now it is requesting $600 after it was ‘rejected,’ but I called MoneyPak and they said the money was picked up by someone in Romania.”
The virus has even caused some affected users to abandon their favorite sites. In October, online community SodaHead user my2cents announced to forum friends: “I’m just letting you all know that I am leaving SodaHead. About two weeks ago, my computer got locked by the FBI scam while on SodaHead…I can’t take the chance of that happening again, so I’m saying adios to SodaHead. I’ll miss you all, but keep up the good fight. And don’t let the bastards get you down!”
Although it is colloquially known simply as ransomware, this particular virus is called Reveton. It is classified as a drive-by download, meaning a computer can be infected just by visiting a compromised site. Those sites are often porn sites, a fact that lends credence to the displayed message that the user was engaged in illegal activity; specifically, child pornography is often cited.
The scam is made even more believable because the virus is specialized, detecting the computer’s location and issuing a message that looks like it’s from a local authority. So U.S. victims often see the FBI logo, Canadians see that of the Canadian Security Intelligence Service, Austrians see the mark of the Austria Police, and so on.
Ransomware attacks computer users all over the world. Malware researcher Kafeine and others maintain an ever-growing gallery of screenshots of its variants on botnets.fr. Symantec, in mapping two ransomware variants, has shown that relatively few countries are untouched. As Kafeine points out in a post, the virus quickly adapts to its surroundings, sometimes starting out with the look and language of, say, the U.K. variant and then quickly switching to the local language and the insignia of a local authority. Ransomware has recently found its way to Iran, which monitors and restricts the Internet for its citizens, undoubtedly making the message particularly frightening for victims and, thus, lucrative for the thieves.
Reveton locks the user’s computer, but even those not lured into parting with their money might find themselves unwittingly doing so. Reveton works with the Citadel malware platform, which can install other malware, so that even after Reveton is removed, keystroke loggers may remain behind to capture usernames, passwords, and credit card information.
Security blogger Brian Krebs reported that Kafeine, who runs the blog Malware don’t need Coffee, believes the Blackhole exploit kit is ultimately responsible for delivering it. The kit works by taking advantage of security holes in browsers, Flash, and Java.
Symantec reports that there are around 16 ransomware gangs. The Metropolitan Police recently arrested three individuals in England: one man was charged on suspicion of conspiracy to defraud, and another man and a woman were charged on suspicion of conspiracy to defraud, money laundering, and possession of items to defraud.
CRIME DOES PAY
The Symantec report states that “a conservative estimate is that over $5 million dollars a year is being extorted from victims.” Kafeine shared screenshots of the criminals’ own scam statistics pages with the blog Krebs on Security; one scam netted about $34,500 in one day and $54,000 the next.
The ransom is usually demanded in the form of a prepaid electronic payment voucher, meaning that there is no chance for victims to recover the funds once they realize they have been scammed.
Ransomware victims in the United States are primarily asked to pay by using MoneyPak, an electronic payment system run by financial services provider Green Dot. MoneyPak is a natural choice for criminals because it’s widely available (MoneyPak prepaid cards are available at over 50,000 locations, such as CVS, Walgreens, and Walmart, across 49 states), virtually untraceable, and nonrefundable. MoneyPak lists the ransomware scam as the first one on its list of “Most Common Scams to Avoid.”
“Green Dot is committed to educating consumers about how to avoid being victims of financial fraud scams and works closely with law enforcement to help enhance these efforts,” a company spokesperson told PC Magazine. “In response to the FBI ransomware scam, Green Dot has partnered with the FBI and the Department of Justice’s Computer Crime and Intellectual Property Division to support their ongoing investigation.”
The MoneyPak site informs users that “[i]f you give your MoneyPak number or information about the purchase transaction to a criminal, Green Dot is not responsible for paying you back. Your MoneyPak is not a bank account. The funds are not insured against loss.” Nevertheless, the spokesperson said, “Consumers are encouraged to immediately report fraudulent activity to Green Dot by calling 1-800-GREENDOT so we can attempt to recover any funds that have not already been removed by a scammer and can continue working with law enforcement to identify the origin of these activities and these abuses.”
Ukash, an offering from London-based Smart Voucher, has similar benefits and is often used in ransomware scams abroad. Instead of a prepaid card, Ukash is a 19-digit code that electronically substitutes for cash. It’s available at over 420,000 locations in more than 55 countries. It’s an excellent tool for thieves because money can’t be refunded once it’s spent. Ukash’s terms and conditions state, “[o]nce Ukash has advised a Participating Merchant that a submitted voucher code and amount are validated, Ukash has no means of subsequently withdrawing such validation and the voucher code and amount will be considered redeemed and cannot be used again.” And the responsibility for verifying the credibility of a recipient of Ukash is on the user: “You cease to be the holder of the Ukash if you provide the details of the Ukash voucher code to some other person… whether such a person is acting unlawfully or is guilty of misrepresentation.”
“We are saddened to hear of people falling victim to scams involving fictitious products or services which ask for payment by Ukash,” said David Hunter, CEO of Ukash, in a statement to PC Magazine. “We take this very seriously as Ukash is designed specifically to help people shop safely online, removing the need to reveal personal financial details.”
Hunter said Ukash works with the police and also to educate the public, noting warnings about scams on vouchers and on Ukash’s website.
Often alongside the Ukash logo is that of paysafecard, a similar type of online payment service. Ludger Voetz, a paysafecard spokesman, told PC Magazine, “paysafecard group is aware of the problem and is doing everything they can to prevent these attempts at fraud. Paysafecard group works in close cooperation with the police, and supports the police with their investigations, in order to stop the fraudsters.”
Voetz pointed out that paysafecard issued a press release last year as a warning to its customers. It reads in part: “The paysafecard group distances itself from these attempts and points out that public authorities, institutions, law firms, and courts do not accept paysafecard as a means of payment. Paysafecard should only be used for payments at authorized online shops of official partners. Instructions to pay a fee or a fine by using a paysafecard should never be followed. Those affected should contact the police.”
Prevention is the best cure, so keep all software—especially antivirus applications—up to date. Neil Rubenking, PC Magazine’s lead analyst for security, says, “The chance that ransomware or some other type of malware will slip past is slim, if you choose one of our recommended products.” (See the sidebar earlier in this story for our top choices.)
You should back up your data so that you can restore it if your computer does become infected. Should the worst occur and ransomware shows up on the screen, Rubenking says your best bet is to attempt cleanup using a bootable rescue CD, something that many security vendors supply for free. “Of course, you’ll have to download and burn the CD on a clean system,” Rubenking points out. “Norton Power Eraser is a good example.”
Rubenking also recommends bootable USB solutions, which are designed for the same issue of not being able to get past a screen. “FixMeStick 2013 boots into its own Linux installation and handles scanning for malware automatically; you don’t have to interact until you give it permission to clean up what it found,” Rubenking says. He adds that HitmanPro 3.7 is specifically designed to fight ransomware threats.
If you’re not comfortable handling the job on your own, contact a professional to do it. “If you somehow get hit with ransomware, absolutely do not pay up,” Rubenking says. “Do not contact the crooks, even if they claim they’re the FBI.” But you should report ransomware to IC3.