Ransom Trojans Spreading Beyond Russian Heartland
Ransom malware has moved out of its traditional Russian market and is starting to become a measurable problem in countries such as the US and Germany, figures from Trend Micro have confirmed.
As reported by Trend's Smart Protection Network cloud, the US headed the list with just over 2,000 infections, ahead of Germany on 1,203, and Hungary on 561. Other countries reporting in the hundreds include France, Russia, Australia, Italy and Taiwan.
This volume of infections isn't large by comparison with other types of malware but ransomware doesn't set out to hit large number of people at any one time. The modus operandi is to attack smaller numbers using below-the-radar campaigns, extracting relatively large amounts from each victim.
The extent of ransomware's success can only be gauged by the growing volume of attacks, which implies a worthwhile success rate.
Ransomware is really the ultimate form of social engineering malware in that people are invited to agree to defraud themselves. The trick is to get people to believe there is no alternative to agreeing to their malware's terms.
After existing at very low levels for years, ransom attacks suddenly started to spike in mid-2010, examples of which include an attack in which Windows users were accused of running a counterfeit version of the OS and asked for a $143 (£91) payment.
Trend itself reported on a worm that used the more common tactic of locking the PCs of victims (the exact method varies in severity from example to example but is often relatively trivial), demanding a small payment to have control returned.
Closer to home, a ransom Trojan affecting UK users impersonated the Metropolitan Police in order to persuade users that porn had been detected on their computers, requiring a payment to be made. Versions of this scam have appeared in almost every European country.
Trend comes up with two explanations for the form's growing popularity among criminals, the biggest of which is the recent disruption of the industry behind fake antivirus scams. This has sent developers to new types of attack that can make use of payment channels less dependant on credit cards, which create an evidence trail.
"Ukash and Paysafecard are widely used online payment methods that do not require personal details. Such level of anonymity has naturally earned the attention of cybercriminals and, as we can see, is now being abused for the ransomware business," said Trend threat engineer, Roland Dela Paz.