Featured Article

Ransomware spreads from Europe to U.S. and beyond

Ransomware hijacks computers and files and demands cash when end-users visit compromised websites or download a malicious attachment. Here’s how to combat this nefarious malware that’s traveling from Europe to the U.S. and around the world.

One evening, Suzie Duke logged onto her home computer to work on a project for an important business meeting the next day. When she went to a website to search for information, her computer locked up and a message appeared on the screen, purportedly from the FBI, stating she was in violation of federal law and that she would have to pay a fine of $300 with a MoneyPak card and, in return, would receive an unlock code to restore access to her computer. The website she accessed was compromised with a virus, which she activated when she visited it.

Suzie called a work friend in the IT department, but he couldn’t offer a quick fix. So she panicked and purchased the MoneyPak card. Even though she couldn’t access other programs, she, of course, was able to click on the MoneyPak icon on the ransomware screen to insert the payment code, which was transferred to the fraudster who collected the money. However, the fraudster didn’t send her an unlock code so her computer remained locked, and she couldn’t access her programs. She contacted a computer technician who removed the ransomware.

Suzie was the victim of a fast-growing and highly lucrative scam. The fraudsters, in effect, kidnapped her computer, held her programs hostage and demanded a ransom to unlock her computer.

We recently learned of this actual case (we’ve changed the victim’s name), which is representative of others’ tales. The burgeoning ransomware scam on Windows-based computers has emptied the wallets and purses of scores of victims in 2012, especially in Eastern European countries. This year, the fraud is moving into other countries, including the U.S.

THE 'WARES': RANSOM AND SCARE

Ransomware is closely related to the “scareware” fraud that we reported on in two Fraud Magazine articles in 2011 ("Scareware Fraud: All Trick and No Treat? Part One" and "Scareware Fraud, Part Two"). In both ransomware and scareware schemes, fraudsters follow the same script by using extortion tactics to panic victims and trick them into unloading their cash and personally identifiable information (PII).

Traditionally, scareware fraudsters will confront users with notices claiming that their computers are infected with dangerous viruses. The notice will direct the victim to download a “free” program to remove the virus, which then “finds” the supposed virus and promises to remove it and protect the computer from future viruses for a small fee — generally $40 to $50. The user pays, and the notices disappear, but the program surreptitiously collects PII such as passwords, credit card numbers and bank records. Instant identity theft!

Ransomware follows the traditional pattern of scareware but with more vigor. The user isn’t asked to download a program. Instead, depending upon the form of ransomware, the program automatically downloads and installs when a user visits an infected website or opens a malicious attachment in an email message. Some ransomware programs don’t even bother with scare tactics; they simply lock or encrypt computer files and demand a ransom to restore access. 

Traditional scareware threatens damage, but some forms of ransomware actually carry out the threats by deleting files even if the victim does pay up. And, as with traditional scareware, ransomware also collects and transmits PII from the moment of installation.

TWO FORMS OF RANSOMWARE 

According to Microsoft’s Malware Protection Center, ransomware comes in two forms: lockscreen and encryption.

Lockscreen ransomware (also known as winlocker ransomware) is the predominant form of the scam. This type displays a full-screen image or web page that prevents the user from accessing anything on the affected computer. To increase the user’s panic level, fraudsters use social engineering techniques such as displaying “images and logos of legal institutions to give their scam an air of legitimacy,” according to Microsoft’s Malware Protection Center. (See Screen shot No. 1 below.)

[Figure 1 is no longer available. — Ed.]    

Encryption ransomware, a less common form, uses a direct ransom demand approach instead of social engineering. After the fraudsters hook a victim, their ransomware, according to Microsoft’s Malware Protection Center, “encrypts your files [with complex algorithms] with a password, preventing you from opening them.” The fraudsters then demand payment in exchange for a password to access the encrypted files. (See Screen shot No. 2 below.)

[Figure 2 is no longer available. — Ed.]

In our first article on scareware, "Scareware Fraud: All Trick and No Treat? Part One," we wrote that ransomware uses fear to extort money from victims. Instead of pretending to be security software, these programs not only accuse the user of committing a crime but also threaten to remove the user’s access to a program or file if a fee isn’t paid.

For example, one ransomware program targets those who use “bittorrent,” or peer-to-peer programs. Once the program infects the computer, it pretends to scan for copyright violations and then displays a professional-looking pop-up screen, informing the victim that stolen material was found on the computer. The victim is given the choice of challenging the finding in court or of settling the matter instantly by paying a $400 fine. If the victim refuses to pay up, the program continues to pop up every time the computer is restarted; it then locks the victim’s desktop until he or she gives in and pays the alleged fine. 
TIMELINE, GEOGRAPHICAL LANDSCAPE AND FINANCIAL IMPACT

Eastern European gangs began to seriously use ransomware in 2009 because the payoffs were better than traditional scareware: $100 to $400 per pop compared with less than $100. Until then, fraudsters were claiming millions of victims with traditional scareware. Many gangs switched to ransomware exclusively.

According to Nicole Perlroth in her Dec. 5, 2012, article, “For PC Virus Victims, Pay or Else” in The New York Times, “Security experts say that there are now more than 16 gangs of sophisticated criminals extorting millions from victims across Europe.” 

Perlroth reported that Charlie Hurel, an independent security researcher in France, cracked into the computers of one gang and determined that the fraudsters had infected 18,941 computers and collected $400,000 in one day from the 15 percent of users who paid the ransom. “That is significantly more than hackers were making from antivirus schemes a few years ago, when so-called ‘scareware’ was at its peak and criminals could make as much as $158,000 in one week,” Perlroth wrote.

Symantec, which tracks ransomware schemes and the gangs who run them, concurs, reporting that “as many as 2.9 percent of compromised users” pay the ransom, resulting in a conservative estimate “that $5 million dollars [sic] a year is being exhorted from victims.” (See the O’Gorman and McDonald Symantec report.)

The Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center, reported a lockscreen variety of ransomware called Reveton in a Nov. 30, 2012, Intelligence Note. Reveton has been lucrative for fraudsters throughout the world, especially in European countries, where they’re still using it.

However, there’s some good news. The Radio Free Europe Radio Liberty website reported that Spanish authorities and Europol broke up a “gang of Russians, Ukrainians, and Georgians who allegedly collected millions of euros” promoting ransomware. (See “Cybercrime: ‘Ransomware’ Gang Arrested,” February 18, based on reporting from AP, Reuters and AFP.)

The 27-year-old Russian who led the gang and developed the virus was detained in the United Arab Emirates. At least six other suspected gang members were arrested in Spain. The article reported that “officials said hundreds of thousands of people, mostly in 30 European nations, were believed to have been affected by the operations of the gang.”

RANSOMWARE DELIVERY METHODS

Fraudsters use two main methods to deliver ransomware: a drive-by download from a hacked or malicious website (the method the “Reveton” family normally uses) and an email containing a malicious attachment. Reveton normally uses an “exploit kit” known as BlackHole, according to Brian Krebs, author of the krebsonsecurity.com blog. An exploit kit is a tool that’s “stitched into hacked or malicious web sites [along with the ransomware malware], so that all visiting browsers are checked for [vulnerabilities such as] a variety of insecure, outdated plugins [software], from Flash to Java to Adobe Reader.” (See “Inside a ‘Reveton’ Ransomware Operation,” by Brian Krebs, Aug. 12, 2012.) When the kit finds security holes in the computer’s software, the browser is “handed a Trojan downloader that fetches Reveton and most likely a copy of the password-stealing Citadel/ZeuS Trojan,” Krebs writes.

The Citadel/ZeuS Trojan, the most common type of financial malware, continues to operate on the compromised computer, collecting data used to commit online banking and credit card fraud. Through the BlackHole exploit kit, the end user’s computer is infected with the malware in a drive-by-download fashion, without any interaction from the user beyond visiting the page.

Ransomware may also be delivered via an email containing a malicious attachment. Again, the email will have the appearance of a message coming from a real source. When a victim opens an attachment, the ransomware invades the system and downloads the image of the locked screen.

According to Perlroth in The New York Times article, fraudsters are very clever about where they plant their malware; they commonly use porn sites because victims will be more inclined to pay the “fine” to avoid possible embarrassment. “Symantec’s researchers say there is also evidence that they [fraudsters] are paying advertisers on sex-based sites to feature malicious links that download ransomware onto victims’ machines,” Perlroth wrote.

Although porn sites are a common breeding ground for malware of all types, fraudsters often infect respected, reputable sites.

TYPICAL WARNING SCREENS

Although all ransomware screens have the same goal of tricking users, the wording of each can vary. For example, the IC3 reported in its Nov. 30, 2012, Intelligence Note that the ransomware warning screens that might appear on a viewer’s computer include messages with U.S. government agency logos and seals to help temper doubt of the message’s authenticity and to heighten the potential victim’s fear of prosecution. The IC3 explained a lockscreen version in a May 30, 2012, Intelligence Note:

The [Reveton] ransomware lures the victim to a drive-by download website, at which time the ransomware is installed on the user’s computer. Once installed, the computer freezes and a screen is displayed warning the user they have violated United States Federal Law. The message further declares the user’s IP address was identified by the Computer Crime & Intellectual Property Section as visiting child pornography and other illegal content. To unlock their computer the user is instructed to pay a $100 fine to the US Department of Justice, using prepaid money card services. The geographic location of the user’s IP address determines what payment services are offered. In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud. 
In this version of the scam, a banner at the top of the screen contains the words, “Computer Crime & Intellectual Property Section United States Department of Justice” next to an official seal of the agency. In the background is an American flag, a gavel and a keyboard. A similar version of a lockscreen form of ransomware allegedly from the Department of Justice is shown in Screen shot No. 3 below.

[Figure 3 is no longer available. — Ed.]

In an Aug. 9, 2012, updated alert, the IC3 reported a second version of a lockscreen ransomware warning screen, purportedly this time from the FBI, that included the agency’s seal and this accompanying message, in part:
“Your PC is blocked due to at least one of the reasons specified below.

You have been violating Copyright and related Rights Laws (Video, Music, Software) and illegally using or distributing copyrighted content, thus infringing Article I, Section 8, Clause 8, also known as the Copyright of the Criminal code of the United States of America.

Article I, Section 8, Clause 8 of the Criminal Code provides for a fine of two to five hundred minimal wages or a deprivation of liberty for two to eight years.

You have been viewing or distributing prohibited pornographic content (Child Porno/Zoofilia and etc). The violating article 202 of the Criminal Code of United States of America, Article 202 of the Criminal Code provides for a deprivation of liberty for four to twelve years.

Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected with malware, thus you are violating the law On Neglectful Use of Personal Computer, Article 210 of the Criminal Code provides for a fine of up to $100,000 and/or a deprivation of liberty for four to nine years.

Fines may only be paid within 72 hours after the infringement. As soon as 72 hours elapse, the possibility to pay the fine expires, and a criminal case initiated against you automatically within the next 72 hours.”

The screen contains a link to click on for instructions on how to pay the “fine” through MoneyPak and unlock the computer. In other iterations, the scammers recommend other online payment voucher services such as Ukash and Paysafecard. These prepaid, hard-to-trace payment methods help fraudsters avoid any credit card problems and expedite money transfers. (See a similar screen, Screen shot No. 4 below.)

[Figure 4 is no longer available. — Ed.]

The IC3 reported in a Nov. 30, 2012, Intelligence Note a third version of a lockscreen ransomware warning screen purportedly from the Internet Crime Complaint Center with the alarming headline, “Threat of Prosecution Reminder.” The message claims that the user’s computer activity is “being recorded using audio, video, and other devices.” The IC3 warned that victims’ infected computers could possibly be used to commit bank fraud, and they should contact local computer experts to remove the malware.
According to the March 9, 2012, article “Finns Targeted by Localized Ransomware” on F-Secure.com, European victims usually see a warning screen from a local law enforcement agency. The warning screens are localized for Germany, the U.K., Spain and Finland, the article claims. “In all countries, the social engineering method is the same,” F-Secure wrote. “Upon infection the Ransomware expands Internet Explorer to full screen (F11) and displays a message claiming to be from a local police unit claiming that the user’s computer has been used in browsing sites containing child and animal abuse.” The fraudsters also claim that the victim’s computer has been used to send email spam on terrorism topics, so the police have locked it until the user pays a fine, according to the article.

REMOVING RANSOMWARE

Removing ransomware from a computer can be complicated because its creators are always improving their products. What works today may not work tomorrow. Symantec provides an easy guide for using the Norton Bootable Recovery Tool to locate and remove ransomware and repair any damage.

Microsoft also provides two easy methods to remove ransomware on its Malware Protection Center website.

“It’s important for readers to understand that if you have been hit by a ransomware attack, the ransomware component is almost certainly just the most visible of the threats that reside on your system,” Krebs wrote in his Aug. 13, 2012, article “Inside a ‘Reveton’ Ransomware Operation.” 

If the Citadel/ZeuS Trojan is operating on your computer, it’s gathering your PII so fraudsters can commit online banking and credit card fraud, among other crimes. Therefore, just unlocking or decrypting the computer may not be enough. If you feel uncomfortable using the sources noted above, or similar ones, consult a computer service company expert to verify that your computer is secure and free of all infections.

PREVENTING RANSOMWARE

Of course, the best way to deal with a ransomware infection is to prevent it from occurring in the first place. Because ransomware can hide in reputable sites, emails or programs downloaded from the Internet, 100 percent prevention may not be possible. Here are some preventative steps:

  • Back up your files through a cloud service or onto external storage such as external hard drives or USB flash drives. But don’t store backups on the same computer as the original files.
  • Use current firewalls, anti-virus and anti-spyware software.
  • Keep your browser, system software and other software up to date with the latest patches.

As fraud examiners, we’re trained to be skeptical. So you know that no government agency would ever send a notice via the web, shut down your computer and tell you to simply pay a fine to make all your troubles disappear (at least you do now).

Cultivate good browsing habits, and counsel all your contacts to do the same. Don’t visit suspect sites, don’t open unknown links and only download files from reputable sites.

Finally, don’t disable the security features already built into your operating system. Yes, some of them may be annoying, but they’re in there for your protection.

FOREWARNED IS FOREARMED

Ransomware is a potent scam that has become very lucrative for cyber-criminal gangs in Europe, and they’ve recently added the U.S. and other countries as targets in their marketing strategies.

Anonymous researchers who have been tracking Reveton say that “the groups involved in spreading Reveton are constantly fine-tuning all aspects of their operations, from the scam pages to solidifying their back-end hosting infrastructure,” according to Krebs in his article, “Inside a ‘Reveton’ Ransomware Operation.” Though some ransomware fraud gangs have been caught, we still have a long way to go to eliminate this insidious crime.

You’ve been forewarned. Share this with your clients, family, friends and other contacts. If they’ve encountered ransomware fraud, counsel them to not pay the “fine.” Good luck!

Robert E. Holtfreter, Ph.D., CFE, CICA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash. 

Tiffany McLeod, a former student in Robert Holtfreter’s fraud examination course, recently received bachelor’s degrees in accounting and English from Central Washington University.

Sidebar:

How to report ransomware fraud

If you or someone you know is exposed to ransomware, whether or not they pay the “fine,” report it to:

If someone has paid the “fine,” Microsoft recommends these contacts:
  • In Australia, SCAMwatch
  • In Canada, Canadian Anti-Fraud Centre
  • In France, Agence nationale de la sécurité des systèmes d’information
  • In Germany, Bundesamt für Sicherheit in der Informationstechnik
  • In Ireland, An Garda Síochána
  • In New Zealand, Consumer Affairs Scams
  • In the U.K., ActionFraud
  • In the U.S., OnGuardOnline


The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.