The hunt is on to find these gangs. Researchers at Symantec said they had identified 16 ransomware gangs. They tracked one gang that tried to infect more than 500,000 PCs during an 18-day period.
Even if researchers can track their Internet addresses, catching and convicting those responsible can be difficult. It requires cooperation among global law enforcement, and such criminals are skilled at destroying evidence.
Charlie Hurel, an independent security researcher based in France, was able to hack into one group’s computers to discover just how gullible their victims could be. On one day last month, the criminals’ accounting showed that they were able to infect 18,941 computers, 93 percent of all attempts.
Of those who received a ransom message that day, 15 percent paid. In most cases, Hurel said, hackers demanded 100 euros (US$129), making their haul for one day’s work more than US$400,000.
That is significantly more than hackers were making from fake anti-virus schemes a few years ago, when so-called “scareware” was at its peak and criminals could make as much as US$158,000 in one week.
Scareware dropped significantly last year after a global clampdown by law enforcement and private security researchers. Internecine war between scareware gangs caused its final demise. As Russian criminal networks started fighting for a smaller share of profits, they tried to take each other out with denial of service attacks.
Now, security researchers are finding that some of the same criminals who closed down scareware operations as recently as a year ago are back deploying ransomware.
“Things went quiet,” Eric Chien, a researcher at Symantec who has been tracking ransomware scams, said. “Now we are seeing a sudden build-up of ransomware using similar methods.”
Victims become infected in many ways. In most cases, people visit compromised Web sites that download the program to their machines without so much as a click.
Criminals have a penchant for infecting pornography sites because it makes their law enforcement threats more credible; embarrassing people who look at pornography makes them more likely to pay. Symantec’s researchers say there is also evidence that they are paying advertisers on sex-based sites to feature malicious links that download ransomware onto victims’ machines.
“As opposed to fooling you, criminals are now bullying users into paying them by pretending the cops are banging down their doors,” said Kevin Haley, Symantec’s director of security response.
More recently, researchers at Sophos, a British computer security company, found that thousands of people were getting ransomware through sites hosted by GoDaddy, the popular Web services company that manages 50 million domain names and hosts about 5 million Web sites on its servers.
Sophos said hackers were breaking into GoDaddy users’ accounts with stolen passwords and setting up what is known as a subdomain. For example, instead of www.nameofsite.com, hackers would set up the Web address nameofsite.blog.com, then send e-mails to customers with the link to the subdomain which — because it appeared to come from a trusted source — was more likely to lure clicks.
Scott Gerlach, GoDaddy’s director of information security operations, said it appeared the accounts had been compromised because account owners independently clicked on a malicious link or were compromised by a computer virus that stole password credentials. He advised users to enable GoDaddy’s two-step authentication option, which sends a second password to users’ smartphones every time they try to log in, preventing criminals from accessing their account with one stolen password and alerting users when they try.
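The defensive counterpart to the subdomain abuse Sophos describes is a periodic check of a domain's DNS zone against the records the owner knows they created, so that a host added with a stolen password shows up quickly. The script below is an added example, not GoDaddy's or Sophos's tooling: `ZONE_EXPORT` is a constructed BIND-style listing for a hypothetical domain (a subdomain of nameofsite.example is written as blog.nameofsite.example), `APPROVED_HOSTS` is the owner's own inventory, and `OWNED_NETWORKS` is the address range the owner's servers actually live in. Records outside that inventory are reported with the reasons they look suspicious.

```python
"""Audit a DNS zone export for subdomain records the owner never approved.

Constructed example: the zone text, the approved-host inventory and the
owned network range below are all hypothetical, not real GoDaddy data.
"""
import ipaddress

# Constructed zone export for the hypothetical domain nameofsite.example.
# The last two hosts are the kind of record an intruder with a stolen
# account password might add: unknown name, short TTL, foreign address.
ZONE_EXPORT = """\
nameofsite.example.       3600 IN A   203.0.113.10
www.nameofsite.example.   3600 IN A   203.0.113.10
mail.nameofsite.example.  3600 IN MX  10 mx.nameofsite.example.
blog.nameofsite.example.   300 IN A   198.51.100.77
x7k2.nameofsite.example.   300 IN A   198.51.100.78
"""

# Hosts the site owner knows they created (assumed inventory).
APPROVED_HOSTS = {
    "nameofsite.example.",
    "www.nameofsite.example.",
    "mail.nameofsite.example.",
}

# Address space the owner's own servers live in (assumed).
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# TTLs below this are unusual for a long-lived host and worth a look.
SHORT_TTL_SECONDS = 600


def parse_zone(text):
    """Parse 'name ttl class type rdata' lines into a list of dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines, comments and anything too short to be a record.
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        name, ttl, _cls, rtype = parts[:4]
        rdata = " ".join(parts[4:])
        records.append(
            {"name": name.lower(), "ttl": int(ttl), "type": rtype.upper(), "rdata": rdata}
        )
    return records


def find_unapproved(records, approved, owned_nets, short_ttl=SHORT_TTL_SECONDS):
    """Return (name, type, reasons) for every record not in the approved set."""
    findings = []
    for rec in records:
        if rec["name"] in approved:
            continue
        reasons = ["not in approved host list"]
        if rec["type"] == "A":
            addr = ipaddress.ip_address(rec["rdata"])
            if not any(addr in net for net in owned_nets):
                reasons.append("points outside owned address space")
        if rec["ttl"] < short_ttl:
            reasons.append("short TTL")
        findings.append((rec["name"], rec["type"], reasons))
    return findings


def audit(zone_text=ZONE_EXPORT, approved=APPROVED_HOSTS, owned_nets=OWNED_NETWORKS):
    """Run the audit on a zone export and return the findings."""
    return find_unapproved(parse_zone(zone_text), approved, owned_nets)


if __name__ == "__main__":
    for name, rtype, reasons in audit():
        print(f"REVIEW {name} ({rtype}): {'; '.join(reasons)}")
```

Run against a real export, the approved set would come from the owner's change records and the owned networks from their hosting inventory; a finding is a prompt to confirm who added the record, and an unexplained one is a strong hint that the registrar account itself has been used by someone else, which is exactly the case two-step authentication is meant to stop.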