Ransomware crooks make millions from porn-shaming scams

Ransomware crooks make millions from porn-shaming scams

'It really puts the screws to you,' says Symantec director of spike in PC extortion racket

Ransomware is a growth industry that puts at least $5 million annually into criminals' coffers, Symantec said Thursday.

"If you look at the nature of the beast, it really puts the screws to you," said Kevin Haley, director of Symantec's security response team, in an interview yesterday. "We see so many gangs moving to ransomware, looking for new angles, new versions [of the malware], that we're going to see a lot of this in the future."

"Ransomware" is a long-standing label for malware that once on a personal computer cripples the machine or encrypts its files, then displays a message -- the ransom note -- that demands payment to restore control to the owner.

"It's an extortion racket," Symantec said in a white paper on the topic published Thursday.

The criminal strategy has been in play for at least a half-dozen years, but until relatively recently, was rare, ineffective and focused on Eastern European victims.

That's changed, said Haley, who ticked off a whole host of improvements to the scam, ranging from a more reliable payment mechanism and stronger encryption to completely locking up the PC and thwarting repairs by shaming the victim with on-screen pornography.

They've also expanded their hunting territory. "It began in 2011, when they started to move out of Eastern Europe, to Germany and the U.K., then began to move westward to the U.S," said Haley. From the first to the third quarters of 2012, for example, Symantec tracked a significant uptick in ransomware infections in the U.S.

Today's ransomware displays a message claiming that because the user browsed to illegal pornographic websites, the computer had been locked and a fine must be paid to regain control. The "fines" range between 50 and 100 in Europe, and are usually around $200 in the U.S.

The porn angle is ingenious, said Haley.

"The screen and keyboard are locked up," Haley said of the malware's impact. "All you can use is the number keypad to enter a PIN [to pay the criminals]. You're completely shut out of the computer. And few people will want to take their computer to someone for repair, because the screen says that you violated the law, and that you've been looking at pornography. And there's a pornographic image on the screen."

Symantec was able to estimate what criminals earn from ransomware after uncovering a command-and-control (C&C) server used by one family of the malware.

In a month-long stretch last summer, the server logged approximately 68,000 unique IP addresses representing infected PCs. During one 24-hour span, the server was pinged by 5,700 infected machines, 168 of which showed signs of having paid the ransom, a rate of about 3%.

The ransom note demanded $200 from each victim, putting $33,600 in the criminals' pockets. Extrapolating the 68,000 infections over the course of a month put the total at nearly $400,000.

Those amounts are maximums, said Symantec, since the criminals will lose some as they launder the money from the pre-paid cash cards that they tell victims to use to make ransom payments.

"Given the number of different gangs operating ransomware scams, a conservative estimate is that over $5 million a year is being extorted from victims," said Symantec's published report. "The real number is, however, likely much higher."

The criminal groups active in ransomware come from various backgrounds, said Haley. Some had been dealing scams that relied on fake antivirus software -- often called "scareware" -- that Haley said had largely "petered out." Others had been spreading Trojan horses that hijacked bank account credentials. And some were simply opportunists.

"It's an evolution, just like in any business," said Haley. "Someone tries something new, then others build on that. Others see an innovation and they just jump on it, too."

With more criminals migrating to ransomware -- and because the scam is profitable -- Haley expects that the problem will grow, and quickly. "It's predominantly porn now, but they'll shift away from that model and find others," Haley predicted. "Ransomware isn't new, but what's happened is that they've found a way to make money."

Because the ransomware infects PCs using advertisements on compromised adult websites, Symantec recommended that users refrain from clicking on such ads, and to keep Windows, Java, Flash, Adobe Reader and Windows updated with the most recent patches.

The Symantec report on ransomware can be found on its website ( download PDF).

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is

See more by Gregg Keizer on

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

Follow Us

Join the ARN newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingsymantecsecurityMalware and Vulnerabilities



 IN PICTURES: VeeamON Tour in Sydney and Melbourne (+ 17 photos)

IN PICTURES: VeeamON Tour in Sydney and Melbourne (+ 17 photos)

The VeeamON tour showcased company's upcoming release of the Veeam Availability Suite v9. Veeam product strategist, Rick Vanover led the discussions in Sydney and Melbourne about the upcoming v9 and other Veeam innovations for the new year.​ VeeamON was held on September 23 at the Museum of Sydney, Warrane Theatre, and at Melbourne Museum in Melbourne on September 24.

IN PICTURES: VeeamON Tour in Sydney and Melbourne (+ 17 photos)
 IN PICTURES: Greentree A/NZ Partners Explore Japan (+ 13 PHOTOS)

IN PICTURES: Greentree A/NZ Partners Explore Japan (+ 13 PHOTOS)

As part of a regular strategic planning program for select Greentree A/NZ partners, they enjoyed a week in Japan combining strategic planning sessions with sightseeing. Principals and their partners from Star Business Solutions, Endeavour Solutions, Addax Business Solutions, GT Business Solutions, bizlinkIT and Verde Group joined Greentree chief executive, Peter Dickinson, channel director, Graham Hill, and R&D director, Stephen Sims in Tokyo and took in Hiroshima, Kyoto and Hakone, including travel on the famed bullet train which hit a top speed of 296 KPH.

IN PICTURES: Greentree A/NZ Partners Explore Japan (+ 13 PHOTOS) is a channel management ecosystem that automates all major aspects of the entire sales, marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.

Show Comments