Ransomware has recently been associated with attacks on enterprise networks. Given the expertise required to penetrate a well-guarded corporation, and the risk inherent in the fact that the malware author must at some point make contact with the victim to arrange payment, it is perhaps understandable that cyber extortionists would rather do it once, but do it well.
In July 2006, a series of Ransom-A trojan infections, widely reported in mainstream Chinese media, led to the arrest and prosecution of an engineer in Guangzhou, China, allegedly responsible for writing and distributing the trojan. The modus operandi was simple: run a website offering free software that turns out to be a trojan which hides the victim's document files, then demand a fee to recover the "lost" data. According to a press release by China's Ministry of Public Security, the 34-year-old was in financial trouble and made a total of US$500 from extortion using what it called "the first reported ransomware in China".
More recently, McAfee Avert Labs has followed the development of Ransom-C, reportedly spammed widely as an e-mail attachment. A Chinese article published by Beijing CERT on Christmas Day covered, in some detail, the e-mail exchange between one of the victims and the malware author. Unlike the Ransom-A author, the Ransom-C author has apparently put slightly more effort into "customer service". The exchange starts with a reasonable description of the file system and of the data recovery process, then offers the victim an "Enterprise" option for full recovery or a cheaper "Family" edition for partial recovery. It sounds like a helpful and knowledgeable sales or support representative! Despite the "kind" offer, however, most of the data are gone for good: the trojan did not hide the files, it deleted them, so paying buys nothing. The author is not really interested in providing a resolution.
Our investigations have led to the discovery of a more sophisticated criminal operation associated with this threat. Numerous legitimate websites, possibly compromised, were found hosting the ransomware and installing it on visitors through an exploit targeting vulnerable versions of Internet Explorer. To make the campaign more robust, legitimate hyperlinks on these sites were also altered to point to a download link for the trojan. Most of the sites hosted financial news, medical information, personal web pages and the like; in other words, the attackers are targeting the masses where you least expect it, and clearly in a very organized manner.
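The altered hyperlinks described above can be spotted with a simple check on a page's anchors: an anchor whose visible text names one host while its href resolves to another, or whose href points straight at an executable, deserves a second look. The script below is an added example, not code from McAfee Avert Labs or from the original post; the page it scans is constructed for illustration, and the hosts, paths and file name in it are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# File extensions a news or medical site has no business linking to directly.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

# Constructed sample page: one ordinary link, one "spoofed" link whose anchor
# text shows the site's own domain while the href fetches an executable from
# an unrelated host, and one plain executable download. Hosts are hypothetical.
SAMPLE_PAGE = """<html><body>
<a href="http://www.example-finance.test/news/2006/q4.html">Quarterly report</a>
<a href="http://203.0.113.9/update/setup.exe">www.example-finance.test/reader</a>
<a href="http://www.example-health.test/download/viewer.exe">Download viewer</a>
</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; a bare 'www.x.y/path' is treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def suspicious_links(html):
    """Return [(href, text, [reasons])] for anchors worth inspecting."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        target = _host(href)
        if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("href points at an executable on %s" % target)
        # Anchor text that looks like a URL but names a different host than
        # the href is the classic sign of a rewritten "legitimate" link.
        if re.match(r"^(https?://|www\.)", text, re.I) and _host(text) != target:
            reasons.append("text claims %s but href goes to %s" % (_host(text), target))
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_PAGE):
        print(href, "<-", repr(text))
        for reason in reasons:
            print("   ", reason)
```

Run against a saved copy of a landing page, this flags both the executable downloads and the anchor whose text still reads like the site's own address. It is a triage aid, not a verdict: a legitimate software mirror will also trip the executable rule, so the findings are there to be looked at, not blocked automatically.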
China has a relatively new but one of the fastest growing Internet populations in the world. Between high-risk targeted attacks on corporations and profiting from a massive pool of unsuspecting Internet users, it is not a tough choice for these virtual gold miners. It will get interesting when we start seeing these organized groups get busted.
There are also Cryzip and Archivus to watch out for!