Online criminals are always seeking out tactics that would help monetize their activities. Potential victims repeatedly fall for the traps that cybercriminals set up such as when they end up downloading malware instead of freeware or pornographic materials. Oftentimes, the realization that their machine is being held ransom comes too late.
One method often used involves disabling the functionality of the compromised computer until the victim dials a premium-rate SMS number. One such cybercriminal operation involves a recent SMS ransomware campaign that has been targeting Internet users in Russia and demanding a 360-RUR (about US$12) ransom. Affected systems would consistently display the image below and prevent users from accessing their desktops and applications until they provide the required ransom.
In this particular example, users downloaded a file detected by Trend Micro as WORM_RIXOBOT.A. The file was downloaded from a single website over 137,000 times in December 2010 alone, mostly by users from Russia. In this case, the worm was downloaded from a pornographic website. However, it may have also been propagated through other means.
Cybercrime is a serious matter for cybercriminals who run these campaigns much like ordinary businesses and keep financial records for their own reference. In our research, we were able to access a panel that was used to keep track of the specific income generated by at least 60 phone numbers used in ransomware campaigns. The list contains 60 phone numbers displayed by the ransomware and used to receive funds from victims.
Based on our findings, this campaign was able to generate 901,245 RUR (US$29,435) over the last five weeks. With a payment of approximately US$12 per transaction, this indicates that 2,500 people paid the ransom. Users are thus advised to be more wary about their online activities. As this particular ransomware campaign proves, cybercrime is a serious business that comes at a price.
Update as of January 16, 2011, 10:09 a.m. (UTC)
WORM_RIXOBOT.A has been renamed to TROJ_RANSOM.QOWA.
Share this article