The economy that runs ransomware attacks
First identified in Russia in 2005, ransomware attacks have since spread to other countries – mainly those of the West – by using geolocation to target users with fake notices apparently coming from their local police department.
“Multiple gangs produce their own variants; the social engineering is very good at getting users to pay up, and new versions are appearing all the time. Affiliate programs are also used to monetize this threat,” Trend Micro researchers explained, pointing out that the ransomware threat is similar to the rogue AV one.
Until now, most ransomware attacks could be traced back to two groups that apparently divided targets by country. They use separate affiliate programs, different payment methods, and different ransomware versions.
“One of these groups uses server-side scripts to serve the appropriate images and scripts, depending on the user’s country,” the researchers said. “A second group uses a different technique. Here, the images and scripts are embedded in base64-encoded PHP code. The images and scripts are never downloaded separately, as they might be in the first case.”
Still, both prefer to be paid via untraceable Ukash and paysafecard coupons, which they quickly sell to exchange websites for 50 percent of the cost, and the circle closes when the exchanges sell those coupons on for up to nine tenths of the original cost.
But, as the researchers say, new cybercriminal groups appear on the landscape all the time, and previously well-established techniques will likely change little by little, or be abandoned for new business models; it just remains to be seen which.
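The second group's technique described above, with images and scripts carried inside base64-encoded PHP, leaves quoted base64 literals in the server-side source that can be triaged offline. The following Python scanner is an added example, not code from the article or from the researchers: it decodes such literals, reports those that unpack to images or further script layers, and follows nested layers. The 40-character threshold, the signature list and the constructed sample are assumptions.

```python
import base64
import binascii
import re

# Quoted runs of base64 characters; the 40-character minimum is an assumed threshold.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{40,}={0,2})["']""")
BINARY_MAGIC = [(b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpeg"),
                (b"GIF87a", "gif"), (b"GIF89a", "gif")]
TEXT_PREFIX = [(b"<?php", "php"), (b"<script", "script"), (b"<html", "html")]

def classify(data):
    """Label decoded bytes as an image or script layer, or return None."""
    for magic, label in BINARY_MAGIC:
        if data.startswith(magic):
            return label
    head = data.lstrip()[:16].lower()
    for prefix, label in TEXT_PREFIX:
        if head.startswith(prefix):
            return label
    return None

def find_embedded(source, depth=0, max_depth=3):
    """Return (depth, label, decoded_size) for each literal that decodes to known content."""
    findings = []
    for match in B64_LITERAL.finditer(source):
        try:
            data = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but is not validly padded
        label = classify(data)
        if label is None:
            continue
        findings.append((depth, label, len(data)))
        # Script layers may carry further literals; images are leaves.
        if label in ("php", "script", "html") and depth < max_depth:
            findings += find_embedded(data.decode("latin-1"), depth + 1, max_depth)
    return findings

def build_sample():
    """Constructed sample: a PHP wrapper holding an inner page with an inline PNG stub."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40  # constructed stub, not a real image
    inner = "<?php $img = '%s'; ?>" % base64.b64encode(png).decode()
    return "<?php $page = base64_decode('%s'); ?>" % base64.b64encode(inner.encode()).decode()

if __name__ == "__main__":
    for depth, label, size in find_embedded(build_sample()):
        print("layer %d: %s (%d bytes decoded)" % (depth, label, size))
```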