Jan. 29, 2010 at 9:00 AM ET
Turning hijacked computers into cash is still hard work for most computer criminals. They've got to trick the infected PC into sending spam, then trick a recipient into buying a useless product -- or they have to steal online banking passwords, log onto a victim's account, bypass the bank's money transfer fraud controls, and so on.
It's much easier to just demand cash directly from infected users -- a crime that's the Internet's equivalent of kidnapping.
"Give me all your money or your computer gets it," is the basic proposition.
The technique was dubbed "ransomware" many years ago by computer virus researchers, and is not new. What is new is the explosion of ransomware, thanks to the evolution of ever-more-believable tactics during recent months.
In December, the FBI issued a warning about a broader category of malicious programs called "rogueware." These programs appear on users' machines and claim to find viruses, then offer to clean them for $50. Rogueware looks so realistic -- complete with Windows-like dialog boxes and scary warnings -- that Web users were tricked into sending $150 million to criminals last year, the FBI says.
The new ransomware is similar, but far more aggressive. Once a computer is infected with it, the program does more than recommend a software purchase -- it simply won't let users continue to use their PC until they pay up.
Luis Corrons Granel, a researcher at Panda Security, said use of ransomware by criminals is exploding -- 25 percent of all rogueware in the past quarter involved a family of intimidating products named "TotalAntivirus." It demands that users pay $50 for two years, $79 for a lifetime license.
"The increase (in ransomware) has been really significant," Granel said. A single family of ransomware programs called "Total Security" made up one-quarter of all rogueware programs detected during the past three months, he said.
To an average user, most rogueware would be indistinguishable from other standard antivirus products. They look like fully functional software, showing Windows-like screens for firewall settings, file scanning, and every other tab you'd expect from standard antivirus products. "Total Security" even lets users choose their language -- English, Spanish, and German are offered.
The switch to ransomware by the bad guys makes sense, says Peter Cassidy, spokesman for the Anti-Phishing Working Group -- because computer criminals are refining their programming methods, and getting more aggressive about taking people's money.
"Instead of trying to fool people and getting one out of 1,000 to pay, what they're doing now is just locking up the PC and telling them they have to pay," he said. "It's a really violent approach, really nasty."
There might be one silver lining to the rise of ransomware, Cassidy said.
"It's not in that gray area of selling people useless crap," he said. "It's clearly criminal, and extortion does get the attention of law enforcement officials."
As is customary, computer criminals are fusing this new attack with successful, older methods, said John Harrison, a security researcher at Symantec Corp. In one recent example, criminals first engaged in search engine "poisoning," so their booby-trapped Web sites would rate high in Google searches about Haiti's earthquake. Visitors who clicked were tricked into downloading the ransomware, and were then confronted with extortion demands.
"That's their distribution model," Harrison said. "They used to do it subtly, but now they are doing it much more brazenly."
In some versions, users will see a message that says, "Google recommends you install this," or "Microsoft recommends you turn this feature on" ... "Then they take over your computer and all of a sudden it looks like you have 900 viruses," he said.
The latest flavor of ransomware, described on Jan. 8 by security firm F-Secure, doesn't disable all software, but it does something just as debilitating -- it encrypts all the files on a victim's computer, and forces them to pay for decryption. The program, which calls itself Data Doctor 2010, costs $89.
RED TAPE WRESTLING TIPS
In some cases, researchers say, paying the ransom does work, at least initially. Still, it's a terrible idea to pay. On a grand scale, you've just subsidized a criminal. But there are far more practical concerns -- why would you trust the author of ransomware with your credit card number? Perhaps you think you'd never do this, but remember, the FBI says rogueware writers have made $150 million, so someone is paying up.
If an unexpected antivirus dialog box lands on your computer screen, close the window immediately by clicking on the 'x' in the upper-right-hand corner. Don't use the "OK/Cancel" buttons in the window -- criminals often reprogram these.
You may or may not be infected anyway -- it's possible you are already the victim of a "drive-by download" that doesn't require user interaction. So run an antivirus scan, if you can.
If the rogue software has actually taken over your computer, physically disconnect it from the Internet to avoid having your personal information sent back to the criminal. Then go to a different computer to search for solutions. Type in the name of the rogue software and search for information on well-known antivirus Web sites. Many antivirus firms offer free cleaners you can download or place onto a USB memory stick, and run on your infected computer.
But maintain healthy suspicion at all times. Ransomware authors have gone so far as to create fake software reviews about their products and place them around the Internet, even stealing logos from reputable technology publications, says Harrison.
"The idea is you search for information about the program and this turns up, and you figure it's ok so you install it," he said. "Some of this is soft sell, some is very hard sell."
As always, it's never a good idea to follow links in e-mails when heading to Web sites -- it takes an extra moment, but always click into your browser's address bar and manually type the address.