Ransomware Fuels More Online Extortion Attempts

November 14, 2012

Cybercriminals are extorting money from victims by infecting their computers with "ransomware," a type of malware that renders the devices unusable. The most recent wave of such attacks, called "police ransomware," locks the victim's computer and displays a message that appears to come from a law enforcement agency, accusing the victim of visiting illegal websites. To have the computer restored, the victim must pay the cybercriminals to unlock the device. Although many victims make the payment, their systems are often not restored, and ransomware frequently leaves other malware on the victim's computer.

In recent attacks, cybercriminals have taken blackmail to even greater lengths — holding data stolen from victims' computers or databases hostage. Here are four examples targeting businesses and high-profile individuals:

  • The Rex Mundi team made several unsuccessful attempts against Elantis, AGO Interim, and AmeriCash Advance. In August 2012, they threatened CreditPret, a French financial company. The team requested an extortion fee of €20,000 in exchange for not disclosing data obtained from compromised servers. When it appeared CreditPret was not going to make the payment, they reduced the amount. The Rex Mundi team disclosed the data when CreditPret still refused to pay.
  • In September 2012, an unknown attacker claimed to have penetrated PricewaterhouseCoopers' network and stolen U.S. presidential candidate Mitt Romney's tax returns for multiple years. The attackers demanded that PricewaterhouseCoopers pay $1 million converted into "Bitcoins" (an Internet currency that is hard to trace) — otherwise Romney's tax returns would be sent to all major news outlets.
  • In September 2012, the Rex Mundi team ran another extortion scheme: it claimed to have stolen Webassur customer data, along with information taken from the databases of 300 websites that Webassur designed. When Webassur appeared unwilling to pay the ransom, the team renewed its request for €5,000.
  • In September 2012, TDC Refrigeration, an Australian company, paid $3,000 to cybercriminals to restore its business files after its computer systems were attacked.

In the CreditPret, PricewaterhouseCoopers, and Webassur cases, personal customer data was posted on the Internet because the victims did not meet the blackmailers' demands. Many victims of this type of attack have been unwilling to pay because there is no guarantee that the data will actually be recovered, and paying does not remove the risk of repeated blackmail. This was the case for TDC Refrigeration: despite making the payment, the company's computer systems were not restored. This is one of many reasons authorities warn victims not to respond to blackmail threats.