SMS Ransomware Tricks Russian Users

Malware has been found spreading in Russia: a piece of ransomware named WORM_RIXOBOT.A, which victims may pick up by downloading freeware or by visiting certain adult websites. Once on the machine, the worm disables some of its functionality; in this case it locks the desktop and prevents the victim from accessing any applications. A message on the desktop tells the victim to subscribe to an expensive SMS service in order to receive a code that fixes the problem, at a cost of about 360 RUR (12 USD or 367 baht).

Online criminals are always seeking out tactics that would help monetize their activities. Potential victims repeatedly fall for the traps that cybercriminals set up such as when they end up downloading malware instead of freeware or pornographic materials. Oftentimes, the realization that their machine is being held ransom comes too late.

One method often used involves disabling the functionality of the compromised computer until the victim dials a premium-rate SMS number. One such cybercriminal operation involves a recent SMS ransomware campaign that has been targeting Internet users in Russia and demanding a 360-RUR (about US$12) ransom. Affected systems would consistently display the image below and prevent users from accessing their desktops and applications until they provide the required ransom.

In this particular example, users downloaded a file detected by Trend Micro as WORM_RIXOBOT.A. The file was downloaded from a single website over 137,000 times in December 2010 alone, mostly by users from Russia. In this case, the worm was downloaded from a pornographic website. However, it may have also been propagated through other means.

Cybercrime is a serious matter for cybercriminals who run these campaigns much like ordinary businesses and keep financial records for their own reference. In our research, we were able to access a panel that was used to keep track of the specific income generated by at least 60 phone numbers used in ransomware campaigns. The list contains 60 phone numbers displayed by the ransomware and used to receive funds from victims.

Based on our findings, this campaign was able to generate 901,245 RUR (US$29,435) over the last five weeks. With a payment of approximately US$12 per transaction, this indicates that 2,500 people paid the ransom. Users are thus advised to be more wary about their online activities. As this particular ransomware campaign proves, cybercrime is a serious business that comes at a price.

WORM_RIXOBOT.A has been renamed to TROJ_RANSOM.QOWA.

Source: trendmicro
