"Ransomware" has been customised to scare Australians.
If your computer appears to be taken hostage by local police who demand the payment of a fine to grant you access to your data, would you pay the fee, yank the power cord or recognise a scam and figure out how to neutralise it?
Malicious software that demands payment for the return of access to personal or financial data, known as “ransomware”, has been around in various forms for over a decade, but this year police-themed ransomware has emerged as the scam du jour for online con artists and there is evidence they are ramping up activity in Australia significantly.
The simple con exploits victims' lack of knowledge about online surveillance, enforcement and the law. Victims are told police have detected crimes ranging from copyright infringement to viewing child abuse material and are generally asked to pay a fine of about $100 in the local currency within 72 hours via prepaid services such as UKash, a UK-based voucher payments service.
The first police-themed ransomware arrived in October in Australia, shortly before the Australian Federal Police (AFP) warned that cybercriminals were using its logo in a scam to trick victims into paying a fraudulent $100 fine for “illegal” online activity.
A spokesperson for the Australian Competition and Consumer Commission (ACCC), which operates consumer alert service Scamwatch, told Fairfax that it had received 100 complaints of police ransomware since the Australian-targeted scam first emerged.
The number of complaints however is likely to rise significantly in coming months.
According to one malware researcher who goes by the online name Kafeine and has been tracking police ransomware across the world, the number of Australians presented with a fake AFP fine spiked dramatically at the end of October.
Since early October, Australian numbers in the operation he has been tracking had remained below 10 on any given day. But on October 28 that figure jumped by more than 1600 per cent to 160, and on October 29 it more than doubled again to 403.
A screengrab of software used by "Kafeine" to keep track of the ransomware.
The ransomware is most likely installed after the victim visits a website rigged with an exploit kit: a crime toolkit that probes the visitor's machine for unpatched weaknesses in popular software such as the browser, a media player like Adobe Flash, or a PDF viewer.
While the same malware is used to target victims from different countries, it is configured to present a message that bears the name and logo of a local law enforcement authority in order to increase the chances of payment.
Kafeine's figures are drawn from one operation he has gained access to, offering insight into the number of PCs the ransomware is installed on in each country and the number of times the message has been presented to victims.
The two main ransomware scams targeting Australians are Reveton and Urausy, which both purport to be the AFP and can be viewed on Kafeine's “gallery” of the localised presentation pages for the malware.
The majority of would-be victims recognise the scam for what it is, but figures from Britain show that criminals are netting around 3 per cent of victims there.
London's Metropolitan Police revealed in August that of 1100 ransomware reports it received, 36 had paid the fake fine of £100 ($155).
The number of Australians slugged with ransomware messages is still lower than in the UK, Turkey and Spain, but higher than in other parts of Europe that have been targeted by ransomware gangs for much longer than Australia.
So what should Australians do if they are presented with an online fine purportedly from the AFP?
“The most important thing is not to pay the cybercriminals,” said Sergey Golovanov, a malware expert at the Russian security company Kaspersky Lab.
“Go to another computer and start searching for a solution, which you will always be able to find on the internet. All anti-virus companies post free instructions and utilities to help users unblock their computers.”
Some threats can be resolved by cleaning up a malware infection. However, there are more brutal ransomware attacks that use cryptographic locks to prevent victims from accessing their data.
One Northern Territory-based small business, TDC Refrigeration and Electrical, was recently hit by attackers who encrypted the company's financial system data and threatened to destroy it unless the business forked out $3000. The business did and lived to tell the tale. However, had it backed up its data it might not have had to pay for it.
“When you are hit by a well-done encrypting ransomware, if you have no backup, there is nothing you can do except paying or losing your data,” Kafeine said.
Other security professionals agree. “Automatic online backup is a must,” said Michael McKinnon, a security adviser for AVG Australia. “There are many choices of backup software that can securely copy important files to the 'cloud', ensuring that if disaster strikes – such as ransomware that may encrypt or even delete some of your files – you'll be protected.”
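The distinction drawn above, between a locker that can be cleaned off and a crypto-locker that leaves nothing to do but restore from backup, is the first question a responder has to answer. The following script is an added illustration of that triage step; it is not code from the article, from Kaspersky Lab, AVG or any vendor quoted here. It walks a directory, checks whether each file still begins with the header its extension implies, and measures byte entropy to spot files whose contents have been replaced by ciphertext. The magic-byte table, the entropy thresholds and the sample files are all assumptions constructed for the example; a real tool would use libmagic and far more signatures.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Expected leading bytes for a few common document types. Assumption: a
# small table suffices for triage; a real tool would use libmagic.
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}
MIN_SAMPLE = 256  # below this many bytes an entropy estimate is meaningless


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str, sample_size: int = 4096) -> str:
    """Return one of: too-small, intact, header-damaged,
    likely-encrypted, suspicious-high-entropy."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    if len(head) < MIN_SAMPLE:
        return "too-small"
    ent = shannon_entropy(head)
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is not None:
        # Compressed formats (docx, png, zip) are high-entropy even when
        # untouched, so the header check, not entropy, decides here.
        if head.startswith(expected):
            return "intact"
        return "likely-encrypted" if ent > 7.5 else "header-damaged"
    # Unknown extension (ransomware often renames files): entropy is all we have.
    return "suspicious-high-entropy" if ent > 7.8 else "intact"


def scan_directory(root: str) -> dict:
    """Map each file (path relative to root) to its classification."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify_file(full)
    return results


def verdict(results: dict) -> str:
    """Summarise the scan as the decision the article describes."""
    flagged = {"likely-encrypted", "suspicious-high-entropy"}
    if any(v in flagged for v in results.values()):
        return "crypto-ransomware: files are encrypted, restore from backup"
    return "no encrypted files found: clean the infection and unlock the screen"


def _keystream(n: int, seed: bytes) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext.
    Constructed sample data only, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def build_sample_dir() -> str:
    """Constructed sample (assumption): an untouched PDF, a PDF whose
    contents were overwritten with ciphertext, a plain text file, the
    same text encrypted and renamed, and a stub too small to judge."""
    root = tempfile.mkdtemp(prefix="ransom-triage-")
    text = b"Invoice register, quarterly totals and customer notes\n" * 200
    files = {
        "report.pdf": b"%PDF-1.4\n" + text,
        "report-locked.pdf": _keystream(4096, b"pdf"),
        "notes.txt": text,
        "notes.txt.locked": _keystream(4096, b"txt"),
        "tiny.pdf": b"%PD",
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_dir()
    res = scan_directory(root)
    for name, cls in sorted(res.items()):
        print(f"{cls:24} {name}")
    print(verdict(res))
```

Run it against the directory you care about by calling `scan_directory` on that path instead of the constructed sample; the thresholds are deliberately conservative, so treat "suspicious-high-entropy" on unknown extensions as a prompt to look, not a verdict.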
Liam Tung has covered enterprise and consumer technology and security since 2007 for some of the world's leading technology news websites, including CBS Interactive's ZDNet and CNet, IDG's CSO Magazine and has had several of his stories syndicated to the New York Times.