This is the second of a two-part post, and continues from "Making the most of fear and deception – rogue v ransomware (part 1)".

Ransomware’s approach is aggressive. It uses fear to motivate an affected user to pay a fee (usually not with a credit card but using another payment system – Green Dot MoneyPak, Ukash, and others). It generally uses only one deceptive message and is quite specific: you receive a message, supposedly from the police or some other law-enforcement agency, accusing you of committing some form of crime. Commonly, these messages accuse the receiver of crimes associated with copyright violations (for example, downloading pirated software or other digital intellectual property) and/or the possession of illicit pornographic material. And if this threat isn’t enough, it backs the message up by rendering the system unusable, presumably until the fine is paid.

In a way, the messages are reasonably savvy. Downloading pirated or illegal copies of software or other material is quite common if you believe the hype (I don’t have figures that would allow me to comment more); however, I guess it’s conceivable that many of the receivers of such messages might be more likely to believe them if they have participated in this kind of activity in the past. As regards the possession of illicit, illegal and socially-reprehensible pornography, I can’t imagine too many people reporting these false allegations to the police or taking their computers to friends, family or professionals for repair, considering the risk of being misjudged as a deviant.

We can tell that these nasties must have been fairly successful for their distributors because they are on the increase.

We’ve also seen an increasing number of different types of malware that use this tactic. What started as a fairly small number of families has blossomed during 2012 into an increasingly diverse group (although I will mention that this data has been affected by our increasing focus on this type of malware and our ability to identify it correctly). Reveton and Weelsof, for example, are families that have caused considerable pain to the user.

Much of the ransomware we saw in the past appeared to have originated in Eastern Europe, although the simplicity of the fear appeal in this case, the single deceptive message given teeth by technology, has led to many localized versions of these threats presented in many different languages.

So while rogues still account for the lion’s share of total malware in comparison to ransomware, rogues are trending down while ransomware is on the up.

Interestingly, some more recent rogues have started using similar tactics to ransomware. One FakeRean variant that calls itself Privacy Protection displays fake scan results that imply child pornography has been found on the affected computer.

Generally speaking, humans aren’t great at detecting deception, and they’re even worse at detecting deception when they get their information from a lean information medium, such as that used by many of the digital messages that we receive every day. Thanks to a human trait known as truth bias, we tend to believe what we’re told, unless we have clear signals that a message may be suspect. Add fear as the motivator for action and you’ve got a powerful weapon of influence for badness.

So what can you do about it? Apart from all the regular steps to protect yourself and avoid malware (keep your software up to date, use AV, and so on) the best advice I can give you is to be wary and skeptical. That is, even though it can be difficult to determine the veracity of a given message, you can recognize illegitimate attempts to persuade using fear. Even if you can’t tell whether a message is true or not, you can tell if a message is trying to make you take an action by scaring you. Legitimate security companies won’t try to scare you into using their scanners and law enforcement agencies aren’t going to pop up a message and scare you into paying a fine.

If a message tries to frighten you, think very carefully about what it’s asking you to do, and more importantly, if it’s an unreasonable request (such as sending money), don’t do it.

For more on ransomware, see Mark Russinovich's blog "Hunting down and killing ransomware", where he describes the mechanisms some ransomware uses to lock the computer and the use of Sysinternals Autoruns to remediate an infected system.

Amir Fouda, Heather Goudey and Ray Roberts
MMPC