The recently published Microsoft Security Intelligence Report (SIRv15) contains a section on ransomware. Ransomware is a type of malware that is designed to render a computer or its files unusable until the computer user pays the demanded amount of money to the attacker. It often masquerades as an official-looking warning from a well-known law enforcement agency, such as the US Federal Bureau of Investigation (FBI) or the Metropolitan Police Service of London. Some examples are provided in Figure 1.

Ransomware has emerged as a relatively prevalent threat primarily in Europe. With the exception of New Zealand, all the locations where ransomware families made it onto the top ten list of threats in the second quarter of 2013 were in Europe; these locations include Austria, Belgium, Croatia, Cyprus, Czech Republic, Denmark, Finland, Germany, Ireland, Norway, Portugal, Slovakia, Slovenia, Sweden, Switzerland, and the United Kingdom.

Figure 1: Screenshots of different ransomware families, masquerading as warnings from various national and international law enforcement agencies

     
     

Ransomware typically accuses the computer user of committing a computer-related crime and demands that the user pay a fine via electronic money transfer to regain control of the computer or its files. Some recent ransomware threats are also known as “FBI Moneypak” or the “FBI virus” because their common use of law enforcement logos and requests for payment such as Green Dot MoneyPak, a brand of reloadable debit card. Like rogue security software or “scareware”, a ransomware infection and its subsequent fake warning is designed to scare the user into paying the fine, regardless of whether any crime was really committed on the infected computer.

Some ransomware families operate by displaying a lock screen and preventing access to any of the computer’s functions. Others encrypt the computer user’s files with a password and offer to provide the user with the password upon payment of the ransom. In both cases, the computer is essentially held hostage for a ransom that, the perpetrators say, will release the computer if paid. Frequently, access to the computer is not restored even upon payment.

Figure 2 illustrates the encounter rate trends for the most commonly encountered ransomware families worldwide in the time period between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13). Encounter rate is the percentage of computers running Microsoft real-time security products, such as Microsoft Security Essentials and Windows Defender (on Windows 8), that encounter malware during each quarter. This is different from the number of systems that actually get infected with malware, a measure called computers cleaned per mille (CCM).

Figure 2: Encounter rate trends for the top 6 ransomware families between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13)

Win32/Reveton was the most commonly encountered ransomware family worldwide in the first half of 2013. Reveton displays behavior that is typical of many ransomware families, it locks computers and displays a webpage that covers the entire desktop of the infected computer, and demands that the user pay a fine for the supposed possession of illicit material. The webpage that is displayed and the identity of the law enforcement agency that is allegedly responsible for it are often customized, based on the user’s current location. The number of Reveton encounters declined slightly in 1Q13 before increasing and spiking again in 2Q13. Detections of Reveton increased especially in the Czech Republic, Slovakia, and Cyprus, which contributed to the worldwide rise. The Czech Republic was the location with the highest Reveton encounter rate in 2Q13 at 0.83 percent. For additional information about Reveton, please see the article, Revenge of the Reveton, on the Microsoft Malware Protection Center blog.

Win32/Weelsof was the second most commonly detected ransomware family worldwide in the first half of 2013. It was encountered in rapidly increasing numbers in the first quarter of 2013, then declined moderately in the second. Ireland, France, and Greece saw the highest encounter rates for this ransomware in 2Q13. Weelsof is known to target computers from specific countries and regions, displaying fake warnings that claim to be from the appropriate national police force. Detection signatures for Weelsof were added to the MSRT in November 2012. For additional information about Weelsof, please see the article on the Microsoft Malware Protection Center’s blog called MSRT November '12 - Weelsof around the world.

Win32/Tobfy, the third most commonly detected ransomware family worldwide in the first half of 2013, showed an increase in 2Q13 that made it the second most commonly detected ransomware family by a narrow margin during that quarter. The United States had the highest encounter rate for Tobfy in 2Q13, at 0.21 percent, followed by Mexico and Canada.

Detections of Win32/Urausy, which had been the most commonly detected malware family worldwide in 4Q12, declined significantly in 1Q13 before increasing slightly in 2Q13. Detections increased significantly in 2Q13 in many locations led by Austria, Switzerland, and Cyprus.

Figure 3: Win32/Urausy encounter rate trends for the 10 countries or regions where it was most often detected between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13)

As I mentioned earlier, ransomware is distributed by malicious attackers, not legitimate authorities. Since there is no guarantee that paying the ransom will return control of the system and files to the computer user, Microsoft recommends that victims of ransomware infections do not pay the so-called fine. Microsoft provides tools and utilities, such as the Microsoft Safety Scanner and Windows Defender Offline that, in many cases, can help remove a variety of malware infections even when the computer’s normal operation is being blocked.

Some basic computer hygiene will help to protect your PC from ransomware:

  • Install and use an up-to-date real time anti-malware solution from a vendor you trust. Some anti-malware software options are available on Microsoft’s security partner webpage.
  • Keep all of the software installed on your system up-to-date. This includes software from Microsoft, Adobe, Oracle Java, and others.
  • Don't click on links or open attachments from untrusted sources.
  • Regularly backup your important files. You can do this with a cloud storage service such as SkyDrive, which is now fully integrated into Windows 8 and Microsoft Office.

Visit www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx for more information about ransomware and how computer users can avoid being taken advantage of by these threats.

For information on an emerging ransomware threat family called Crilock, visit: http://blogs.technet.com/b/mmpc/archive/2013/11/18/backup-the-best-defense-against-cri-locked-files.aspx

Tim Rains
Director
Trustworthy Computing