01/06/2015

Police in Tennessee have discovered a scary new form of ransomware scam that targets smartphone owners and uses images of child pornography in an attempt to extort money from them.

Ordinary ransomware scams “only” threaten to destroy or permanently encrypt victims' files unless the victims pay a ransom, usually with Bitcoin, a pre-paid money card, a wire transfer, or some other untraceable method of payment. But this new ransomware scam is arguably worse – not only are victims locked out of their phones, but they also have reason to fear arrest and imprisonment for possession of child pornography.

Investigator Frank Watkins of the Coffee County Sheriff's Office told Nashville station WSMV about the new scam. The hacker takes control of the smartphone, loads the illegal photos and then sends the owner an ominous message. “It quotes even United States Criminal Code statutes of what's been violated,” Watkins said.

The hacker's message continues: “This phone has been found to have accessed explicit or pornographic images and we can take care of this for $500.”

Can't be deleted

The phones' owners cannot delete the images, and they're usually afraid to contact police for fear they'll be arrested for possession of illegal images. As Watkins said: “How am I going to explain this on my phone and come up with the story of, hey, somebody took over my phone and planted these images?”

In this instance, the unnamed victim was a 12-year-old girl, who told investigators that she was watching a video on YouTube, walked away, and found the message when she returned. Coffee County investigators contacted the Tennessee Bureau of Investigation and various phone companies, none of whom had ever heard of this particular type of ransomware scam before.

Most ransomware scams do not load pornography or anything else onto a phone or computer, choosing instead to destroy or encrypt what's already there.

Last August, for example, a woman in Wisconsin fell victim to ransomware after getting a call from a scammer falsely claiming to be from Microsoft tech support. Once he had control of her computer, he deleted certain key files and demanded $200 if she wanted them back. Fortunately, she did not pay the ransom but instead went to the police, where a computer-savvy officer was able to undo the damage to her computer. But she got lucky; had the hacker chosen to encrypt rather than delete her files, it would've been impossible to retrieve them.

In October, US-CERT (the United States Computer Emergency Readiness Team, a division of the Department of Homeland Security), put out an alert about “Crypto Ransomware” which, among other things, showed just how profitable hackers found these extortion attempts:

In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors. This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device but also the contents of shared or networked drives. These variants are considered destructive because they encrypt user’s and organization’s files, and render them useless until criminals receive a ransom.

But even if the criminals do receive the ransom money, that doesn't necessarily mean they'll undo the damage they caused:

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

What to do

So how can you protect yourself from ransomware? By following the same protection rules for all malware, including:

Make sure your operating system, anti-virus and other security software are all up-to-date.

Never click on a link in an unsolicited email, text or other message.

Never download a zip file or any other attachments in emails.

Make sure your phone, tablet or any other Internet-connected device is set so that nothing can be downloaded or installed without your permission.

When getting messages allegedly from some company or service provider, remember the anti-scam rule “Don't call me; I'll call you” – and don't do business with anyone who breaks it.

In addition to these anti-malware rules, you should also remember to make regular backup copies of your data and files, just in case some nasty malware (or an ordinary bad-luck hard-drive crash) damages what's on your computer.
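The backup advice above has one practical catch that the US-CERT alert quoted earlier points at: some ransomware variants also encrypt shared or networked drives, so a backup that simply overwrites the previous copy on an always-connected drive can be destroyed along with the originals. The following Python script is an added example, not code from the article or from US-CERT; it shows a versioned backup that never overwrites an earlier snapshot and records a SHA-256 manifest so you can later check that a snapshot is still intact. The directory names, file contents and the "encrypting" overwrite in `demo()` are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional

MANIFEST = "manifest.json"  # per-snapshot list of relative path -> sha256


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src: Path, backup_root: Path, label: Optional[str] = None) -> Path:
    """Copy every file under src into a brand-new snapshot directory.

    Each run gets its own directory (UTC timestamp by default) and refuses to
    reuse an existing one, so a later run can never clobber an earlier, good copy.
    """
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = backup_root / label
    if dest.exists():
        raise FileExistsError(f"snapshot {dest} already exists; refusing to overwrite")
    manifest: Dict[str, str] = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)          # preserves timestamps alongside content
        manifest[str(rel)] = sha256_of(path)
    dest.mkdir(parents=True, exist_ok=True)  # an empty source still gets a snapshot dir
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def verify(snapshot_dir: Path) -> List[str]:
    """Return the relative paths in a snapshot that are missing or no longer match their hash."""
    manifest = json.loads((snapshot_dir / MANIFEST).read_text())
    damaged = []
    for rel, digest in manifest.items():
        p = snapshot_dir / rel
        if not p.is_file() or sha256_of(p) != digest:
            damaged.append(rel)
    return damaged


def demo() -> dict:
    """Constructed scenario: take a snapshot, then garble the live files the way an
    encrypting ransomware would, and show the earlier snapshot is still good."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "documents"
        src.mkdir()
        (src / "notes.txt").write_text("quarterly report draft\n")
        (src / "photos").mkdir()
        (src / "photos" / "a.jpg").write_bytes(b"\xff\xd8\xff\xe0fake-jpeg-bytes")

        snap1 = snapshot(src, root / "backups", label="snap1")
        clean_before = verify(snap1)

        # Simulate ransomware overwriting the originals in place (constructed, not real malware).
        for p in src.rglob("*"):
            if p.is_file():
                p.write_bytes(b"ENCRYPTED:" + bytes(reversed(p.read_bytes())))

        # A second snapshot faithfully captures the damaged state but leaves snap1 untouched.
        snap2 = snapshot(src, root / "backups", label="snap2")

        return {
            "snap1_clean_before": clean_before,
            "snap1_clean_after": verify(snap1),
            "snap1_notes_intact": (snap1 / "notes.txt").read_text() == "quarterly report draft\n",
            "snap2_captured_damage": (snap2 / "notes.txt").read_bytes().startswith(b"ENCRYPTED:"),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter more than the code itself: snapshots are append-only, so the most recent run cannot silently replace the last known-good copy, and the manifest lets you test a backup before you need it. Where the snapshot directory lives is up to you, but given the alert's note about networked drives, keep at least one copy on storage that is not mounted all the time.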

And if you have the misfortune to receive a ransomware message, do not pay the ransom or contact the hacker in any way; contact the police instead.