Police break up malware ring

By Jon Tullett
Johannesburg, 15 Feb 2013
Rob Wainwright, director, Europol.

The Spanish police and Europol have broken up a cyber crime gang responsible for waves of ransomware attacks across the world.

The authorities estimate the group had successfully extorted millions of euros from victims in over 30 countries. Using malware dubbed "Reveton", the group impersonated law enforcement agencies and demanded "fines" from infected users.

Ransomware is malware that prevents a user from accessing their PC or data, or threatens them with blackmail, unless a "fine" is paid. Variants range from software that encrypts files and demands payment to restore the data, to software that merely displays threatening messages without a damaging payload.

In this instance, the Reveton malware displays messages purporting to come from law enforcement agencies, localised to the user's geographic location, claiming the user has accessed illegal material such as pirated software or child pornography, and demanding payment of a EUR100 or $200 fine via anonymous payment services.

Reveton is a Trojan based on the Citadel family of malware, itself a variant of the widespread Zeus Trojan code. Most ransomware groups profit both from the extorted money and from abusing victims' credit card details after the fact. Although ransomware has existed since 1989, the police-impersonation tactic is relatively new.

"This is the first major success of its kind against a very new phenomenon that we have only identified in the last two years," said Rob Wainwright, director of Europol. "This is a mass marketing scam to distribute this thousands of times and rely on the fact that even if only 2% fall victim to the scam, it is still a very good pickup rate."

Authorities arrested the alleged creator of the malware in Dubai, a Russian national now awaiting extradition to Spain, and 10 other individuals, mostly Russian or Eastern European, operating cells in Spain. Computer equipment and compromised credit cards, which were used to extract extortion payments from ATMs, were also seized in a series of raids.

Reveton in action. Source: avast.com

Ransomware is relatively uncommon in SA, and malware infection rates across the board are steadily declining, despite targeted attacks such as the Shylock banking Trojan and a spate of fake support scams, in which a scammer phones a user claiming to represent Microsoft or another vendor.

Microsoft's Security Intelligence Report for mid-year 2012 showed a steady quarter-on-quarter reduction in infection rates, based on data gathered by its anti-virus products. Last year, Kaspersky Lab rated SA as one of the territories least at risk of Web infection, and a recent survey of CIOs by IDG and EMC showed higher security awareness among local CIOs compared to other regions.